The post Ctrl-Alt-Intel Uncovers Cyberattack Targeting Crypto Firms appeared on BitcoinEthereumNews.com.

Ctrl-Alt-Intel Uncovers Cyberattack Targeting Crypto Firms

2026/03/09 20:49
  • Attackers exploited the React2Shell vulnerability and stole AWS credentials to access systems.
  • Hackers searched cloud infrastructure for private keys, credentials, and exchange source code.
  • Evidence and tactics point toward North Korean cyber groups targeting the crypto industry.

A sophisticated hacking campaign targeting the heart of the cryptocurrency industry has been exposed by cybersecurity firm Ctrl-Alt-Intel, and the fingerprints left behind suggest possible links to North Korean threat actors.

The Break-In

The attackers used multiple entry points. In some cases, they exploited React2Shell, a vulnerability in a popular web framework, scanning the internet for crypto platforms running outdated software. 

In another instance, the attackers appeared to already possess valid Amazon Web Services credentials, allowing them to enter a crypto exchange’s cloud environment without triggering typical intrusion methods. How those credentials were obtained remains unknown.

The Methodical Pillage

What followed was not a smash-and-grab. It was a careful, room-by-room search of an entire digital infrastructure. The attackers combed through cloud storage buckets hunting for private keys and configuration files. 

They traced through infrastructure blueprints looking for database passwords. They tested network connections, and when one database proved unreachable, they simply reconfigured it to be publicly accessible and connected anyway.

Then came the real prize. Five proprietary Docker container images, essentially the packaged source code of a live cryptocurrency exchange, were pulled and taken. Private repositories were cloned. 

Application secrets and hardcoded credentials were harvested from cloud vaults, Kubernetes clusters, and live containers. One staking platform had its entire backend stripped, including a private wallet key. A small amount of cryptocurrency was transferred from the associated address shortly after.
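
A defender-side hunt for the behaviours described in this section, as an added example that is not part of the original article or the Ctrl-Alt-Intel report. It assumes the cloud vault, image registry and database were AWS Secrets Manager, ECR and RDS, and runs over constructed CloudTrail-style records; `classify`, `hunt` and the `min_distinct` threshold are illustrative names.

```python
from collections import defaultdict

EXPOSED = "database made publicly accessible"
# CloudTrail (eventSource, eventName) pairs for the collection steps described
# above. Mapping the article's behaviours to these AWS services is an assumption.
COLLECTION = {
    ("s3.amazonaws.com", "ListBuckets"): "bucket enumeration",
    ("secretsmanager.amazonaws.com", "GetSecretValue"): "secret read",
    ("ecr.amazonaws.com", "BatchGetImage"): "container image pull",
}

def classify(event):
    """Return a finding label for one CloudTrail record, or None."""
    key = (event.get("eventSource"), event.get("eventName"))
    params = event.get("requestParameters") or {}
    if key == ("rds.amazonaws.com", "ModifyDBInstance"):
        return EXPOSED if params.get("publiclyAccessible") is True else None
    return COLLECTION.get(key)

def hunt(events, min_distinct=3):
    """Flag (principal, source IP) pairs that expose a database or sweep widely."""
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
            seen[(arn, ev.get("sourceIPAddress"))].add(label)
    return {who: sorted(labels) for who, labels in seen.items()
            if EXPOSED in labels or len(labels) >= min_distinct}

def _ev(service, name, arn, ip, params=None):  # minimal constructed record
    return {"eventSource": service + ".amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "requestParameters": params}

# Constructed sample events, not taken from the Ctrl-Alt-Intel report.
ACCT = "arn:aws:iam::111122223333:"
BAD = (ACCT + "user/deploy", "203.0.113.7")
SAMPLE_EVENTS = [
    _ev("s3", "ListBuckets", *BAD),
    _ev("secretsmanager", "GetSecretValue", *BAD),
    _ev("ecr", "BatchGetImage", *BAD),
    _ev("rds", "ModifyDBInstance", *BAD, {"publiclyAccessible": True}),
    _ev("secretsmanager", "GetSecretValue", ACCT + "role/app", "10.0.4.12"),
    _ev("rds", "ModifyDBInstance", ACCT + "user/dba", "198.51.100.20", {"publiclyAccessible": False}),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Only the principal that combines enumeration, secret reads, image pulls and the exposure change is reported; the application role's single secret read and the DBA's non-exposing change are not.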

The Trail Back to Pyongyang

Researchers were careful with their language, stopping short of a definitive accusation. But the evidence they assembled (the systematic targeting of crypto businesses, the tools used, the infrastructure patterns, and the nature of what was stolen) aligns closely with North Korean threat actors who have spent years raiding the crypto industry to generate hard currency for a sanctions-choked regime.

To obscure their tracks, the attackers routed their activity through South Korean VPN nodes, a layer of misdirection designed to complicate exactly the kind of investigation that ultimately caught them.

Ctrl-Alt-Intel has notified affected companies. The rest of the industry has been put on notice.


Source: https://coinedition.com/ctrl-alt-intel-uncovers-sophisticated-cyberattack-targeting-crypto-firms/
