A sophisticated cyber assault aimed at cryptocurrency companies has become a focal point for the cybersecurity community. Evidence suggests the involvement of North Korean state-backed hackers, raising concerns about the security of digital financial assets.
The attackers executed a meticulously planned assault across various segments of the cryptocurrency supply chain, including staking platforms and exchange software providers. This breach resulted in the theft of proprietary source code, private keys, and cloud-stored secrets.
Exploitation of Vulnerabilities
This operation showcased a blend of web application exploitation and the use of stolen cloud credentials, marking it as one of the most calculated intrusions in the cryptocurrency sector in recent months.
The attackers employed two primary entry methods. In one chain, they exploited a known vulnerability, CVE-2025-55182 (nicknamed React2Shell), using mass scanning and WAF bypass techniques to locate exposed cryptocurrency staking platforms.
In the other, they used valid AWS credentials obtained beforehand, skipping initial exploitation entirely and moving straight to cloud infrastructure enumeration. These tactics indicate a level of preparation beyond typical opportunistic hacking, aimed at organizations managing significant digital assets.
Insights from Security Research
Researchers from Ctrl-Alt-Intel uncovered both intrusion chains by examining exposed open directories over a two-week period in January 2026. They retrieved files from the attackers’ infrastructure, including shell history logs and archived source code.
This rare insight into the attackers’ environment offered clear visibility into every phase of the operation, from initial access to command-and-control setup. In one incident, the attackers extracted backend source code from a compromised staking platform, which included hardcoded private keys for Tron blockchain wallets.
Blockchain records indicated the transfer of approximately 52.6 TRX during the active exploitation period. However, it remains uncertain whether these transfers were conducted by the suspected DPRK-linked actors or other entities.
Cloud Infrastructure Breaches
The attackers also targeted Docker container images from a cryptocurrency exchange, obtaining hardcoded database credentials and proprietary exchange logic. This activity aligns with North Korea’s documented strategy of pre-positioning for large-scale cryptocurrency theft.
In the cloud-focused phase, the attackers demonstrated a structured approach to AWS exploitation. After validating stolen credentials, they conducted an extensive enumeration of EC2 instances, RDS databases, and other AWS services, searching for sensitive information.
From that cloud foothold, they accessed Kubernetes clusters, extracted ConfigMaps and Kubernetes Secrets, and pulled Docker container images. For command-and-control they used IPv6 connections, which many network monitoring deployments log and inspect less thoroughly than IPv4 traffic.
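The cloud phase described above has a recognizable shape in CloudTrail: a stolen key validates itself with sts:GetCallerIdentity and then, within minutes, sweeps read-only Describe/List/Get calls across several services. The following detector is an added example written for this article, not code from the researchers or from any vendor; the events it runs over are constructed and flattened (CloudTrail nests accessKeyId under userIdentity), and the thresholds (10-minute window, 5 calls, 3 services) are assumptions to tune against your own baseline.

```python
"""Flag stolen-credential enumeration bursts in CloudTrail-style records.

Added example for this article. Detection rule: an access key issues
sts:GetCallerIdentity and then, inside a short window, makes at least
`min_calls` read-only enumeration calls spanning at least `min_services`
distinct AWS services. Window and thresholds are assumed values.
"""
from datetime import datetime, timedelta

ENUM_PREFIXES = ("Describe", "List", "Get")

# Constructed sample events (simplified CloudTrail fields, not real data).
SAMPLE_EVENTS = [
    # Key 1: validates itself, then sweeps EC2, RDS, S3, Secrets Manager, EKS.
    {"eventTime": "2026-01-12T03:14:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "accessKeyId": "AKIAEXAMPLE0000001",
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2026-01-12T03:14:20Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "accessKeyId": "AKIAEXAMPLE0000001",
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2026-01-12T03:14:41Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "accessKeyId": "AKIAEXAMPLE0000001",
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2026-01-12T03:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "accessKeyId": "AKIAEXAMPLE0000001",
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2026-01-12T03:15:30Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "accessKeyId": "AKIAEXAMPLE0000001",
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2026-01-12T03:16:11Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "accessKeyId": "AKIAEXAMPLE0000001",
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2026-01-12T03:17:45Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DescribeCluster", "accessKeyId": "AKIAEXAMPLE0000001",
     "sourceIPAddress": "203.0.113.10"},
    # Key 2: an operator checking identity and looking at one EC2 fleet.
    {"eventTime": "2026-01-12T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "accessKeyId": "AKIAEXAMPLE0000002",
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2026-01-12T09:00:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "accessKeyId": "AKIAEXAMPLE0000002",
     "sourceIPAddress": "198.51.100.7"},
]


def _ts(event):
    """Parse the CloudTrail UTC timestamp into a datetime."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def is_enumeration_call(event):
    """Read-only discovery call; the STS validation call itself is excluded."""
    if event["eventSource"] == "sts.amazonaws.com":
        return False
    return event["eventName"].startswith(ENUM_PREFIXES)


def detect_enumeration(events, window_minutes=10, min_calls=5, min_services=3):
    """Return one alert per GetCallerIdentity that is followed by a sweep."""
    by_key = {}
    for ev in events:
        by_key.setdefault(ev["accessKeyId"], []).append(ev)

    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        for i, ev in enumerate(evs):
            if ev["eventName"] != "GetCallerIdentity":
                continue
            deadline = _ts(ev) + timedelta(minutes=window_minutes)
            sweep = [e for e in evs[i + 1:]
                     if _ts(e) <= deadline and is_enumeration_call(e)]
            services = {e["eventSource"].split(".")[0] for e in sweep}
            if len(sweep) >= min_calls and len(services) >= min_services:
                alerts.append({
                    "accessKeyId": key,
                    "sourceIPAddress": ev["sourceIPAddress"],
                    "validatedAt": ev["eventTime"],
                    "calls": len(sweep),
                    "services": sorted(services),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_EVENTS):
        print(alert)
```

Only the first key trips the rule: six discovery calls across five services within four minutes of validation. The second key makes a single DescribeInstances call and is ignored. In production, also key the sweep on sourceIPAddress and compare it with the principal's historical source networks, since a known key arriving from a new network is the strongest single signal that it has been stolen.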
Security teams are advised to patch CVE-2025-55182 immediately and to audit all publicly accessible web applications. AWS environments should enforce least-privilege IAM policies and monitor for unusual API activity. Terraform state files need strict access controls, and source code and container images should not contain hardcoded credentials; any that are found should be rotated, not just removed.
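The hardcoded Tron private keys and database credentials described in this article are the kind of thing a simple pre-commit or CI scan catches. The scanner below is an added example written for this article, not code from the researchers or from any affected company. The sample files it runs over are constructed (the private key and access key ID are dummy values, the latter being the AWS documentation example), and the patterns are assumptions: a 64-hex-character string is treated as a candidate secp256k1 private key, which will also catch SHA-256 digests, so that finding is labelled a candidate for a human to triage.

```python
"""Scan source, ConfigMaps and similar text for hardcoded credentials.

Added example for this article. Three assumed patterns: AWS access key IDs,
64-hex-character private-key candidates (Tron/Ethereum-style keys, but also
SHA-256 digests), and `name = value` assignments whose name hints at a
credential. Values are redacted in findings so the report itself is safe
to attach to a ticket.
"""
import re

SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hex_private_key_candidate", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("credential_assignment", re.compile(
        r"\w*(?:password|passwd|secret|private_?key|api_?key|token)\w*"
        r"\s*[:=]\s*[\"']?([^\s\"']{8,})",
        re.IGNORECASE)),
]

# Constructed sample inputs: a backend module and a Kubernetes ConfigMap.
SAMPLE_FILES = {
    "backend/wallet.py": """import os
# Constructed example: a hardcoded Tron-style private key in application source.
TRON_PRIVATE_KEY = "4f3edf983ac636a65a842ce7c78d9aa706d3b113bce9c46f30d7d21715b23b1d"
RPC_URL = "https://api.trongrid.io"
def signer_key():
    return os.environ.get("TRON_PRIVATE_KEY", TRON_PRIVATE_KEY)
""",
    "k8s/exchange-configmap.yaml": """apiVersion: v1
kind: ConfigMap
metadata:
  name: exchange-config
data:
  DB_HOST: postgres.internal
  DB_PASSWORD: "Sup3rS3cretExch4nge!"
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
""",
    "README.md": "Checksum: sha256 of the release tarball is published separately.\n",
}


def redact(value):
    """Keep a short prefix so a finding can be matched to the file, no more."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path, text):
    """Return one finding per (line, pattern) hit in the given text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            # Patterns with a capture group report the value, not the whole match.
            value = m.group(1) if m.lastindex else m.group(0)
            findings.append({"path": path, "line": lineno,
                             "kind": kind, "redacted": redact(value)})
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents; order follows the mapping."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['redacted']}")
```

The Python module yields two findings on the same line (the hex candidate and the credential-named assignment), the ConfigMap yields the database password and the access key ID, and the README is clean because "Checksum:" matches none of the patterns. Terraform state files and decoded Kubernetes Secrets are plain text and can be fed through scan_text the same way; the point of running this in CI is that a key committed once is already compromised once the repository is stolen, as happened here, so the remediation is rotation, not deletion.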
