- Hackers tied to North Korea breached crypto firms using React2Shell and stolen AWS tokens, exposing source code and sensitive credentials.
- Attackers scanned staking platforms, stole Docker images and secrets, and mapped entire AWS environments to prepare future crypto theft.
- Investigators traced the operation to South Korean infrastructure, revealing tactics similar to past TraderTraitor crypto supply-chain attacks.
A sophisticated hacking campaign targeting cryptocurrency companies has raised global cybersecurity alarms. Security researchers revealed that attackers exploited web vulnerabilities and stolen cloud credentials to infiltrate crypto platforms and infrastructure.
The investigation found that the threat actors targeted a staking service, exchange software vendors, and cryptocurrency exchanges, and researchers assess that the operation is likely the work of North Korea's state-sponsored hackers. The attackers combined exploitation of the React2Shell vulnerability with the use of valid AWS credentials to steal secrets and proprietary software, activity that could lay the groundwork for large cryptocurrency thefts in the future.
Investigators also found that the attackers scanned for web applications vulnerable to React2Shell. One target was a crypto staking service, from which they stole the backend source code; the exposed configuration files also contained private keys and wallet information.
Consequently, attackers likely accessed cryptocurrency funds stored within compromised systems. However, analysts cannot confirm whether the same threat group executed every theft discovered during the investigation.
Web Exploits and Source Code Theft
The attackers relied heavily on React2Shell exploitation to gain initial access to vulnerable servers. They scanned thousands of targets using automated scripts designed to bypass security filters. Consequently, the campaign exposed the backend code of a USDT staking platform.
Additionally, researchers found environment variables that contained sensitive wallet credentials. These included TRON wallet addresses and private keys. Analysts later observed a transaction moving 52.6 TRX shortly after the exposure. However, investigators cannot prove that the same threat actors performed the transfer.
Besides the credential exposure, the compromised servers already hosted malware deployed by unrelated attackers. Researchers found XMRig mining tools and remote management software inside the breached system. These discoveries suggest that several criminal groups exploited the same vulnerability simultaneously.
AWS Cloud Intrusion and Lateral Movement
The attackers also broke into a separate cryptocurrency organization using stolen AWS access tokens. They first validated that the credentials worked, then mapped the cloud environment, enumerating S3 buckets, RDS databases, EC2 instances, and Lambda functions.
Next they searched cloud storage for configuration files, credentials, and encryption keys, paying particular attention to Terraform state files, which record resource attributes in plaintext and therefore often include secrets. Those files revealed database credentials and internal system details.
The same AWS permissions let them pivot into Amazon EKS Kubernetes clusters, where they enumerated running pods and pulled container configurations. From there they downloaded several Docker images containing exchange software and internal credentials.
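Terraform state is a JSON document whose resource attributes are stored in plaintext, which is why a leaked tfstate hands over database passwords and IAM keys. The scanner below is an added example (not code from the researchers or any tool named in the report) that walks a state file and flags attributes whose name or value looks like a credential; the sample state, the attribute-name list and the AKIA value pattern are assumptions for illustration, and the secret values are dummies.

```python
import json
import re

# Constructed sample tfstate (not taken from the incident); every secret value below is a dummy,
# and the AKIA... key is the AWS documentation example key.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "resources": [
        {"type": "aws_db_instance", "name": "exchange", "instances": [{"attributes": {
            "identifier": "exchange-prod",
            "username": "admin",
            "password": "CorrectHorseBatteryStaple",
            "address": "exchange-prod.abc123.ap-northeast-2.rds.amazonaws.com",
        }}]},
        {"type": "aws_iam_access_key", "name": "deploy", "instances": [{"attributes": {
            "id": "AKIAIOSFODNN7EXAMPLE",
            "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        }}]},
        {"type": "aws_instance", "name": "web", "instances": [{"attributes": {
            "id": "i-0123456789abcdef0",
            "ami": "ami-0123456789abcdef0",
        }}]},
    ],
})

# Attribute names that usually hold credentials (assumed list), plus one value pattern
# (an AWS access key ID) so that keys stored under an innocuous name are still caught.
KEY_PATTERN = re.compile(r"password|secret|private_key|token|access_key|connection_string", re.I)
VALUE_PATTERN = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def walk(node, path=()):
    """Yield (dotted path, leaf value) for every scalar in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (str(index),))
    else:
        yield ".".join(path), node


def find_secrets(tfstate_text):
    """Return the attributes in a tfstate document that look like secrets.

    Only a short prefix of each value is kept so the report itself does not leak the secret.
    """
    state = json.loads(tfstate_text)
    findings = []
    for resource in state.get("resources", []):
        for index, instance in enumerate(resource.get("instances", [])):
            for path, value in walk(instance.get("attributes", {})):
                if not isinstance(value, str) or not value:
                    continue
                leaf = path.rsplit(".", 1)[-1]
                if KEY_PATTERN.search(leaf) or VALUE_PATTERN.search(value):
                    findings.append({
                        "resource": f"{resource['type']}.{resource['name']}[{index}]",
                        "attribute": path,
                        "preview": value[:4] + "...",
                    })
    return findings


if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_TFSTATE):
        print(f"{finding['resource']}: {finding['attribute']} = {finding['preview']}")
```

Run against the sample it reports the RDS password and both halves of the IAM access key, and nothing from the EC2 instance. The same walk applies to a state file pulled from an S3 backend, which is the position the attackers were in once they had a working AWS key.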
Secret Harvesting and Data Exfiltration
The attackers aggressively harvested secrets from AWS Secrets Manager and Kubernetes environments. They retrieved plaintext credentials and decoded base64 secrets from cluster configurations. Moreover, they accessed configuration files stored inside running containers.
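The cloud intrusion described in the two sections above follows a recognisable shape in CloudTrail: a key is checked with sts:GetCallerIdentity, then read-only List/Describe/Get calls fan out across many services in a few minutes, ending in secretsmanager:GetSecretValue. The detector below is an added example, not code from the researchers or any vendor, that looks for that burst. The records are constructed and abridged; the eventName strings are CloudTrail's own names for these calls (lambda:ListFunctions is logged as ListFunctions20150331), while the key IDs, IPs, timestamps, window length and service threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed CloudTrail-style records (abridged to the fields the rule needs; not from the
# incident). Account, key IDs, times and IPs are dummies.
def _event(time, source, name, key, ip):
    return {"eventTime": time, "eventSource": f"{source}.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}, "sourceIPAddress": ip}


BAD, GOOD = "AKIAEXAMPLEBADKEY001", "AKIAEXAMPLEGOODKEY01"
SAMPLE_EVENTS = [
    _event("2024-01-15T03:00:00Z", "sts", "GetCallerIdentity", BAD, "198.51.100.7"),
    _event("2024-01-15T03:00:12Z", "s3", "ListBuckets", BAD, "198.51.100.7"),
    _event("2024-01-15T03:00:40Z", "ec2", "DescribeInstances", BAD, "198.51.100.7"),
    _event("2024-01-15T03:01:05Z", "rds", "DescribeDBInstances", BAD, "198.51.100.7"),
    _event("2024-01-15T03:01:30Z", "lambda", "ListFunctions20150331", BAD, "198.51.100.7"),
    _event("2024-01-15T03:02:00Z", "eks", "ListClusters", BAD, "198.51.100.7"),
    _event("2024-01-15T03:02:20Z", "eks", "DescribeCluster", BAD, "198.51.100.7"),
    _event("2024-01-15T03:03:00Z", "secretsmanager", "GetSecretValue", BAD, "198.51.100.7"),
    _event("2024-01-15T03:03:10Z", "secretsmanager", "GetSecretValue", BAD, "198.51.100.7"),
    _event("2024-01-15T03:04:00Z", "ecr", "GetAuthorizationToken", BAD, "198.51.100.7"),
    # A normal deploy key touching two services is not flagged.
    _event("2024-01-15T03:00:30Z", "ec2", "DescribeInstances", GOOD, "10.0.3.4"),
    _event("2024-01-15T03:30:00Z", "s3", "PutObject", GOOD, "10.0.3.4"),
]

RECON_PREFIXES = ("List", "Describe", "Get")  # read-only calls used to map an account
WINDOW = timedelta(minutes=10)                 # assumed sliding window
MIN_SERVICES = 4                               # assumed threshold of distinct services


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_enumeration(events, window=WINDOW, min_services=MIN_SERVICES):
    """Return {accessKeyId: alert} for keys that enumerate many services in one window."""
    by_key = defaultdict(list)
    for event in events:
        by_key[event["userIdentity"]["accessKeyId"]].append(event)

    alerts = {}
    for key, key_events in by_key.items():
        key_events.sort(key=_ts)
        for i, start in enumerate(key_events):
            t0 = _ts(start)
            in_window = [e for e in key_events[i:] if _ts(e) <= t0 + window]
            recon = [e for e in in_window if e["eventName"].startswith(RECON_PREFIXES)]
            services = {e["eventSource"].split(".")[0] for e in recon}
            if len(services) < min_services:
                continue
            names = [e["eventName"] for e in in_window]
            alerts[key] = {
                "window_start": start["eventTime"],
                "services": sorted(services),
                # A freshly stolen key is usually checked with sts:GetCallerIdentity first.
                "validated_first": names[0] == "GetCallerIdentity",
                "secrets_read": names.count("GetSecretValue"),
                "source_ips": sorted({e["sourceIPAddress"] for e in in_window}),
            }
            break  # one alert per key is enough
    return alerts


if __name__ == "__main__":
    for key, alert in detect_enumeration(SAMPLE_EVENTS).items():
        print(key, alert)
```

Only the stolen key trips the rule: eight services inside ten minutes, validated first, two secret reads. The source IP set is worth carrying into the alert because a key that is normally used from a CI runner and suddenly appears from a VPN exit is the cheapest corroborating signal.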
Additionally, the attackers cloned private Git repositories that hosted internal exchange applications. Some stolen software included applications developed by the crypto infrastructure provider ChainUp. Analysts believe the attackers compromised a ChainUp customer rather than the vendor itself.
Consequently, the hackers extracted five container images that contained proprietary cryptocurrency exchange logic. These images also included hardcoded credentials and internal service configurations.
Infrastructure and Attribution Clues
Researchers traced the attack infrastructure to servers hosted in South Korea. The main attack server operated at IP address 64.176.226[.]36 and used the domain itemnania[.]com. Additionally, attackers accessed the system through South Korean FlyVPN nodes to mask their origin.
Moreover, investigators observed command-and-control activity using VShell and FRP tunneling tools. VShell operated on port 8082, while FRP maintained persistent access over port 53. These tools allowed attackers to manage compromised systems remotely.
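FRP on port 53 is chosen because outbound 53 is rarely blocked, but a tunnel does not look like DNS: it is TCP, the sensor parses no DNS in it, and the session stays up for hours. The check below is an added example (not from the researchers) that applies that heuristic to Zeek-style conn.log rows and also matches the attack server IP the article reports, used here as a one-entry watchlist. The log lines are constructed, and the column subset and the 60-second duration threshold are assumptions.

```python
# Constructed Zeek-style conn.log excerpt (tab separated, abridged columns; not real traffic).
# Columns: ts uid orig_h orig_p resp_h resp_p proto service duration orig_bytes resp_bytes
SAMPLE_CONN_LOG = """\
1700000000.1\tC1\t10.0.1.5\t51234\t10.0.0.2\t53\tudp\tdns\t0.02\t60\t120
1700000001.2\tC2\t10.0.1.5\t51235\t64.176.226.36\t53\ttcp\t-\t3600.5\t48213\t917333
1700000002.3\tC3\t10.0.1.5\t51236\t64.176.226.36\t8082\ttcp\t-\t120.0\t4096\t16384
1700000003.4\tC4\t10.0.1.7\t51237\t10.0.0.2\t53\ttcp\tdns\t0.5\t200\t900
1700000004.5\tC5\t10.0.1.8\t51238\t203.0.113.10\t443\ttcp\tssl\t5.0\t1500\t80000
"""

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
          "duration", "orig_bytes", "resp_bytes"]

# The attack server IP reported in the article, used as a watchlist entry.
WATCHLIST = {"64.176.226.36"}
MIN_TUNNEL_SECONDS = 60.0  # assumed: a real DNS query over TCP is short; a tunnel stays up


def parse_conn_log(text):
    """Parse the abridged conn.log text into a list of dicts with typed numeric fields."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip Zeek header lines
            continue
        row = dict(zip(FIELDS, line.split("\t")))
        for name in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
            row[name] = int(row[name])
        row["duration"] = float(row["duration"])
        rows.append(row)
    return rows


def find_suspicious(rows):
    """Return {uid: [reasons]} for connections matching the report's C2 patterns."""
    findings = {}
    for row in rows:
        reasons = []
        if row["resp_h"] in WATCHLIST:
            reasons.append(f"destination {row['resp_h']} is on the watchlist")
        # FRP over 53: TCP, no DNS recognised by the sensor, long-lived session.
        if (row["resp_p"] == 53 and row["proto"] == "tcp" and row["service"] != "dns"
                and row["duration"] >= MIN_TUNNEL_SECONDS):
            reasons.append("long-lived non-DNS tcp/53 session (FRP-style tunnel)")
        if reasons:
            findings[row["uid"]] = reasons
    return findings


if __name__ == "__main__":
    for uid, reasons in find_suspicious(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(uid, "; ".join(reasons))
```

C2 is flagged twice (watchlist hit and tunnel shape), C3 only by the watchlist because 8082 is not distinctive on its own, and the legitimate TCP DNS lookup on C4 is left alone because the sensor identified it as DNS and it lasted half a second.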
Taken together, these patterns resemble previous North Korean crypto operations, in particular the TraderTraitor group, which previously targeted crypto supply chains. Researchers nevertheless rate the attribution at moderate confidence, citing limited direct evidence.