Normal view

Detecting and preventing crypto mining in your AWS environment

13 May 2026 at 23:47

This article guides you on how to use Amazon GuardDuty to identify and mitigate cryptocurrency mining threats in your Amazon Web Services (AWS) environment. You’ll learn about the specialized detection capabilities of GuardDuty and best practices to build a multi-layered defense strategy that protects your infrastructure costs and security posture.

Understanding the crypto mining challenge

Crypto mining in AWS environments represents a notable security challenge that extends beyond basic resource consumption.

When threat actors gain unauthorized access to cloud resources for mining operations, organizations face multiple consequences:

  • Cost increases that can range from hundreds to thousands of dollars.
  • Performance degradation that can affect legitimate workloads.
  • Potential additional security incidents that can lead to data exposure or ransomware deployment.

The complexity of crypto mining incidents continues to evolve, with unauthorized users employing advanced techniques to evade detection while maximizing resource use. Organizations often discover these intrusions only after they experience the financial effects or when resource exhaustion affects business operations.

When crypto mining indicates broader system vulnerabilities, additional concerns arise. Unauthorized users who gain access for mining purposes can install backdoors, expose sensitive data through compromised credentials, or create pathways for lateral movement within your AWS infrastructure.

Identifying signs of crypto mining activity

Organizations must remain vigilant for several key indicators of crypto mining activities. These indicators include connections to unknown IP addresses or the use of known mining pool ports, such as 3333. Sustained high CPU or GPU usage that doesn’t align with normal business operations can also signal mining activity. Unexpected network traffic patterns, particularly spikes to unfamiliar IP addresses, also warrant investigation.

Security teams must monitor for unfamiliar processes or applications that run without authorization on their resources.

How GuardDuty detects crypto mining

GuardDuty employs advanced detection methods specifically designed to identify crypto mining activities across your AWS environment. The service uses machine learning algorithms to analyze multiple data sources. These data sources are trained on global threat data gathered by AWS, anomaly detection that establishes behavioral baselines, and integrated threat intelligence from AWS Security and partners.

GuardDuty’s crypto mining detection capabilities include several specialized finding types:

GuardDuty monitors Amazon Virtual Private Cloud (Amazon VPC) Flow Logs for suspicious network patterns and analyzes DNS queries for mining-related domains. GuardDuty also scrutinizes AWS CloudTrail events for suspicious API calls and collects workload telemetry when you turn on Runtime Monitoring. This comprehensive approach allows for detection across Amazon EC2 instances, Amazon Elastic Container Service (Amazon ECS) clusters, Kubernetes environments, and standalone containers.

When you turn on the Runtime Monitoring feature, GuardDuty deploys lightweight agents that provide deeper visibility into runtime processes and system behavior, and enables findings such as CryptoCurrency:Runtime/BitcoinTool.B and Impact:Runtime/CryptoMinerExecuted. These findings detect crypto mining software that operates within your workloads. For containerized environments, Amazon Elastic Kubernetes Service (Amazon EKS) findings can indicate when unauthorized access is potentially used for crypto mining operations.

Building multilayered protection against crypto mining

Organizations typically find that crypto mining protection benefits from multiple security layers, with the detection capabilities provided by GuardDuty forming one component of a broader security strategy. Consider turning on GuardDuty across all AWS accounts and AWS Regions through AWS Organizations. Activated Runtime Monitoring and Amazon EKS protection features provide comprehensive coverage.

The following actions can enhance GuardDuty capabilities:

  • Configure Amazon CloudWatch to monitor resource use metrics and set alarms for unusual CPU, network, or GPU usage spikes that might indicate mining activity. Implement AWS Config rules to verify that security configurations are compliant. These checks make sure that security groups don’t allow broad internet access, and that IMDSv2 is enforced.
  • Deploy AWS Network Firewall to enable granular outbound filtering and allow necessary internet connectivity while blocking access to crypto mining infrastructure.
  • Deploy AWS Systems Manager to maintain visibility into instance configurations. Inventory, a capability of Systems Manager, tracks installed applications to detect mining software. Additionally, Run Command and State Manager—capabilities of Systems Manager—enforce security policies across your fleet.
  • Create automated remediation workflows that use Amazon EventBridge and Lambda to respond immediately when GuardDuty detects crypto mining activities.

Best practices for comprehensive protection

Access management and authentication

  • To strengthen your preventive measures, implement least privilege access with AWS Identity and Access Management (IAM). For software use cases, use IAM roles inside of AWS and IAM Roles Anywhere outside of AWS instead of long-lived access keys. For human identities, centralize user management through AWS IAM Identity Center with multi-factor authentication (MFA) features, in addition to attribute-based access control for fine-grained permissions. If you don’t use Identity Center, then turn on MFA for all IAM users, including those with administrative privileges, and require MFA for sensitive operations.
  • If you can’t eliminate the use of long-lived access keys, then implement regular access key rotation policies and apply least privilege access to all IAM policies. Regularly audit IAM permissions to identify and remove excessive privileges.

System maintenance and configuration

  • Use Patch Manager, a capability of Systems Manager, to implement automated patching and maintain current Amazon Machine Images (AMIs) for all deployed EC2 instances. Establish a regular patch cadence for all systems and test patches in non-production environments before you deploy a patch.
  • Implement strict ingress rules in security groups and allow only necessary traffic. Use egress filtering to prevent unauthorized outbound connections to mining pools. Regularly audit security group configurations to make sure that the configurations meet security requirements.

Data protection

  • Use AWS Key Management Service (AWS KMS)S) to turn on encryption for all data at rest, and implement TLS for data in transit. AWS KMS uses envelope encryption by default, and protects your data keys with master keys to provide enhanced security and performance. It’s a best practice to regularly rotate encryption keys.

Benefits of comprehensive crypto mining protection

Organizations that implement these comprehensive security measures can experience the following improvements in their security posture and operational efficiency:

  • Reduced detection time: Detection times for crypto mining activities decrease from days or weeks to minutes so that teams can rapidly contain issues before significant damage occurs.
  • Automated responses: Automated response workflows reduce manual intervention requirements so that security teams can focus on strategic initiatives.
  • Cost control: These measures identify and terminate unauthorized resource consumption and prevent unexpected billing increases.
  • Performance stability: Crypto mining processes no longer monopolize CPU, memory, and network resources so that your organization can maintain application performance.
  • Enhanced visibility: The monitoring approach helps identify crypto mining and other security threats that might go unnoticed.
  • Team confidence: Security teams gain confidence through continuous monitoring and automated alerts. Teams can be secure in knowing that crypto mining attempts are promptly detected and addressed.

The implementation of preventive controls reduces the potential for initial incidents. Regular patching and configuration management further strengthen your overall security posture.

Crypto mining approval on AWS

AWS requires written approval for crypto mining activities on AWS under AWS Service Terms (Section 1.25). This requirement helps protect both your resources and the broader AWS infrastructure.

Requesting approval

AWS Trust & Safety reviews requests to help prevent mining activities from negatively affecting service performance or security. When submitting your request, include the following information:

  • Describe your mining purpose and business case.
  • Outline your infrastructure planning and cost management approach.
  • Detail your security measures to prevent unauthorized access.
  • Provide emergency contacts for rapid communication, if issues arise.
  • Specify the number of instances and type of crypto mining.

What to expect after approval

Approved mining operations must follow specific guidelines to maintain good standing. AWS monitors approved mining activities to verify that the activities don’t generate abuse reports, effect service performance, or deviate from prescribed architecture and security practices.

Important considerations

Review the following information:

  • You can’t use AWS Credits and Free Tier resources for crypto mining activities.
  • It’s essential to continuously monitor your mining resources.
  • Based on changing infrastructure conditions, AWS can adjust approvals.

This approval process distinguishes legitimate mining operations from unauthorized activities that might indicate security compromises.

Conclusion

To protect AWS environments against crypto mining, AWS Trust & Safety recommends taking a comprehensive approach that combines advanced threat detection with proactive security measures. GuardDuty provides foundational detection capabilities that help to identify crypto mining activities, while complementary AWS services create a robust security ecosystem that protects your infrastructure and data.

Security is a shared responsibility. While AWS provides powerful tools and services designed to be highly secure, your organization’s implementation of security practices and controls determines your overall protection level. Regular review and updates of your security measures, as well as team training and awareness, help maintain an effective defense against crypto mining and other security threats in your AWS environment.

If you have feedback about this post, submit comments in the Comments section below.

Jason Palmer

Jason is a Senior Technical Account Manager (TAM) at AWS Enterprise Support, based in Seattle, Washington. With over 6 years at AWS, Jason combines deep technical expertise with a genuine passion for people — helping enterprise customers transform complex challenges into scalable cloud solutions.

Nadia Mahmood

Nadia is a Trust & Safety Customer Advisor at AWS, based in Virginia. Nadia works with enterprise customers on abuse reporting and compliance, handling escalated takedown requests and strategic partnerships to reduce abuse across AWS.

Contributors

Special thanks to James Ferguson, a Principal Solutions Architect and Jeffrey Bickford, a Security Engineering Manager, who made significant contributions to this post.

Fake Pudgy World site steals your crypto passwords

17 March 2026 at 17:10

A phishing site impersonating the newly-launched Pudgy World browser game is targeting crypto users with a technique that goes well beyond a convincing logo and matching color scheme.

Pudgy World is a free-to-play browser game built around the Pudgy Penguins NFT brand. Players explore a virtual world, customize penguin avatars, and complete quests. But some features are tied to digital collectibles and in-game items stored in cryptocurrency wallets.

That means the official game sometimes asks players to connect a crypto wallet to verify ownership of items or unlock additional features. The phishing site abuses that step: When a visitor selects their wallet on this fake site, it shows what appears to be that wallet’s own unlock screen. To the user, it looks for all the world like the real crypto wallet software they already trust.

Phishing site impersonating the Pudgy World site.
Phishing site impersonating the Pudgy World site.

“Connect your wallet to get started”

The Pudgy Penguins brand has had an extraordinary few months. The penguin NFT project, revived by CEO Luca Netz after he acquired it in 2022, has steadily built one of the most convincing crossover stories in Web3: physical plush toys on Walmart and Target shelves, a mobile game called Pudgy Party that crossed a million downloads, and a browser-based game called Pudgy World that went live on 10 March 2026 to immediate viral attention.

The official game asks players to connect a crypto wallet to get started. That text: “Connect your wallet to get started” is now appearing, verbatim, on a site that has nothing to do with Pudgy Penguins.

The domain in question is pudgypengu-gamegifts[.]live. It is not affiliated with Igloo Inc., the company behind Pudgy Penguins, in any way. The site reproduces the official game’s icy background artwork, the Pudgy Penguins logo, and the brand’s characteristic blue-and-white color palette with enough fidelity that a user arriving during the excitement of a new game launch would have no obvious reason for suspicion.

Eleven wallets, eleven convincing forgeries

Selecting a wallet here triggers the fake wallet interface.
Selecting a wallet here triggers the fake wallet interface.

Clicking the CONNECT button opens a dark-themed pop-up window built to resemble the Reown WalletConnect connection kit—the open-source library that the real Pudgy World site uses to handle wallet connections. The modal even displays the “reown” and “Manual Kit” tab labels at the top, matching the genuine component.

Inside is a list of supported wallets:

MetaMask (marked “RECOMMENDED”), Trust Wallet, Coinbase Wallet, Ledger, Trezor Wallet, Phantom Wallet, Rabby Wallet, OKX Wallet, Magic Eden, Solflare, and Uniswap Wallet.

The attack becomes technically interesting at the next step.

Selecting a software wallet does not redirect the user to another page or open an external site. Instead, the page renders an overlay designed to look like the wallet’s actual browser extension unlock screen. The overlay appears at the edge of the browser viewport right where a real extension popup would appear.

Hardware wallet flows behave differently. Selecting Trezor Wallet opens a center-screen dialog mimicking the Trezor Connect interface, rather than a corner overlay. In both cases, the result is that the user believes they are looking at their own installed software, when they are in fact looking at a webpage element controlled by the attacker.

The forgery sits exactly where your real extension would

For every browser extension wallet on the list, the phishing site renders an unlock screen built to match the real extension’s own visual identity, with the correct logo, color scheme, button layout, and wording.

The screenshots below show the forgeries alongside the genuine extensions. The differences are not visible to someone who is not looking for them.

  • Fake extension
    Fake extension
  • Real extension
    Real extension
  • Fake extension
    Fake extension
  • Real extension
    Real extension

  • Fake site
    Fake extension
  • Real extension
    Real extension

Hardware wallet users are not exempt, and the targeting of Trezor is particularly telling.

Trezor devices are typically owned by people who have been in crypto long enough to invest in dedicated security hardware. In other words, users likely holding higher-value accounts.

Selecting Trezor Wallet on the phishing site triggers a dialog that closely mimics the Trezor Connect bridge interface. At the same time, the browser displays a native USB device permission prompt—the operating system’s own dialog, triggered by a WebUSB API call—reading “pudgypengu-gamegifts.live wants to connect.”

The prompt says “No compatible devices found” if no Trezor is plugged in, but the sequence is designed to look like a genuine hardware handshake.

A user who plugs in their Trezor at this point and approves the USB permission has granted the phishing site access to the device bridge.

For those without a device to hand, the dialog offers another option: “Use an alternative connection method.” That path is likely where the most damage is done. A user who cannot get the hardware flow to work and falls back to a manual option is one step away from being asked to type in their seed phrase, the master key to everything in their wallet, directly into a field the attacker controls.

“No compatible devices found.”

The page that plays dead for researchers

The phishing page is more cautious than it first appears.

Embedded in the site is an obfuscated JavaScript loader, its real contents compressed and hidden behind multiple layers of encoding, that performs a series of checks before doing anything visible.

First, it tests whether the browser is being driven by an automated tool of the kind security researchers and sandboxes use to analyse suspicious pages in bulk. If it detects one, it quietly stops and the page appears clean.

Next, it reads the graphics hardware identifier to determine whether it is running inside a virtual machine, which is another common analysis environment.

Only once it is satisfied that a real user is present does it request a second, larger payload from the attacker’s server. That payload contains the code responsible for credential theft.

Even that request contains a safeguard. If the server response is smaller than 500 KB (the kind of placeholder response a security vendor might serve to a known malicious domain), the loader discards it and does nothing.

The practical consequence of all this is that automated scanning tools are likely to rate the initial page as benign, because on their infrastructure, it behaves like one. The malicious functionality never loads unless the attacker’s server decides the visitor is worth targeting.

Why this campaign targets Pudgy players

The timing seems to be deliberate. Pudgy World launched on March 10, 2026, and the phishing campaign appears to have been active around the same window. New players arriving at the game for the first time are walking through a Web3 onboarding flow they have never experienced before.

The legitimate “connect your wallet” step on the official site teaches users that this behaviour is normal. The phishing site then exploits that expectation before experience can challenge it.

The range of wallets targeted is also significant. The campaign leaves almost no wallet blind spot. Whether the victim holds Ethereum, Solana, or multi-chain assets, there is a convincing forgery waiting for them. Building 11 wallet-specific UI forgeries is not a trivial undertaking. It points either to a well-resourced threat actor or, more likely, to the reuse of a commercial phishing kit built for precisely this class of attack.

What to do if you may have been affected

Crypto phishing campaigns have long relied on fake airdrops and fake MetaMask pages. This campaign stands out for how precisely it imitates a wallet’s unlock screen, placing the prompt exactly where a real extension pop-up would appear and exploiting users’ muscle memory.

The attack also piggybacks on Pudgy World’s launch. As Web3 products reach wider audiences, they attract attackers targeting users unfamiliar with wallet security.

One rule still holds: a website can never display your real browser extension unlock screen.

  • If you entered your MetaMask, Coinbase Wallet, or any other software wallet password on this site, change your password immediately by unlocking the extension normally and going to Settings. Consider transferring assets to a new wallet address whose seed phrase has never been used on any website.
  • If you approved the USB device permission prompt for Trezor, disconnect your device and review your Trezor Suite connection history. A WebUSB connection alone does not expose your seed phrase, but it can allow a malicious page to communicate with the bridge. Revoke the permission in your browser’s site settings immediately.
  • Bookmark the official Pudgy Penguins site (pudgypenguins.com) and the official game URL. Navigate to it directly from that bookmark, never from a link in Discord, Twitter, or a direct message.
  • Install a browser extension that flags known phishing domains before you interact with them. Malwarebytes Browser Guard will block this domain.
  • Remind yourself of this rule: your wallet’s unlock screen always appears in the bar at the very top of the window, not inside the page itself. Any page that appears to show you your wallet’s password prompt inside the page content is a phishing site.

Indicators of Compromise (IOCs)

Domains

  • pudgypengu-gamegifts[.]live

The Whitelist Illusion – When Your Trusted List Becomes a Billion Dollar Attack Path

4 March 2026 at 13:00

Your whitelist is not a wall. For nation-state attackers, it’s a map, showing exactly who to compromise to get to your assets. $1,788,000,000 STOLEN FROM INSTITUTIONS WITH WHITELISTS, MULTISIGS, AND HARDWARE WALLETS IN PLACE TL;DR When you hold significant assets on a public blockchain, nation-state groups will target you – not if, but when Your whitelist tells attackers exactly which vendors and counterparties to compromise to reach your funds Bybit ($1.5B), WazirX ($235M), and Radiant ($53M) all had whitelists. All were drained through whitelisted entities The correct assumption: every whitelisted address is potentially compromised. Trust must be verified in real […]

The post The Whitelist Illusion – When Your Trusted List Becomes a Billion Dollar Attack Path appeared first on Check Point Blog.

❌