North Korea-Linked Hackers Target Crypto Supply Chain in Coordinated Campaign
A sophisticated cyberattack campaign, attributed to North Korea-linked threat actors, has targeted multiple layers of the cryptocurrency supply chain, compromising staking platforms, exchange software providers, and exchanges themselves. The operation, uncovered in January 2026, resulted in the theft of proprietary source code, private keys, and cloud-stored secrets, marking one of the most calculated intrusions in the crypto sector in recent months.
The attackers employed two distinct intrusion methods: exploiting CVE-2025-55182, a vulnerability in the React2Shell framework, to breach crypto staking platforms, and leveraging stolen AWS access tokens to bypass initial exploitation and directly infiltrate cloud infrastructure. Researchers at Ctrl-Alt-Intel gained rare insight into the attackers’ operations after discovering exposed open directories containing shell history logs, archived source code, and tool configurations, revealing the full scope of the campaign.
Among the stolen assets were .env files containing hardcoded private keys for Tron blockchain wallets; blockchain records show 52.6 TRX transferred during the exploitation window, though it remains unclear whether the North Korea-linked actors or another threat group executed the transfer. Additionally, compromised Docker container images from a cryptocurrency exchange contained hardcoded database credentials, internal configurations, and proprietary exchange logic, aligning with North Korea’s documented strategy of pre-positioning for large-scale crypto theft.
In the AWS-focused phase, the attackers conducted broad enumeration of EC2 instances, RDS databases, S3 buckets, Lambda functions, and EKS clusters, using grep searches to locate sensitive files such as .pem, .key, and .ppk credential files. They also downloaded Terraform state files, which often store infrastructure secrets, and pivoted into Kubernetes clusters by updating kubeconfig files. Once inside, they exfiltrated ConfigMaps, Kubernetes Secrets, and Docker container images in plaintext.
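The enumeration pattern described above (one access key touching EC2, RDS, S3, Lambda and EKS in quick succession, followed by a read of a Terraform state object) is visible in CloudTrail. The following is an added detection example written for this summary; it is not code from the original report or from Ctrl-Alt-Intel. The events are constructed CloudTrail-shaped records, the access key IDs and bucket names are made up, and the thresholds (four distinct services within fifteen minutes) are assumptions a team would tune to its own baseline.

```python
"""Flag broad cloud enumeration and sensitive object reads in CloudTrail-style events.

Added example with constructed sample data; thresholds are assumptions, not
values taken from the reported campaign.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Read-only discovery calls across services; the campaign hit EC2, RDS, S3, Lambda, EKS.
ENUM_PREFIXES = ("Describe", "List")
# Object names that commonly hold secrets (Terraform state, key material, env files).
SENSITIVE_SUFFIXES = (".tfstate", ".pem", ".key", ".ppk", ".env")
MIN_SERVICES = 4          # distinct eventSource values within one window (assumed threshold)
WINDOW_SECONDS = 15 * 60  # sliding window length (assumed threshold)


def _evt(ts, source, event_name, key_id, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": ts, "eventSource": source, "eventName": event_name,
            "userIdentity": {"accessKeyId": key_id}, "requestParameters": params}


SAMPLE_EVENTS = [
    # Key 1 (constructed): five services in about a minute, then a state-file read.
    # Note that 'aws eks update-kubeconfig' issues eks:DescribeCluster, so the
    # kubeconfig pivot shows up here as an ordinary Describe call.
    _evt("2026-01-10T03:00:01Z", "ec2.amazonaws.com", "DescribeInstances", "AKIAEXAMPLE000001"),
    _evt("2026-01-10T03:00:09Z", "rds.amazonaws.com", "DescribeDBInstances", "AKIAEXAMPLE000001"),
    _evt("2026-01-10T03:00:20Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLE000001"),
    _evt("2026-01-10T03:00:31Z", "lambda.amazonaws.com", "ListFunctions", "AKIAEXAMPLE000001"),
    _evt("2026-01-10T03:00:44Z", "eks.amazonaws.com", "ListClusters", "AKIAEXAMPLE000001"),
    _evt("2026-01-10T03:01:02Z", "eks.amazonaws.com", "DescribeCluster", "AKIAEXAMPLE000001", name="prod"),
    _evt("2026-01-10T03:02:15Z", "s3.amazonaws.com", "GetObject", "AKIAEXAMPLE000001",
         bucketName="example-infra-state", key="prod/terraform.tfstate"),
    # Key 2 (constructed): routine activity, two services hours apart, harmless object.
    _evt("2026-01-10T03:00:05Z", "ec2.amazonaws.com", "DescribeInstances", "AKIAEXAMPLE000002"),
    _evt("2026-01-10T05:10:00Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLE000002"),
    _evt("2026-01-10T05:11:00Z", "s3.amazonaws.com", "GetObject", "AKIAEXAMPLE000002",
         bucketName="example-reports", key="reports/summary.csv"),
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_enumeration(event):
    """True for Describe*/List* discovery calls."""
    return event["eventName"].startswith(ENUM_PREFIXES)


def is_sensitive_read(event):
    """True for S3 GetObject on an object whose name suggests secret material."""
    key = event.get("requestParameters", {}).get("key", "")
    return event["eventName"] == "GetObject" and key.lower().endswith(SENSITIVE_SUFFIXES)


def detect(events, window=WINDOW_SECONDS, min_services=MIN_SERVICES):
    """Return findings per access key: broad enumeration and sensitive object reads."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)

    findings = []
    for key_id, evs in sorted(by_key.items()):
        evs = sorted(evs, key=lambda e: _parse_time(e["eventTime"]))
        enum_evs = [e for e in evs if is_enumeration(e)]
        services_hit = set()
        # Slide a window starting at each discovery call and count distinct services.
        for i, first in enumerate(enum_evs):
            t0 = _parse_time(first["eventTime"])
            in_window = [e for e in enum_evs[i:]
                         if (_parse_time(e["eventTime"]) - t0).total_seconds() <= window]
            services = {e["eventSource"] for e in in_window}
            if len(services) >= min_services:
                services_hit |= services
        if services_hit:
            findings.append({"accessKeyId": key_id, "finding": "broad_enumeration",
                             "services": sorted(services_hit)})
        objects = [e["requestParameters"]["key"] for e in evs if is_sensitive_read(e)]
        if objects:
            findings.append({"accessKeyId": key_id, "finding": "sensitive_object_read",
                             "objects": objects})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the first key produces a broad_enumeration finding listing all five services and a sensitive_object_read finding for the .tfstate object, while the second key produces nothing. S3 object-level events only appear in CloudTrail when data events are enabled for the bucket, so the second rule depends on that logging being switched on for state and secrets buckets.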
For command-and-control, the threat actors deployed VShell on port 8082 and used FRP as a tunneling proxy over port 53 (DNS), evading standard network monitoring. Connections to their primary VPS were routed over IPv6, further bypassing detection tools designed for IPv4 traffic. The campaign underscores the attackers’ meticulous planning and deep access to critical crypto infrastructure.
Source: https://cybersecuritynews.com/suspected-dprk-threat-actors-compromise-crypto-firms/
Hunt Intelligence, Inc. cybersecurity rating report: https://www.rankiteo.com/company/hunt-intelligence-inc
AWS Databases & Analytics cybersecurity rating report: https://www.rankiteo.com/company/aws-databases
"id": "HUNAWS1772735373",
"linkid": "hunt-intelligence-inc, aws-databases",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'Cryptocurrency',
'type': ['Crypto staking platforms',
'Exchange software providers',
'Cryptocurrency exchanges']}],
'attack_vector': ['Exploitation of CVE-2025-55182 (React2Shell framework)',
'Stolen AWS access tokens'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['.env', '.pem', '.key', '.ppk'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Proprietary source code',
'Private keys',
'Cloud-stored secrets',
'Database credentials',
'Terraform state files',
'Kubernetes Secrets',
'ConfigMaps']},
'date_detected': '2026-01',
'description': 'A sophisticated cyberattack campaign, attributed to North '
'Korea-linked threat actors, has targeted multiple layers of '
'the cryptocurrency supply chain, compromising staking '
'platforms, exchange software providers, and exchanges '
'themselves. The operation resulted in the theft of '
'proprietary source code, private keys, and cloud-stored '
'secrets, marking one of the most calculated intrusions in the '
'crypto sector in recent months.',
'impact': {'data_compromised': ['Proprietary source code',
'Private keys',
'Cloud-stored secrets',
'.env files',
'Docker container images',
'Database credentials',
'Terraform state files',
'Kubernetes Secrets',
'ConfigMaps'],
'operational_impact': 'Compromise of critical crypto '
'infrastructure and potential large-scale '
'crypto theft',
'systems_affected': ['Crypto staking platforms',
'Exchange software providers',
'Cryptocurrency exchanges',
'AWS cloud infrastructure (EC2, RDS, S3, '
'Lambda, EKS)']},
'motivation': ['Financial gain', 'Theft of cryptocurrency assets'],
'post_incident_analysis': {'root_causes': ['Exploitation of CVE-2025-55182',
'Stolen AWS access tokens',
'Exposed open directories']},
'references': [{'source': 'Ctrl-Alt-Intel'}],
'response': {'third_party_assistance': 'Ctrl-Alt-Intel'},
'threat_actor': 'North Korea-linked threat actors',
'title': 'North Korea-Linked Hackers Target Crypto Supply Chain in '
'Coordinated Campaign',
'type': ['Supply Chain Attack',
'Data Breach',
'Cloud Infrastructure Compromise'],
'vulnerability_exploited': 'CVE-2025-55182'}