Security agency: Suspected North Korean hacker groups collaborate to attack cryptocurrency companies, stealing keys and cloud assets


BlockBeats, 2026/03/09 03:10

BlockBeats news, March 9: Security research organization Ctrl-Alt-Intel disclosed that a group of hackers suspected of links to North Korea launched attacks targeting staking platforms, exchange software vendors, and crypto exchanges. The attackers exploited the React2Shell vulnerability (CVE-2025-55182) and used previously obtained AWS access credentials to infiltrate cloud environments, enumerate resources such as S3, EC2, RDS, EKS, and ECR, and extract keys and credentials from Secrets Manager, Terraform files, Kubernetes configurations, and Docker containers.


Researchers stated that the attackers downloaded five Docker images and stole source code, including software components related to ChainUp clients. The attack infrastructure involved a Korean server at 64.176.226[.]36 and the domain itemnania[.]com. The report noted that this activity is consistent with North Korean attack characteristics, but the attribution confidence is medium, and the source of the AWS credentials remains unclear.
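A defender-side check for the pattern described above, added here as an example and not taken from the Ctrl-Alt-Intel report or the original article: it scans CloudTrail-style records for principals that called from the reported address, or that enumerated several of the listed services and also read from Secrets Manager. The sample events, ARNs, and the `MIN_SERVICES` threshold are constructed assumptions; the field names are the standard CloudTrail record fields.

```python
from collections import defaultdict

IOC_IPS = {"64.176.226.36"}  # address from the article, refanged for matching
ENUM_SERVICES = {"s3", "ec2", "rds", "eks", "ecr"}  # services the article lists
MIN_SERVICES = 3  # assumed threshold; tune to your own baseline

def ev(time, arn, ip, service, name):
    """Build a record with the CloudTrail fields this check reads."""
    return {"eventTime": time, "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "eventSource": service + ".amazonaws.com", "eventName": name}

# Constructed records, not real telemetry. ARNs are placeholders;
# 198.51.100.7 is a documentation-range address.
CI_USER = "arn:aws:iam::111122223333:user/ci-deploy"
APP_USER = "arn:aws:iam::111122223333:user/app-backend"
SAMPLE_EVENTS = [
    ev("2026-03-01T02:00:01Z", CI_USER, "64.176.226.36", "s3", "ListBuckets"),
    ev("2026-03-01T02:00:04Z", CI_USER, "64.176.226.36", "ec2", "DescribeInstances"),
    ev("2026-03-01T02:00:09Z", CI_USER, "64.176.226.36", "rds", "DescribeDBInstances"),
    ev("2026-03-01T02:00:15Z", CI_USER, "64.176.226.36", "eks", "ListClusters"),
    ev("2026-03-01T02:01:30Z", CI_USER, "64.176.226.36", "secretsmanager", "GetSecretValue"),
    ev("2026-03-01T09:12:00Z", APP_USER, "198.51.100.7", "s3", "ListBuckets"),
    ev("2026-03-01T09:12:05Z", APP_USER, "198.51.100.7", "secretsmanager", "GetSecretValue"),
]

def find_suspects(events, min_services=MIN_SERVICES, ioc_ips=IOC_IPS):
    """Return {arn: finding} for principals that called from an IoC address, or
    that enumerated at least min_services services and also read secrets."""
    enumerated, secret_reads, ioc_hits = defaultdict(set), defaultdict(int), defaultdict(set)
    for e in events:
        arn = e["userIdentity"].get("arn", "unknown")  # some identity types carry no ARN
        service = e["eventSource"].split(".")[0]
        if e["sourceIPAddress"] in ioc_ips:
            ioc_hits[arn].add(e["sourceIPAddress"])
        if service in ENUM_SERVICES and e["eventName"].startswith(("List", "Describe")):
            enumerated[arn].add(service)
        elif service == "secretsmanager" and e["eventName"] == "GetSecretValue":
            secret_reads[arn] += 1
    findings = {}
    for arn in set(enumerated) | set(secret_reads) | set(ioc_hits):
        broad = len(enumerated[arn]) >= min_services and secret_reads[arn] > 0
        if broad or ioc_hits[arn]:
            findings[arn] = {"services": sorted(enumerated[arn]),
                             "secret_reads": secret_reads[arn],
                             "ioc_ips": sorted(ioc_hits[arn])}
    return findings

if __name__ == "__main__":
    for arn, finding in find_suspects(SAMPLE_EVENTS).items():
        print(arn, finding)
```

Passing `ioc_ips=set()` runs the behavioural check alone, which still applies once the reported infrastructure has been rotated.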
