Security research firm Ctrl-Alt-Intel has uncovered a sophisticated cyberattack campaign targeting cryptocurrency exchanges, staking platforms, and software vendors. The attackers, suspected of having links to North Korean state-sponsored groups, successfully compromised cloud environments to extract sensitive data and source code. By leveraging specific vulnerabilities in popular development frameworks, the threat actors gained unauthorized access to internal infrastructures, posing a significant risk to the broader digital asset ecosystem.
Exploitation of React2Shell and Cloud Infrastructure
The breach was initiated through the exploitation of CVE-2025-55182, a vulnerability known as React2Shell. This flaw allowed the attackers to obtain AWS access credentials, which served as the entry point into the victims' cloud environments. Once inside, the hackers conducted extensive enumeration of various Amazon Web Services (AWS) resources to map out the target's digital footprint.
- S3 and EC2: Storage buckets and virtual servers were scanned for sensitive data.
- RDS and EKS: Relational databases and managed Kubernetes clusters were targeted for deeper infiltration.
- Secrets Manager: Digital keys and administrative credentials were systematically extracted.
Theft of Source Code and ChainUp Components
Beyond data collection, the researchers noted that the attackers focused heavily on intellectual property and software supply chains. The group extracted configuration data from Terraform files and Docker containers, eventually downloading five specific Docker images. This process led to the theft of proprietary source code, including critical software components related to customers of ChainUp, a prominent blockchain technology provider. ChainUp offers white-label solutions for exchanges and liquidity providers, meaning the compromise of their components could have cascading effects across multiple platforms.
The attackers enumerated resources such as S3, EC2, RDS, EKS, and ECR, and extracted keys and credentials from Secrets Manager and Kubernetes configurations.
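The sweep described above (a stolen key followed by discovery calls across S3, EC2, RDS, EKS, ECR and Secrets Manager within minutes) is the pattern a defender looks for in CloudTrail. The following is an added example, not code from Ctrl-Alt-Intel or the report: it flags any access key whose discovery calls span several services inside a short sliding window and notes which calls pulled material out rather than just inventorying it. The event records, key IDs and IP addresses are constructed.

```python
# Flag AWS access keys that sweep many services with discovery APIs in a short window.
# Added example, not from the report; SAMPLE_EVENTS are constructed CloudTrail-style records.
from collections import defaultdict
from datetime import datetime, timedelta

RECON_CALLS = {  # eventSource -> discovery eventNames used to map an account
    "s3.amazonaws.com": {"ListBuckets", "GetBucketPolicy"},
    "ec2.amazonaws.com": {"DescribeInstances", "DescribeSecurityGroups"},
    "rds.amazonaws.com": {"DescribeDBInstances"},
    "eks.amazonaws.com": {"ListClusters", "DescribeCluster"},
    "ecr.amazonaws.com": {"DescribeRepositories", "GetAuthorizationToken", "BatchGetImage"},
    "secretsmanager.amazonaws.com": {"ListSecrets", "GetSecretValue"},
}
EXFIL_CALLS = {"GetSecretValue", "BatchGetImage"}  # pull material out, not just inventory

def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_recon_bursts(events, min_services=4, window_minutes=30):
    """Map accessKeyId -> finding for keys whose discovery calls span >= min_services
    distinct AWS services inside any window_minutes-long sliding window."""
    by_key = defaultdict(list)
    for e in events:
        if e["eventName"] in RECON_CALLS.get(e["eventSource"], ()):
            by_key[e["userIdentity"]["accessKeyId"]].append(e)
    window, findings = timedelta(minutes=window_minutes), {}
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):  # window anchored on each event in turn
            in_win = [e for e in evs[i:] if _ts(e) - _ts(first) <= window]
            services = {e["eventSource"].split(".")[0] for e in in_win}
            if len(services) >= min_services:
                findings[key] = {
                    "services": sorted(services),
                    "source_ips": sorted({e["sourceIPAddress"] for e in in_win}),
                    "exfil_calls": sorted({e["eventName"] for e in in_win if e["eventName"] in EXFIL_CALLS}),
                }
                break
    return findings

def _ev(t, src, name, key="AKIACONSTRUCTED00001", ip="203.0.113.10"):  # constructed record
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip}

SAMPLE_EVENTS = [  # a stolen key sweeping the account, plus a benign CI key that only touches ECR
    _ev("2025-12-01T03:00:05Z", "s3.amazonaws.com", "ListBuckets"),
    _ev("2025-12-01T03:01:10Z", "ec2.amazonaws.com", "DescribeInstances"),
    _ev("2025-12-01T03:02:30Z", "rds.amazonaws.com", "DescribeDBInstances"),
    _ev("2025-12-01T03:04:00Z", "eks.amazonaws.com", "ListClusters"),
    _ev("2025-12-01T03:06:45Z", "ecr.amazonaws.com", "BatchGetImage"),
    _ev("2025-12-01T03:09:00Z", "secretsmanager.amazonaws.com", "GetSecretValue"),
    _ev("2025-12-01T03:00:00Z", "ecr.amazonaws.com", "DescribeRepositories", "AKIACONSTRUCTEDCI001", "10.0.4.7"),
]
```

Calling `find_recon_bursts(SAMPLE_EVENTS)` reports only the sweeping key with all six services and both extraction calls; the CI key, which touches a single service, stays quiet. Tune `min_services` and `window_minutes` against your own baseline of automation keys before alerting on this.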
Attribution and Infrastructure Trace
Technical analysis of the attack infrastructure revealed a connection to a server located in South Korea at the IP address 64.176.226.24. While the server itself is physically in South Korea, the tactics, techniques, and procedures (TTPs) align with known North Korean cyber operations. These groups frequently target the DeFi and exchange sectors to bypass international sanctions and generate revenue for the regime.
The discovery of this campaign underscores the evolving threats facing the blockchain industry, particularly regarding cloud security and supply chain integrity. As hackers increasingly target the underlying infrastructure of staking platforms and exchange vendors, service providers are urged to implement rigorous auditing of their AWS permissions and patch development frameworks against known exploits like React2Shell to mitigate the risk of similar intrusions.