
Security Agency: Suspected North Korean hacker group collaborates to attack cryptocurrency companies to steal keys and cloud assets

March 9, 2026 11:08:07


Security research organization Ctrl-Alt-Intel disclosed that a group of hackers suspected to be linked to North Korea has targeted staking platforms, exchange software vendors, and cryptocurrency exchanges.

The attackers exploited the React2Shell vulnerability (CVE-2025-55182) and used obtained AWS access credentials to compromise cloud environments. They enumerated resources such as S3, EC2, RDS, EKS, and ECR, and extracted keys and credentials from Secrets Manager, Terraform files, Kubernetes configurations, and Docker containers. Researchers stated that the attackers downloaded 5 Docker images and stole source code, including components related to ChainUp clients.

The attack infrastructure involved a South Korean server, 64.176.226[.]36, and the domain itemnania[.]com. The report indicated that this activity is consistent with North Korean-related attack characteristics, but the attribution confidence level is moderate, and the source of the AWS credentials remains unclear.
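
Defenders can hunt for the cloud activity described above in CloudTrail by looking for a single identity that lists or describes resources across several of S3, EC2, RDS, EKS and ECR and then reads a secret. The sketch below is an added example, not taken from the Ctrl-Alt-Intel report; the account ID, ARNs, timestamps, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventSource values for the services the report says were enumerated.
ENUM_SOURCES = {f"{s}.amazonaws.com" for s in ("s3", "ec2", "rds", "eks", "ecr")}
SECRET_READ = ("secretsmanager.amazonaws.com", "GetSecretValue")

def _t(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def flag_sweeps(events, window=timedelta(minutes=30), min_services=4):
    """Map principal ARN -> services it enumerated, for identities that made
    List*/Describe* calls on >= min_services services in the `window` before
    a Secrets Manager read. Thresholds are assumptions; tune per environment."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)
    flagged = {}
    for arn, evs in by_principal.items():
        for read in evs:
            if (read["eventSource"], read["eventName"]) != SECRET_READ:
                continue
            seen = {e["eventSource"] for e in evs
                    if e["eventSource"] in ENUM_SOURCES
                    and e["eventName"].startswith(("List", "Describe"))
                    and timedelta(0) <= _t(read) - _t(e) <= window}
            if len(seen) >= min_services:
                flagged[arn] = sorted(seen)
                break
    return flagged

def ev(arn, hms, service, name):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"userIdentity": {"arn": arn}, "eventTime": f"2026-01-01T{hms}Z",
            "eventSource": f"{service}.amazonaws.com", "eventName": name}

SWEEPER = "arn:aws:iam::111122223333:user/example-ci"    # constructed
NORMAL = "arn:aws:iam::111122223333:role/example-app"    # constructed
SAMPLE = [
    ev(SWEEPER, "10:00:00", "s3", "ListBuckets"),
    ev(SWEEPER, "10:01:00", "ec2", "DescribeInstances"),
    ev(SWEEPER, "10:02:00", "rds", "DescribeDBInstances"),
    ev(SWEEPER, "10:03:00", "eks", "ListClusters"),
    ev(SWEEPER, "10:04:00", "ecr", "DescribeRepositories"),
    ev(SWEEPER, "10:06:00", "secretsmanager", "GetSecretValue"),
    ev(NORMAL, "09:59:00", "ec2", "DescribeInstances"),
    ev(NORMAL, "10:00:00", "secretsmanager", "GetSecretValue"),
]

if __name__ == "__main__":
    print(flag_sweeps(SAMPLE))
```

Because the source of the AWS credentials is unknown, the check keys on behaviour per identity rather than on source IP; an identity that normally touches one service and suddenly touches five is the signal.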
