$45,000 AWS Crypto-Mining Hack Generates $800 of Monero

An Amazon Web Services (AWS) customer had a really bad day when they received an unsolicited $45,000 bill for renting computing power from Amazon’s cloud based servers. Further investigation showed that the customer’s account was hacked, allowing the bad actors to spin up AWS servers around the globe while running a cryptocurrency mining software for privacy-focused coin Monero.

On-demand, distributed computing services such as Microsoft’s Azure or Amazon’s Web Services are common, used by organizations and individuals for multiple purposes. However, the advent of cryptocurrencies brought about the possibility to directly exchange computing power for cryptocurrency tokens. That, in turn, has turned users’ cloud computing accounts into gold. Even if in this case, the amount of cryptocurrency actually earned was comparably pitiful compared to the costs it generated with it: 6 Monero coins worth approximately $800 were minted for a $45,000 cost.

? Excited to announce I just received my Christmas present from @awscloud!? Horrified to see it’s $45,000 in charges due to some scammer hacking my account + mining Crypto for the last few weeks Had no sleep last night. It’s now 23 hrs since my support ticket & no reply.December 14, 2021

The hack in question simply installed a known Monero mining program in each of the AWS computing resources. Every three minutes it repeated the install operation in an instance, and then kept the miner working for the maximum 15 minutes at a time that AWS allows “Lambda” functions to run. Amazon describes its support for Lambda functions as enabling users to “perform big data analysis, bulk data transformation, batch event processing, and statistical computations using longer running functions.” But clearly it can also be used for cryptocurrency mining.

Amazon finally called after 27 hrs, no doubt thanks to the attention this got.The agent was kind, but AWS’ processes means I must wait another 24hrs of ‘monitoring’ before the case is sent to billing ‘for review’, which can take daysKnowing I’m not alone really helps, thanksDecember 14, 2021

The AWS customer finally received a response from the company regarding his exorbitant $45,000 bill; after 27 hours of waiting, they informed him that his case would require a further 24 hours of “monitoring” before it was sent to the billing department for a proper review – which can then take days. It’s not unheard of for AWS or other cloud service companies to waive their fees as these cases emerge; if that’s the case here, then the user might just have to suffer the weight of that amount for a few more days. As more and more businesses and customers will start looking to offload their computational works to the cloud, though, perhaps further thought is required regarding cost control for these services.

It’s not an unheard of occurrence: developers using AWS sometimes wrongly submit their keys to GitHub – a costly mistake that enables hackers to freely reign over the account, accruing costs. There are at least four such accounts on this comment thread relating to the AWS hack.

But a hacker doesn’t need root access to an AWS account to do some damage. Not all cloud-provided services actually provide the option of setting a spending limit. Their argument isn’t wrong: should they limit activity on a pure cost basis, AWS could be cutting off a legitimate surge in demand for whatever service it’s providing for. But then, AWS sells a Machine Learning-enhanced add-on service, “Cost Anomaly Detection”, exactly to “identify anomalous spend and root causes,” so users can “quickly take action” whenever those situations arise. It somehow feels like that should be included in any customer-friendly environment.