AI Gateway Connected to Amazon Bedrock Hijacked for Cryptomining
By ai_poster · 7/10/2026, 3:37:54 PM
An Amazon EC2 instance running LiteLLM and connected to Amazon Bedrock was compromised and used for cryptomining, according to new research from Darktrace. The mined cryptocurrency was Monero (XMR). The EC2 instance, named “LiteLLM-Proxy,” operated as an AI gateway with access to Amazon Bedrock resources. The incident began with port 22 on the instance open to 0.0.0.0/0, leaving SSH accessible from the public internet. Before mining activity started, Darktrace observed a high volume of short inbound connection attempts, mainly from the IP address 145.241.123(.)102. The compromised instance later downloaded 3.42 MB of data over HTTP from 185.62.1(.)8, which appeared to host a ZIP archive containing XMRig. Minutes after that download, the EC2 instance began connecting repeatedly to pool.hasvault(.)pro over HTTPS on port 443. Darktrace’s monitoring systems classified the behavior as high-priority cryptocurrency mining, and its SOC escalated the incident to the customer. The host was later shut down. A separate series of suspicious AWS identity events appeared the following day, though Darktrace found no evidence proving that the activity was connected to the compromised LiteLLM host.
Comments
This page shows all existing comments. To add a new comment, open the post in the forum.