Darktrace finds AI gateway with Amazon Bedrock access hijacked for cryptomining
What happened
Darktrace uncovered a cloud intrusion where a compromised AI gateway linked to Amazon Bedrock was hijacked to mine cryptocurrency. The gateway ran on an Amazon Elastic Compute Cloud (EC2) instance called “LiteLLM-Proxy” using open-source LiteLLM software. Attackers gained control of this proxy, which had authorized access to Amazon Bedrock, allowing them to leverage AI infrastructure for illicit cryptomining operations.
Why it matters
This breach exposes a new attack surface in AI cloud deployments. Gateways with access to managed AI services like Amazon Bedrock can be repurposed for resource-heavy tasks like cryptomining if compromised. For cloud operators and builders, it raises the stakes on securing AI infrastructure components, especially proxies or middleware that connect to native AI services. Cryptomining drives up cloud costs and strains capacity, not to mention the security risks of unauthorized access to sensitive AI resources.
What to watch next
Watch for increased scrutiny on AI gateway security and tighter controls around cloud AI service credentials. Providers and operators will need stronger authentication and monitoring for AI service access points to prevent similar hijacks. This case also points to potential regulatory interest in policing cryptocurrency mining on cloud resources due to its hidden costs and risks. Teams running hybrid AI workloads should audit exposed backend systems for cryptomining footprints and anomalous activity.
AI Quick Briefs Editorial Desk