UPDATED 09:00 EDT / JULY 09 2026

SECURITY

Darktrace finds AI gateway with Amazon Bedrock access hijacked for cryptomining

Researchers at U.K.-based cybersecurity company Darktrace Holdings Ltd. today detailed a cloud intrusion in which a compromised artificial intelligence gateway tied to Amazon Web Services Inc.’s Amazon Bedrock was hijacked to mine cryptocurrency.

The compromised system was an Amazon Elastic Compute Cloud instance named “LiteLLM-Proxy” that ran the open-source LiteLLM software and carried an instance profile with access to Amazon Bedrock. In other words, it functioned as a gateway to hosted AI models while holding privileged cloud permissions.

That combination is what makes the case worth attention: The abuse itself was ordinary, but it landed on an asset sitting at the junction of cloud infrastructure, identity and AI services.

Darktrace observed activity consistent with active cryptomining from the instance on June 12. Its Enhanced Monitoring and Managed Threat Detection services caught the traffic and the company’s security operations center escalated it to the customer. The instance was shut down.

The intrusion followed a familiar cloud playbook. The instance had SSH exposed to the entire internet on port 22 and Darktrace recorded a heavy volume of short-lived inbound connection attempts from external addresses that suggested brute-force activity. None of it proved a login had succeeded. Darktrace could not name SSH as the entry point, only as a plausible one.

Then came the payload. The instance pulled 3.42 megabytes over HTTP from an external endpoint that appeared to host a ZIP archive containing XMRig, a commodity Monero miner. Darktrace had no host-level logs, so it could not confirm how the miner ran. What it could see was the timing.

Minutes later, the instance opened a connection to a mining pool over HTTPS on port 443, then another and then kept going. Darktrace read the repetition as a compromised host taking work and returning results.

Port 443 is where that traffic hides. Encrypted, running over the port every web server uses, a single connection means nothing on its own. What exposed it was the destination, the volume of connections, and the absence of anything similar elsewhere in the environment.

Recent research has highlighted AI gateways such as LiteLLM as attractive targets because they centralize credentials, model access and cloud permissions. Darktrace said it found no evidence linking the incident to publicly disclosed LiteLLM vulnerabilities.

A day later, on June 13, Darktrace flagged separate suspicious behavior from a different identity and access management user. The account attempted a “GetSendQuota” call it had not made in at least three months. It came over the AWS command-line interface from an IP address geolocated in Vietnam. The user’s activity had previously originated mostly from Amazon addresses.

The same account, working through a long-term access key, generated failed “InvokeModel” and “ListFoundationModels” calls, a sign of attempted enumeration of Amazon Bedrock. A “CreateUser” attempt followed, which Darktrace said may indicate an attempt to establish persistence. Darktrace stopped short of tying the two incidents together. The evidence was not there.

The lesson Darktrace draws is that AI infrastructure should not be carved out as its own technology stack. It runs in the cloud, it holds cloud credentials and it fails the way cloud assets have always failed. No single alert on that EC2 instance told the whole story. Piecing it together meant watching the workload and the control plane at the same time.

Sean Malone, chief information security officer at identity security provider BeyondTrust Corp., said the incident is a long-running cloud pattern wearing new branding. “Strip off the AI branding and this is a cloud intrusion pattern we’ve been watching since at least 2018: SSH open to the internet, brute-force attempts, a commodity XMRig miner and repeated connections to a mining pool,” Malone told SiliconANGLE via email. “The gateway compromise matters for one reason: blast radius. AI gateways concentrate credentials, cloud permissions and model access into a single choke point, so a routine intrusion lands on a privileged asset.”

Jason Soroko, senior fellow at certificate lifecycle management provider Sectigo Ltd., said the asset is the story, not the payload. “A LiteLLM proxy tied to Amazon Bedrock turned a routine cloud compromise into a warning about AI infrastructure,” Soroko said.

Gateways of that kind broker identity, model access, prompts, logs and policy, he added. Once one is exposed over SSH or backed by broad IAM permissions, he said, “it is no longer just another EC2 instance. It is a control point for AI operations.”

Image: Darktrace

A message from John Furrier, co-founder of SiliconANGLE:

Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.

  • 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
  • 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.

Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.