North Korea-Linked Hackers Target Crypto Supply Chain in Coordinated Campaign A sophisticated cyberattack campaign, attributed to North Korea-linked threat actors, has targeted multiple layers of the cryptocurrency supply chain, compromising staking platforms, exchange software providers, and exchanges themselves. The operation, uncovered in January 2026, resulted in the theft of proprietary source code, private keys, and cloud-stored secrets, marking one of the most calculated intrusions in the crypto sector in recent months. The attackers employed two distinct intrusion methods: exploiting CVE-2025-55182, a vulnerability in the React2Shell framework, to breach crypto staking platforms, and leveraging stolen AWS access tokens to bypass initial exploitation and directly infiltrate cloud infrastructure. Researchers at Ctrl-Alt-Intel gained rare insight into the attackers’ operations after discovering exposed open directories containing shell history logs, archived source code, and tool configurations, revealing the full scope of the campaign. Among the stolen assets were .env files containing hardcoded private keys for Tron blockchain wallets, with blockchain records showing 52.6 TRX transferred during the exploitation window though it remains unclear whether the North Korea-linked actors or another threat group executed the transfer. Additionally, compromised Docker container images from a cryptocurrency exchange contained hardcoded database credentials, internal configurations, and proprietary exchange logic, aligning with North Korea’s documented strategy of pre-positioning for large-scale crypto theft. In the AWS-focused phase, the attackers conducted broad enumeration of EC2 instances, RDS databases, S3 buckets, Lambda functions, and EKS clusters, using grep searches to extract sensitive files like .pem, .key, and .ppk credentials. They also downloaded Terraform state files, which often store infrastructure secrets, and pivoted into Kubernetes clusters by updating kubeconfig files. Once inside, they exfiltrated ConfigMaps, Kubernetes Secrets, and Docker container images in plaintext. For command-and-control, the threat actors deployed VShell on port 8082 and used FRP as a tunneling proxy over port 53 (DNS), evading standard network monitoring. Connections to their primary VPS were routed over IPv6, further bypassing detection tools designed for IPv4 traffic. The campaign underscores the attackers’ meticulous planning and deep access to critical crypto infrastructure.