Security firm: Suspected North Korean hacking group coordinates attacks on cryptocurrency companies to steal keys and cloud assets.
CoinFeed reported on March 9th that security research firm Ctrl-Alt-Intel disclosed a hacking group, suspected to be linked to North Korea, that launched attacks against staking platforms, exchange software vendors, and cryptocurrency exchanges. The attackers used a React2Shell vulnerability (CVE-2025-55182) and stolen AWS credentials to infiltrate cloud environments, stealing information about S3, EC2, and other resources, and extracting keys from Secrets Manager, Terraform files, Kubernetes configurations, and Docker containers. The hackers downloaded five Docker images and stole their source code, including ChainUp client software components. The attack server was located in South Korea (64.176.226[.]36) and used the domain itemnania[.]com.