Investigating Suspected DPRK-Linked Crypto Intrusions
ID: 5000cc38-096c-5de3-857a-604da5baab97
STIX ID: report--5000cc38-096c-5de3-857a-604da5baab97
Feed Name: Ctrl-Alt-Int3l
This report details a focused campaign against multiple tiers of the cryptocurrency supply chain in which a threat actor mass-scanned and exploited React2Shell vulnerabilities and used pre-obtained AWS credentials to enumerate S3, ECR, EKS, RDS, Lambda and Secrets Manager, pivot into Kubernetes, and exfiltrate proprietary exchange source code, Docker images, and secrets. The authors provide MITRE ATT&CK mappings, IOCs (IPv4/IPv6/domain), command examples observed in logs and histories, and assess with moderate confidence a possible DPRK affiliation based on tradecraft, targeting, and infrastructure.
