AI Gateway Connected to Amazon Bedrock Hijacked for Cryptomining

https://hackread.com/wp-content/uploads/2026/07/ai-gateway-amazon-bedrock-hijacked-cryptomining-1.jpg

An Amazon EC2 instance running LiteLLM and connected to Amazon Bedrock was compromised and used for cryptomining, according to new research from Darktrace. In this case, the mined cryptocurrency was Monero (XMR).

The company said the EC2 instance, named “LiteLLM-Proxy,” appeared to operate as an AI gateway and had an instance profile with access to Amazon Bedrock resources. That role made the host more valuable than a typical compute server because AI gateways can handle authentication, model routing, prompts, logs, policy controls, and cloud permissions.

The incident began with a familiar cloud security problem. Port 22 on the instance was open to 0.0.0.0/0, leaving SSH accessible from the public internet. Before the mining activity started, Darktrace observed a high volume of short inbound connection attempts, mainly from the IP address 145.241.123(.)102.

Many of those sessions lasted only a few seconds, which was consistent with scanning or failed login attempts. Darktrace...

Copyright of this story solely belongs to hackread.com. To see the full text click HERE

Read more