PANews reported on March 9th that security research firm Ctrl-Alt-Intel disclosed a group of hackers, suspected to be linked to North Korea, who launched attacks against staking platforms, exchange software vendors, and cryptocurrency exchanges. The attackers exploited the React2Shell vulnerability (CVE-2025-55182) and stolen AWS credentials to infiltrate cloud environments, stealing information from S3, EC2, and other resources, and extracting keys from Secrets Manager, Terraform files, Kubernetes configurations, and Docker containers.

Hackers downloaded five Docker images and stole their source code, involving ChainUp customer software components. The attacking server is located in South Korea (64.176.226[.]36) and uses the domain itemnania[.]com. The attribution confidence is currently medium, and the source of the AWS credentials is not yet clear.