An Amazon EC2 instance running LiteLLM and connected to Amazon Bedrock was compromised and used for cryptomining, according to new research from Darktrace. In this case, the mined cryptocurrency was Monero (XMR).
The company said the EC2 instance, named “LiteLLM-Proxy,” appeared to operate as an AI gateway and had an instance profile with access to Amazon Bedrock resources. That role made the host more valuable than a typical compute server because AI gateways can handle authentication, model routing, prompts, logs, policy controls, and cloud permissions.
The incident began with a familiar cloud security problem. Port 22 on the instance was open to 0.0.0.0/0, leaving SSH accessible from the public internet. Before the mining activity started, Darktrace observed a high volume of short inbound connection attempts, mainly from the IP address 145.241.123.(.)102
Many of those sessions lasted only a few seconds, which was consistent with scanning or failed login attempts. Darktrace could not confirm that an SSH login succeeded, but the exposed service, repeated connection attempts, malware download, and later mining traffic made SSH a plausible route into the host.
The compromised instance later downloaded 3.42 MB of data over HTTP from 185.62.1(.)8. Darktrace said the endpoint appeared to host a ZIP archive containing XMRig, a widely used cryptocurrency miner.
Minutes after that download, the EC2 instance began connecting repeatedly to pool.hasvault(.)pro over HTTPS on port 443. The repeated outbound traffic matched activity associated with a mining pool, where infected systems receive computational work and return results.
According to Darktrace’s technical report shared with Hackread.com ahead of publishing on Thursday, its monitoring systems classified the behavior as high-priority cryptocurrency mining, and its SOC escalated the incident to the customer. The host was later shut down.
However, the miner itself was not the most serious part of the case. The affected system appeared to sit between applications and Amazon Bedrock, giving it a role in AI access as well as ordinary cloud operations. A compromise of such a gateway could expose credentials, model permissions, prompts, logs, and connected application workflows, depending on how the environment is configured.
A separate series of suspicious AWS identity events appeared the following day, though Darktrace found no evidence proving that the activity was connected to the compromised LiteLLM host.
Jason Soroko, senior fellow at certificate lifecycle management provider Sectigo, said the incident shows why AI gateways should be treated as privileged cloud infrastructure.
“What stands out is the asset, not the miner. A LiteLLM proxy connected to Amazon Bedrock turned a routine cloud compromise into a warning about AI infrastructure,” Soroko said.
“These gateways are becoming brokers for identity, model access, prompts, logs, and policy. Organizations should close public administrative access, remove long-term keys where possible, limit IAM permissions, and monitor model activity alongside workload and control-plane events.”

