Skip to main content

An Amazon crypto scam left its victim with a $45,000 bill

What’s on your wish list this holiday season? We’d hazard a guess that it does not include a $45,000 bill caused by your Amazon Web Services (AWS) account getting hacked. Yet that’s exactly what happened to one unfortunate soul this December.

Jonny Platt, founder of SEO Scout, was the unlucky recipient of this most unwelcome Christmas gift. As detailed on Twitter, Platt woke up one morning to find their AWS account had been hijacked and had been mining the Monero cryptocurrency for the past several weeks. The resulting charge was that eye-watering $45,000 fee.

Cryptocurrency mining rig from computer graphic cards
Getty Images

The hack was not particularly advanced, and worked by installing a mining script that ran on the AWS Lambda platform. Every three minutes, it would install itself in a different Lambda instance and continue mining for 15 minutes at a time (the maximum allowed on Lambda). That allowed it to operate concurrently on several Lambda instances, maximizing its crypto harvesting.

At least, that’s what you would think. But it turns out that all that effort — and that enormous bill Platt was faced with — only managed to mint six XMR (the code for Monero coins). The total dollar value? A paltry $800.

Getting an $800 return on your $45,000 investment doesn’t exactly seem like a sound business plan. But when you’re getting someone else to foot the bill without them even realizing, problems like that don’t really matter.

🎄 Excited to announce I just received my Christmas present from @awscloud!

😱 Horrified to see it's $45,000 in charges due to some scammer hacking my account + mining Crypto for the last few weeks

⏰ Had no sleep last night. It's now 23 hrs since my support ticket & no reply.

— Jonny Platt (@jonnyplatt) December 14, 2021

As Platt pointed out, what’s worse is that the scam could have been easily spotted by Amazon. The mining script was an unencrypted plain text file, so all AWS needed to do was scan for certain well-known lines in its code that are used by other similar hacks — Platt gave the example of “xmrig” — to get suspicious and suspend the script. Apparently, that never happened.

In the end, it took Amazon 27 hours to reply to Platt’s complaint. Considering the incredible increase in Platt’s monthly AWS spend (150,000%, he estimates), that’s a long time to wait for help. And despite the lengthy wait time, Platt says there’s still no solution — AWS is monitoring his account for 24 hours, after which, the case will be sent to the billing department for review, which he believes can take several days. A quick fix, it ain’t.

Amazon finally called after 27 hrs, no doubt thanks to the attention this got.

The agent was kind, but AWS' processes means I must wait another 24hrs of 'monitoring' before the case is sent to billing 'for review', which can take days

Knowing I'm not alone really helps, thanks

— Jonny Platt (@jonnyplatt) December 14, 2021

If you’re an AWS customer, this whole saga should serve as a reminder to check your settings and ensure your account is secure. And it doesn’t hurt to keep an eye on your bank balance for any suspicious outgoings. As cryptocurrencies continue to grow — and GPU makers release more graphics cards aimed at miners — this kind of scam could become all too common.

Editors' Recommendations