All client identifiers have been anonymised. Timeframes and technical findings reflect the investigation record.
Containing a Multi-Cloud Intrusion and Cryptocurrency Theft by APT Actor UNC5174 at a Hong Kong-Based Securities Firm from May to August 2025
CHALLENGE
A digital heist, not “just” an intrusion
This incident was discovered as money moving — not as an alert on a laptop. The firm observed suspicious wallet whitelisting through a non-standard process, followed by cryptocurrency transfers triggered through an AWS-hosted API. The immediate risk was obvious: if the attacker still had access, more funds could be siphoned at speed.
Leadership needed answers that were both fast and defensible:
- How did the attacker get into the environment?
- Which systems and credentials were compromised?
- Was the attacker limited to one server, or had they spread across platforms?
- What controls would prevent the same criminals from coming back?
Multi-cloud sprawl increased uncertainty
The attacker’s activity did not stay confined to a single machine or platform. Evidence indicated deployment of a remote backdoor across multiple servers and environments, expanding the investigation from a single incident to an ecosystem problem: who had keys, where those keys lived, and what they could reach.
When credentials and API keys are exposed, impact multiplies
Once inside, the intruder’s advantage compounds: credentials lead to more systems, and configuration artefacts can expose even more access. In this case, exposed application credentials and third-party API keys significantly increased the attacker’s ability to expand beyond the initial compromise and target higher-value services.
A second wave signalled persistence
Weeks later, follow-on activity suggested the attacker was attempting to re-establish or extend access. Even where that activity was disrupted, it increased urgency: removing a backdoor is not enough if the secrets and pathways the attacker used remain unchanged.
SOLUTION
Rapid triage focused on stopping financial loss
Blackpanda’s incident responders prioritised actions that reduce immediate harm:
- Supported scoping of the compromised API pathway and associated credentials
- Guided isolation steps to cut off attacker access routes while preserving evidence
- Identified which identities and secrets needed urgent rotation (API keys, application credentials, privileged accounts)
Reconstructing the attack chain across environments
Blackpanda reconstructed the intrusion as an end-to-end narrative, separating what was provable from what was plausible:
- Initial foothold (assessed): Likely exploitation of an out-of-date job scheduler deployment used for command execution, alongside indications of perimeter exposure that increased risk of remote access and code execution
- Command and control: Deployment of Vshell backdoor variants to maintain remote control and persistence
- Credential access: Evidence of credential theft activity consistent with attackers harvesting secrets to expand reach
- Expansion: Targeting additional systems after acquiring internal service intelligence and exposed credentials from configuration artefacts
Identifying the “multiplier”: exposed application secrets
The investigation highlighted a critical escalation point: cached configuration artefacts exposed sensitive credentials (including database logins and third-party API keys). This allowed the attacker to expand impact beyond the first compromised server and reach higher-value systems more directly.
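The escalation point described above is straightforward to audit for. The following is an added example (not Blackpanda's or the client's code) that scans configuration artefacts for embedded database logins, URL-embedded passwords and API keys and reports them redacted; the file paths and contents are constructed for illustration.

```python
"""Audit configuration artefacts for embedded credentials.
Added example; SAMPLE_ARTEFACTS are constructed, not from the investigation."""
import re
from typing import Dict, List, Tuple

# Constructed artefact contents keyed by a hypothetical path.
SAMPLE_ARTEFACTS = {
    "cache/config.php": "return ['db' => ['host' => 'db.internal', 'username' => 'app', "
                        "'password' => 'Corr3ctHorse!'],\n 'mail' => ['driver' => 'smtp']];",
    "deploy/.env.cached": "APP_ENV=production\n"
                          "DATABASE_URL=postgres://app:s3cret-pw@db.internal:5432/ledger\n"
                          "THIRD_PARTY_API_KEY=EXAMPLE-KEY-0123456789abcdef\nLOG_LEVEL=info\n",
    "app/settings.yaml": "timezone: Asia/Hong_Kong\nretries: 3\n",
}

# Sensitive key names in key=value, 'key' => 'value' and key: value form.
SENSITIVE_KEY = re.compile(
    r"""['"]?(?P<key>[A-Za-z0-9_.-]*(?:password|passwd|secret|api[_-]?key|token)[A-Za-z0-9_.-]*)"""
    r"""['"]?\s*(?:=>|[=:])\s*['"]?(?P<val>[^'",\s\]]+)""",
    re.IGNORECASE)
# Connection strings that carry a password in the authority part (scheme://user:pw@host).
URL_CREDS = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@(?P<host>[^/\s:]+)",
    re.IGNORECASE)

def redact(value: str) -> str:
    """Keep two characters at each end so findings can be matched to a rotation ticket."""
    return value[:2] + "*" * max(len(value) - 4, 1) + value[-2:] if len(value) > 4 else "*" * len(value)

def scan_artefact(path: str, text: str) -> List[Tuple[str, str, str]]:
    """Return (path, kind, redacted_value) findings; the secret itself is never returned."""
    findings = []
    for m in SENSITIVE_KEY.finditer(text):
        findings.append((path, f"key:{m.group('key')}", redact(m.group("val"))))
    for m in URL_CREDS.finditer(text):
        findings.append((path, f"url-credential:{m.group('scheme')}@{m.group('host')}",
                         redact(m.group("pw"))))
    return findings

def audit(artefacts: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Scan every artefact; each finding is a credential that needs rotation and relocation."""
    out = []
    for path, text in artefacts.items():
        out.extend(scan_artefact(path, text))
    return out

if __name__ == "__main__":
    for path, kind, value in audit(SAMPLE_ARTEFACTS):
        print(f"{path}: {kind} = {value}")
```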
Second-wave disruption and re-entry prevention
Blackpanda assessed follow-on activity consistent with re-entry attempts and helped drive containment steps focused on preventing recurrence:
- Accelerated credential and key rotation plans
- Reduced the probability of repeat compromise by hardening perimeter access paths
- Strengthened monitoring and logging guidance so future anomalies are detected earlier and investigated with fewer blind spots
Hardening roadmap tied to what the criminals actually used
Recommendations were structured around breaking the attacker’s proven playbook:
- Patch and harden exposed services (especially job schedulers and management interfaces)
- Tighten firewall and VPN exposure, disable risky access pathways, and restrict inbound management access
- Adopt stronger secrets management to avoid plaintext or cached credentials in configuration artefacts
- Implement least privilege for cloud IAM, API keys, and service accounts
- Improve log retention and centralisation across cloud and critical servers to reduce investigation blind spots
For organisations that want ongoing visibility beyond a single incident, consider managed detection and response and incident response readiness. For investigation and recovery support, see digital forensics and incident response.
RESULTS
A defensible timeline and scope narrative for decision-makers
The firm received a structured narrative that connected:
- Discovery of wallet whitelisting and unauthorised cryptocurrency transfers triggered through an AWS API
- The attacker’s foothold and persistence mechanisms
- How compromised secrets and configuration exposures expanded access
- The second-wave activity and why it mattered
This enabled leadership to make decisions based on evidence, not panic.
Reduced repeat-theft risk through credential and access containment
By focusing on access paths — APIs, keys, and privileged credentials — the response reduced the likelihood of further losses and re-entry using the same methods.
Clear remediation priorities that match attacker tradecraft
Rather than generic security advice, the engagement produced a practical hardening plan tied to what was actually abused: exposed services, remote access pathways, secret handling, and multi-cloud visibility.
A lesson that generalises to every cloud-connected business
Attackers do not need ransomware to inflict catastrophic business damage. If they can steal secrets and reach financial workflows, they can rob you quietly. If you need help urgently, explore ransomware response for broader incident response capability beyond encryption events.
FAQ: Cryptocurrency theft, API abuse, and multi-cloud incident response
Q1. How did the attacker get initial access?
The investigation assessed initial access was likely enabled by an out-of-date internet-exposed service that could be abused for remote command execution, combined with perimeter exposure that increased the chance of attacker access and code execution.
Q2. Why is API abuse so dangerous in financial incidents?
APIs can have the privileges to move assets quickly. If attackers obtain API credentials, they can trigger legitimate-looking transactions at machine speed while blending into normal service activity.
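The two signals that surfaced this incident (a wallet whitelisted outside the normal approval process, then transfers to it through the API) can be checked automatically. The following is an added example, not code from the investigation: it runs over constructed audit-log records whose field names, actor names and the idea of an approved whitelisting source are assumptions.

```python
"""Flag wallet whitelisting outside the approval workflow and transfers to wallets
that are untrusted or freshly whitelisted. Added example over constructed records."""
from datetime import datetime, timedelta

# Constructed audit events (not from the investigation); timestamps are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"ts": "2025-05-10T09:01:00", "action": "whitelist_add", "wallet": "addr-A",
     "actor": "ops-approval-svc", "source": "approval-workflow"},
    {"ts": "2025-05-12T09:03:00", "action": "transfer", "wallet": "addr-A", "amount": 1.0,
     "actor": "treasury-api", "source": "api"},
    {"ts": "2025-05-12T22:14:00", "action": "whitelist_add", "wallet": "addr-Z",
     "actor": "svc-account-7", "source": "direct-api-call"},
    {"ts": "2025-05-12T22:16:00", "action": "transfer", "wallet": "addr-Z", "amount": 50.0,
     "actor": "svc-account-7", "source": "api"},
]

APPROVED_SOURCES = {"approval-workflow"}   # assumed name of the legitimate approval path
RECENT_WINDOW = timedelta(hours=24)        # cooling-off period before a new wallet may receive funds

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def detect(events, approved_sources=APPROVED_SOURCES, window=RECENT_WINDOW):
    """Return alert strings, processing events in time order."""
    alerts = []
    whitelisted_at = {}  # wallet -> (time whitelisted, via approved path?)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        if ev["action"] == "whitelist_add":
            trusted = ev["source"] in approved_sources
            whitelisted_at[ev["wallet"]] = (ts, trusted)
            if not trusted:
                alerts.append(f"WHITELIST_BYPASS wallet={ev['wallet']} "
                              f"actor={ev['actor']} source={ev['source']}")
        elif ev["action"] == "transfer":
            info = whitelisted_at.get(ev["wallet"])
            if info is None:
                alerts.append(f"TRANSFER_TO_UNLISTED wallet={ev['wallet']} actor={ev['actor']}")
                continue
            added, trusted = info
            # A transfer to an untrusted or just-added wallet is the theft pattern to stop.
            if not trusted or ts - added < window:
                alerts.append(f"TRANSFER_TO_FRESH_WALLET wallet={ev['wallet']} "
                              f"age={ts - added} trusted={trusted} amount={ev['amount']}")
    return alerts

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The approved transfer to addr-A produces no alert; the out-of-process whitelisting of addr-Z and the transfer two minutes later each do.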
Q3. What is Vshell, and why does it matter?
Vshell is a remote access backdoor that can provide ongoing control, persistence, and command execution. Once deployed, it turns a one-time intrusion into an ongoing risk until fully eradicated and access is re-secured.
Q4. How do attackers expand beyond the first compromised server?
Credential theft and exposed secrets are common accelerators. If application credentials or third-party API keys are stored insecurely (including in cached configuration artefacts), attackers can pivot into other systems without needing new exploits.
Q5. What are the fastest controls that reduce repeat risk after a theft event?
Rotate keys and credentials immediately, enforce least privilege for API and cloud accounts, patch and restrict exposed services, harden VPN and firewall access, and improve log retention and centralised monitoring for earlier detection.
What this means for you
Financially motivated intrusions are crime stories — because they are crimes. If your organisation runs money-moving workflows through APIs, or stores sensitive application secrets where attackers can scrape them, one compromise can become a theft event before anyone realises a “breach” has happened.
Blackpanda’s incident responders help teams validate scope fast, cut off attacker access, and harden the exact routes criminals used — so the next suspicious transaction is stopped before it escalates.