Overview
A massive cryptojacking campaign exploits DevOps APIs, targeting CI/CD pipelines and cloud-native environments across the globe. Cybersecurity researchers have uncovered a sophisticated scheme in which attackers infiltrate misconfigured APIs and use compromised environments to mine cryptocurrency—silently draining computing resources from thousands of businesses.
Key Facts
- Attackers abuse DevOps tools like Docker, Jenkins, and GitLab CI/CD.
- Cryptojacking malware uses open-source miners like XMRig.
- Campaign impacts cloud-native and containerized infrastructures.
- Targets include companies in North America, Europe, and Asia.
- Exploits unauthenticated APIs and exposed secrets.
- Some clusters mined Monero for over six months undetected.
- First spotted in Q2 2025 and still ongoing.
- Malware avoids detection by mimicking legitimate workloads.
What’s Verified and What’s Still Unclear
✅ Verified
- Attackers use automated tools to scan for exposed DevOps APIs.
- Infected systems run cryptominers disguised as build jobs.
- Some IP addresses are tied to known threat actor infrastructure.
- API tokens and credentials were exfiltrated from Jenkins and GitHub repos.
❓ Still Unclear
- The exact number of affected organizations.
- Attribution to a specific state-sponsored or criminal group.
- Whether data exfiltration occurred alongside mining.
Timeline of Events
- March 2025: Researchers detect unusual CPU usage in cloud CI/CD environments.
- April 2025: Cryptominers linked to misconfigured Jenkins and GitLab pipelines.
- May 2025: Cloud security firms confirm this is a coordinated cryptojacking campaign.
- June 2025: Additional reports emerge of infections via Docker API and exposed GitHub tokens.
- June 20, 2025: Multiple cybersecurity vendors issue joint advisory.
Who’s Behind It?
While no threat actor has been definitively identified, some indicators suggest links to known cryptojacking groups like TeamTNT and WatchDog. Both groups have previously exploited cloud services, using similar TTPs (Tactics, Techniques, and Procedures). IP addresses and malware hashes show overlap with past campaigns, but attribution remains unconfirmed.
Public & Industry Response
Cloud providers, including AWS, Azure, and Google Cloud, have released alerts urging users to tighten API security. Security firms like Palo Alto Networks and Aqua Security published detection rules and forensic guidance. Social media buzz shows growing concern among DevOps professionals, who are re-evaluating their API exposure and access controls.
What Makes This Attack Unique?
What sets this campaign apart is its stealth, scale, and speed. Instead of attacking traditional endpoints, threat actors abuse the automation backbone of the software industry: DevOps tools. By embedding cryptominers in build agents or CI/CD jobs, attackers evade conventional security monitoring. The infected workloads look like legitimate build tasks, making anomalous behavior hard to distinguish from normal pipeline activity.
Understanding the Basics
What is Cryptojacking?
Cryptojacking is the unauthorized use of someone’s computing power to mine cryptocurrency. It usually happens silently, without damaging data, but leads to performance degradation, high cloud costs, and potential reputational damage.
Why DevOps APIs?
APIs in DevOps tools enable automation but are often left unsecured or over-permissive. This makes them attractive entry points for attackers. DevOps APIs, if unauthenticated or exposed, can allow direct access to infrastructure controls, code repositories, and deployment agents.
What Happens Next?
With this cryptojacking campaign still active, organizations must immediately audit their DevOps pipelines and API configurations. Expect more threat intelligence reports, detection signatures, and possibly attribution as investigations continue.
Security professionals should monitor their CI/CD environments for:
- Abnormal CPU spikes
- New or unrecognized build jobs
- Outbound connections to crypto mining pools
- Unauthorized API access logs
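As an added example (not code from the researchers or vendors cited above), the following Python script applies three of those four checks to constructed CI-agent log lines: sustained CPU load, job names missing from the pipeline allow-list, and egress to mining-pool-like endpoints; API access auditing depends on each tool's own audit log and is not covered. The job allow-list, the stratum port list and the pool host-name pattern are assumptions, not published indicators.

```python
import re
from collections import defaultdict

# Constructed sample: one CI-agent sample per line,
# "<timestamp> <job-name> <cpu%> <dst-host>:<dst-port>".
SAMPLE_LOG = """\
2025-06-20T10:00:01 build-frontend 35 registry.ci.internal:443
2025-06-20T10:00:11 build-frontend 41 registry.ci.internal:443
2025-06-20T10:00:21 kube-proxy-sync 97 pool.xmr-placeholder.invalid:4444
2025-06-20T10:00:31 kube-proxy-sync 99 pool.xmr-placeholder.invalid:4444
2025-06-20T10:00:41 test-backend 88 artifacts.ci.internal:443
2025-06-20T10:00:51 test-backend 12 artifacts.ci.internal:443
"""

# Assumed allow-list: the job names actually defined in the pipeline config.
KNOWN_JOBS = {"build-frontend", "test-backend", "deploy-staging"}
# Heuristics (assumptions, not a vendor rule set): ports commonly used by
# stratum mining pools, and host-name fragments typical of pool endpoints.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
POOL_HOST_RE = re.compile(r"(^|\.)(pool|xmr|monero|mine)[\w-]*\.", re.I)
CPU_THRESHOLD = 90   # percent
CPU_MIN_SAMPLES = 2  # consecutive high samples, so a single burst is ignored

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) ([^:\s]+):(\d+)$")

def analyze(log_text):
    """Return {job: sorted findings} for every job that trips any check."""
    cpu_high = defaultdict(int)   # consecutive high-CPU samples per job
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, job, cpu, host, port = m.groups()
        if job not in KNOWN_JOBS:
            findings[job].add("unknown-job")
        if int(cpu) >= CPU_THRESHOLD:
            cpu_high[job] += 1
            if cpu_high[job] >= CPU_MIN_SAMPLES:
                findings[job].add("sustained-cpu")
        else:
            cpu_high[job] = 0  # reset: the load was not sustained
        if int(port) in STRATUM_PORTS or POOL_HOST_RE.search(host):
            findings[job].add("mining-pool-egress")
    return {job: sorted(f) for job, f in findings.items()}

if __name__ == "__main__":
    for job, flags in analyze(SAMPLE_LOG).items():
        print(f"{job}: {', '.join(flags)}")
```

A job that trips all three checks at once, as kube-proxy-sync does in the sample, is the pattern the campaign above relies on: an unrecognised job name, pegged CPU, and a stratum-style egress.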
Cloud platforms are expected to enforce stricter defaults around public API exposure, and tool vendors may introduce built-in cryptojacking detection features.
Summary
The cryptojacking campaign exploiting DevOps APIs serves as a stark reminder of the evolving attack surface in modern software development. By hijacking cloud-native pipelines, attackers can operate at scale, invisibly and efficiently. Organizations must act fast—reviewing API security, enforcing least privilege, and enabling runtime threat detection to avoid becoming part of a hacker’s mining rig.