
Enterprise AI infrastructure is inheriting cloud compute’s oldest threat vector. Darktrace’s incident analysis of a June 12, 2026 compromise shows opportunistic cryptominers now targeting AI gateways through internet-facing SSH brute-force attacks — the same credential attacks that have hit exposed EC2 instances for years. AI gateway security posture is the real question raised. The compromised host held privileged access to Amazon Bedrock, AWS’s managed service for hosting foundation models, and the Identity and Access Management (IAM) permissions to call model inference APIs at scale.
How Darktrace’s LiteLLM-Proxy Instance Was Compromised
The compromised host was an AWS EC2 instance named LiteLLM-Proxy. LiteLLM is an open-source proxy that centralizes access to multiple large language models, letting organizations route requests from applications to different foundation models through a single API layer. In this deployment, the instance was internet-exposed over SSH with port 22 open to 0.0.0.0/0 — the same misconfiguration that has fueled cloud cryptomining campaigns for nearly a decade.
Darktrace, the UK-based AI cybersecurity firm, observed the attack unfold in three stages. Before the compromise, a high volume of short-lived inbound connections arrived from 145.241.123[.]102, consistent with automated SSH brute-force scanning. Once the attacker gained access, the instance began issuing a large volume of DNS requests to known cryptomining domains, followed by persistent beacon-like outbound TCP connections to those same domains. The final stage was sustained cryptomining: persistent connections to cryptocurrency mining infrastructure running on compute the attacker had already converted. Darktrace’s behavioral AI detected the network anomalies and escalated through Enhanced Monitoring and Managed Threat Detection before the activity could extend further.
Why the Attack Surface Matters More Than the Payload
Cryptomining is the least harmful outcome for an attacker who controls an AI gateway. That is the operationally consequential read of this incident — and the part the attacker’s payload choice obscures.
AI gateways like LiteLLM aggregate three classes of privileged access into a single instance. They hold the credentials required to call foundation models at scale. They carry the IAM permissions their role grants them — in this case, access to Amazon Bedrock model inference APIs. They sit upstream of every application workflow that routes AI requests through them, giving an attacker visibility into prompts, responses, and the application logic that generates both. An attacker who controls this layer does not need to compromise downstream applications. The gateway itself is the control point.
Organizations are deploying AI orchestration components — gateways, proxy layers, agent frameworks — at migration speed. The tendency is to treat these components as application tier rather than privileged access infrastructure. As we previously reported on how threat actors exploit generative AI, the deployment-to-security gap is not new. What is new is the attack surface the gap now exposes. AI gateway security requires the same hardening posture applied to production databases and identity systems — not the lighter posture applied to a web application.
The Darktrace framing presents this as a cryptomining incident. The operationally consequential framing is a lateral-movement incident that stopped early. Cryptomining generates visible DNS and TCP signatures. Credential exfiltration from the IAM role, model inference abuse, or prompt data harvesting would not generate the same signal. The next attacker with the same access may not announce themselves with mining-pool connections.
Three Controls That Raise AI Gateway Security Against Credential Attacks
The Darktrace incident points at three specific gaps where AI gateway deployments fall short of the hardening standard applied to production identity infrastructure. Each gap was present in the June 12 compromise.
Close internet-facing SSH on AI gateway instances – Port 22 open to 0.0.0.0/0 was the entry point in this incident. Replace direct SSH access with VPN or bastion-host access, enforce key-based authentication with no password fallback, and apply security groups that restrict inbound connections to known management IP ranges. The LiteLLM-Proxy instance had none of these controls when it was targeted.
Apply least-privilege IAM scoping to AI gateway roles – The IAM role attached to the compromised instance had access to Amazon Bedrock model inference APIs. Scope that access to the minimum set of models the application actually calls, with explicit deny statements blocking unused Bedrock actions and regions. An attacker who inherits overly broad IAM permissions from a compromised AI gateway can invoke foundation model APIs at scale — incurring cost, exfiltrating data, or generating content under the victim organization’s account.
Monitor AI gateway network behavior as privileged infrastructure – Darktrace detected this incident through behavioral anomaly detection on outbound connections. Log and alert on anomalous outbound DNS volume, connections to non-approved external destinations, and spikes in model inference API calls. The LiteLLM-Proxy instance generated clear network signals before the cryptomining payload ran at scale. The same EC2 instance commandeered for cryptomining on June 12 held IAM credentials to call Amazon Bedrock on the organization’s account. An unmonitored AI gateway with similar permissions may not generate a detectable signal until the billing cycle closes — and by then the data has already left. Strong AI gateway security monitoring is not optional when the instance holds cloud identity credentials.
Disclosure: this story was developed from research provided by ICR Technology on behalf of Darktrace.
Join our LinkedIn group Information Security Community!

















