high

Kubernetes RBAC Exploited for Cryptomining: 2,000+ Clusters Hit

Over 2,000 Kubernetes clusters compromised through RBAC misconfigurations. Attackers deploy cryptominers via default service accounts. Check your clusters now.

By Danny Mercer, CISSP — Lead Security Analyst, Mar 22, 2026

Executive Summary

Aqua Security tracked a campaign compromising 2,000+ Kubernetes clusters via RBAC misconfigurations. No software vulnerability—just overprivileged service accounts granting cluster-admin access.

Technical Analysis

Attackers create backup service accounts with admin roles for persistence. The miners limit themselves to 30% CPU during business hours and ramp up at night. A custom mining pool proxy obscures the traffic. The campaign is generating ~$500K/month.

Remediation

Audit RBAC configurations. Never bind cluster-admin to default service accounts. Use namespace-scoped permissions. To list what the default service account in the default namespace is allowed to do, run: kubectl auth can-i --list --as=system:serviceaccount:default:default
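
An added example (not from the original article or from Aqua Security): a Python audit that applies the remediation advice above to the JSON produced by kubectl get clusterrolebindings,rolebindings -A -o json. It flags cluster-admin bound to default service accounts, goes slightly beyond the text by also flagging the system:serviceaccounts groups that contain them, and lists every other service account holding the role for review; the function names and all sample binding and account names are assumptions.

```python
import json
import sys

# Constructed sample, shaped like the output of
#   kubectl get clusterrolebindings,rolebindings -A -o json
# All binding and account names below are made up for illustration.
def _b(kind, name, role, subjects, ns=None):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": subjects}

SAMPLE = {"items": [
    _b("ClusterRoleBinding", "legacy-dashboard", "cluster-admin",
       [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]),
    _b("ClusterRoleBinding", "example-backup", "cluster-admin",
       [{"kind": "ServiceAccount", "name": "example-backup-sa", "namespace": "kube-system"}]),
    _b("RoleBinding", "ci-all", "cluster-admin",
       [{"kind": "Group", "name": "system:serviceaccounts:build"}], ns="build"),
    _b("ClusterRoleBinding", "viewers", "view",
       [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]),
    _b("ClusterRoleBinding", "empty", "cluster-admin", None),
]}

def audit(binding_list, role="cluster-admin"):
    """Return sorted (severity, scope, binding, subject) tuples for `role`."""
    findings = []
    for b in binding_list.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        meta = b["metadata"]
        # A RoleBinding to cluster-admin grants full control of one namespace only.
        scope = meta.get("namespace", "cluster-wide")
        for s in b.get("subjects") or []:  # subjects may be absent or null
            kind, name = s.get("kind"), s.get("name", "")
            if kind == "ServiceAccount":
                who = f"system:serviceaccount:{s.get('namespace', '?')}:{name}"
                # Default accounts are HIGH; others need an owner to vouch for them.
                sev = "HIGH" if name == "default" else "REVIEW"
            elif kind == "Group" and name.startswith("system:serviceaccounts"):
                who, sev = name, "HIGH"  # these groups include default accounts
            else:
                continue  # users and other groups are out of scope here
            findings.append((sev, scope, f"{b['kind']}/{meta['name']}", who))
    return sorted(findings)

if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run with no input to see the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit(data):
        print(*finding, sep="\t")
```

REVIEW entries are where a backup admin account created for persistence would show up, so each one should map to a known owner and deployment.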
