Why did I receive an Amazon GuardDuty CryptoCurrency:EC2/BitcoinTool.B!DNS finding type for my Amazon EC2 instance?

Last updated: 2022-07-21

Amazon GuardDuty detected a CryptoCurrency finding with my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

The GuardDuty CryptoCurrency:EC2/BitcoinTool.B!DNS finding type indicates that an Amazon EC2 instance in your AWS environment is querying a domain name. The domain name is associated with cryptocurrency-related activity such as Bitcoin mining. If you don't expect this behavior, it might be a result of unauthorized activity on your AWS account.

Resolution

If you use your EC2 instance for cryptocurrency or blockchain activity, this finding type might be expected activity for your environment. In that case, it's a best practice to set up a suppression rule for this finding type, scoped to the instances you expect to show this behavior. For more information and instructions, see CryptoCurrency:EC2/BitcoinTool.B!DNS.

If this activity is unexpected, then follow the instructions to remediate a compromised EC2 instance in your AWS environment.
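As an added example (not code from this article or from AWS), the triage decision described above in Python: it builds the finding criteria for a suppression filter limited to approved instances, using the GuardDuty filter attributes `type` and `resource.instanceDetails.instanceId`, and applies the same criteria to a finding so that any other instance is routed to remediation. The instance IDs and the sample finding are constructed values.

```python
"""Triage a GuardDuty CryptoCurrency:EC2/BitcoinTool.B!DNS finding.

Added example; the instance IDs and sample finding are constructed.
"""

FINDING_TYPE = "CryptoCurrency:EC2/BitcoinTool.B!DNS"

# Constructed: instances approved to run blockchain workloads.
EXPECTED_MINING_INSTANCES = ["i-0abc111111111111a"]

# Constructed finding in the shape of a GuardDuty finding document.
SAMPLE_FINDING = {
    "type": FINDING_TYPE,
    "severity": 5,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0deadbeef00000001"}},
    "service": {"action": {"actionType": "DNS_REQUEST"}},
}

def suppression_criteria(instance_ids):
    """FindingCriteria for a suppression filter (the document passed to
    `aws guardduty create-filter --action ARCHIVE --finding-criteria`)."""
    return {"Criterion": {
        "type": {"Eq": [FINDING_TYPE]},
        "resource.instanceDetails.instanceId": {"Eq": list(instance_ids)},
    }}

def _lookup(finding, dotted_key):
    """Resolve a dotted attribute path (as used in filter criteria) in a finding."""
    value = finding
    for part in dotted_key.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def matches_criteria(finding, criteria):
    """True if every Eq criterion matches; mirrors how a filter would archive."""
    return all(_lookup(finding, key) in cond.get("Eq", [])
               for key, cond in criteria["Criterion"].items())

def triage(finding, instance_ids=EXPECTED_MINING_INSTANCES):
    """'archive' for an approved instance, 'remediate' for any other one."""
    if finding.get("type") != FINDING_TYPE:
        return "ignore"  # not the finding type this article covers
    if matches_criteria(finding, suppression_criteria(instance_ids)):
        return "archive"
    return "remediate"
```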

For more information, see How Amazon GuardDuty uses its data sources.