{
	"id": "22a29fdf-1f30-44ee-82aa-515f7ecc8d31",
	"created_at": "2026-04-06T00:17:59.49486Z",
	"updated_at": "2026-04-10T13:11:23.287863Z",
	"deleted_at": null,
	"sha1_hash": "773e749687b574f688ca72f507793f8315b94915",
	"title": "Google’s Vertex AI Platform Gets Freejacked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43358,
	"plain_text": "Google’s Vertex AI Platform Gets Freejacked\r\nBy Michael Clark\r\nPublished: 2023-08-14 · Archived: 2026-04-05 20:25:17 UTC\r\nThe Sysdig Threat Research Team (Sysdig TRT) recently discovered a new Freejacking campaign abusing\r\nGoogle's Vertex AI platform for cryptomining. Vertex AI is a SaaS, which makes it vulnerable to a number of\r\nattacks, such as Freejacking and account takeovers. Freejacking is the act of abusing free services, such as free\r\ntrials, for financial gain. This freejacking campaign leverages free Coursera courses that provide the attacker with\r\nno-cost access to GCP and Vertex AI. The attacker is able to generate free money while the service provider ends\r\nup footing the bill.\r\nUsing trial accounts seems inefficient on the surface, as many services require credit card checks and have other\r\nlimiting features. However, we have observed attackers heavily automate the process and use sites which generate\r\ntemporary email addresses, phone numbers, and even credit cards. CAPTCHAs are also a common defense, but\r\nwe have seen attackers automate their resolution too. If scaled up, Freejacking can be an effective way to earn\r\nmoney.\r\nIn this attack, we observed dozens of instances being created per fake account. Each fake account was created\r\nwith automation, so the attacker could have quite a few instances running. The trials themselves are often limited\r\nby time and resources, so the amount of money per instance is probably only a dollar or two for its lifetime. But\r\nwith enough scale it can be worth the effort considering the cost of living where the attacker lives. We currently\r\nbelieve the attacker in this example is from Indonesia. Importantly, as we learned with PURPLEURCHIN, $1 of\r\nprofit for an attacker can mean a $53 loss for the provider.\r\nWith AI being all the rage right now, these platforms are popping up all over the place. They are used to make\r\nmachine learning/AI easier by providing pipelines and computing infrastructure, among a lot of other niceties.\r\nPart of the offering is compute infrastructure to train the models in a scalable and high-performance manner. With\r\nthe AI gold rush occurring, teams all over the world are racing to field products, which means results first, and\r\nthen \"doing\" security somewhere down the line.\r\nThese computing resources are what attackers are after and the graphics cards (GPU's) that come with them are\r\nideal for mining cryptocurrency. GPU's have special chipsets which allow them to make calculations in a much\r\nmore parallel way compared to CPU's. This parallelism allows the cryptomining program to perform roughly 6x\r\nbetter than a similar CPU. With this kind of hardware, attackers can earn more money, more quickly.\r\nIn this attack, the attacker leverages Jupyter Notebooks provided by the Vertex AI platform in order to run their\r\nminer. It's a rather simple, but effective tactic. A Jupyter Notebook is an interactive Python-based form which\r\nallows you to easily run code and commands while formatting the output. Since it provides such easy access to the\r\ncommand line, attackers are always happy to find them.\r\nThey run a script which creates three tensorflow instances in multiple regions. Tensorflow is a popular machine\r\nlearning platform that can leverage GPU's and other specialized hardware. Next they use a custom GCP machine\r\nhttps://sysdig.com/blog/googles-vertex-ai-platform-freejacked/\r\nPage 1 of 2\n\ntype which launches a Tensorflow instance with 6 CPU's and 12GB of RAM. Tensorflow is the important aspect\r\nof the instances they are creating, as these images come with GPU's which can maximize cryptomining results.\r\ngcloud notebooks instances create tensorflow-1 --vm-image-project deeplearning-platform-release --vm-image-name\r\nsleep 5\r\ngcloud notebooks instances create tensorflow-2 --vm-image-project deeplearning-platform-release --vm-image-name\r\nsleep 5\r\ngcloud notebooks instances create tensorflow-3 --vm-image-project deeplearning-platform-release --vm-image-name\r\nsleep 5\r\nOnce the Tensorflow instances are created, the attacker pulls down their miner from a public repository and runs it\r\nas long as they can. The cryptocurrency used in this attack is called Dero, another privacy focused coin similar to\r\nMonero. These coins are designed so it is difficult to track their transactions, making it a less risky choice for the\r\nattacker. The attacker launches their miner with a command like the one below.\r\n./nodes -w deroi1qyzlxxgq2weyqlxg5u4tkng2lf5rktwanqhse2hwm577ps22zv2x2q9pvfz92xm369mdkp06lgvqf4y5cm.$(echo J6c-The IP Address in the \"nodes\" command, 149.129.237.206, is a mining pool controlled by the attacker hosted on\r\nan Alibaba server. The Dero wallet is a long unique string which is appended with an identifier (e.g. the date)\r\nwhich allows this mining instance to be considered a separate worker in the mining pool mainly for metrics. This\r\nminer will run until the users trial resources are expired.\r\nGoogle's Vertex AI is not the only AI platform vulnerable to this type of attack, any service which offers free/trial\r\ncompute can and will be used for freejacking. Either their free trials will be abused or their customers will be\r\ncompromised and used to mine cryptocurrency. The shared responsibility model of security is important here as\r\nboth the service providers and the customers need to ensure their ends are properly protected. Threat Detection\r\nand Response tools are very effective at countering cryptominers and should be used by both parties for runtime\r\nmonitoring and suspicious account logins.\r\nSource: https://sysdig.com/blog/googles-vertex-ai-platform-freejacked/\r\nhttps://sysdig.com/blog/googles-vertex-ai-platform-freejacked/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sysdig.com/blog/googles-vertex-ai-platform-freejacked/"
	],
	"report_names": [
		"googles-vertex-ai-platform-freejacked"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434679,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/773e749687b574f688ca72f507793f8315b94915.pdf",
		"text": "https://archive.orkl.eu/773e749687b574f688ca72f507793f8315b94915.txt",
		"img": "https://archive.orkl.eu/773e749687b574f688ca72f507793f8315b94915.jpg"
	}
}