2025-09-15 –, Main Room
Throughout the past year, we’ve observed a coordinated and extensive effort by threat actors to exploit the free tier offerings of cloud providers. This presentation provides an in-depth analysis of the TTPs (tactics, techniques, and procedures) observed in the wild, emphasizing how adversaries systematically exploit free-tier resources, especially those with GPU or ML capabilities, for profit.
We’ll walk through the end-to-end attack lifecycle, from automated cloud account generation using browser extensions and iMacros scripts to validation, infrastructure deployment, and resale on underground marketplaces. We’ll also discuss the broader monetization ecosystem, highlighting how these actors integrate with e-commerce platforms to scale their operations.
The session will include real-world indicators, case study elements, and tooling details to help defenders recognize and disrupt similar activities in their own environments. Attendees will leave with a clearer understanding of the underground economy built around cloud abuse—and actionable insights to defend against it.
Miguel Hernández, Sr. Threat Research Engineer at Sysdig, is a lifelong learner passionate about innovation. Over the past decade, Miguel has honed his expertise in security research, leaving his mark at prominent tech companies and fostering a spirit of collaboration through personal open-source initiatives. Miguel has been a featured speaker at cybersecurity conferences across Europe, such as HITB, HIP, CCN-CERT, RootedCon, TheStandoff, and DeepSec.