Investigating Suspected DPRK-Linked Crypto Intrusions

2026-03-02 Ctrl Alt Intel

https://ctrlaltintel.com/threat%20research/DPRK-Crypto-Heist/


Ctrl-Alt-Intel observed suspected DPRK-linked intrusions against cryptocurrency organizations, including staking platforms, exchange software providers, and exchange cloud tenants. The activity combined React2Shell scanning and exploitation with separate use of valid AWS tokens to enumerate S3, RDS, EC2, IAM, EKS, ECR, Lambda, and Secrets Manager. Operators searched for Kubernetes configs, private keys, secrets, Terraform state, source code, Docker images, and database credentials, then pivoted from AWS IAM into Kubernetes by updating EKS kubeconfigs. Reported infrastructure and tooling included VShell C2 on port 8082, FRP (fast reverse proxy) on port 53, and South Korean VPN nodes for origin obfuscation. The findings matter because they show cloud-native post-exploitation aimed at crypto supply-chain assets and proprietary systems, access that could enable theft, further compromise, or operational reuse.
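The enumeration-then-pivot sequence above is detectable from CloudTrail alone: a single access key that reads across many services in a short window and then calls eks:DescribeCluster (the API that `aws eks update-kubeconfig` invokes to build a kubeconfig). The detector below is an added example written for this page, not tooling from Ctrl-Alt-Intel or the report; the CloudTrail-style records, key IDs, IP addresses, and the 30-minute / five-service thresholds are constructed assumptions.

```python
"""Added example: flag an AWS access key that enumerates several services
and then fetches EKS cluster details (the IAM -> Kubernetes pivot).
Hypothetical detection logic; thresholds are assumptions, not report values."""
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style records for this example; not data from the report.
# Key ...0001 enumerates eight services and then describes an EKS cluster.
# Key ...0002 is a benign admin doing one EC2 read before touching EKS.
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-02T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
    {"eventTime": "2026-03-02T10:01:10Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
    {"eventTime": "2026-03-02T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
    {"eventTime": "2026-03-02T10:03:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
    {"eventTime": "2026-03-02T10:04:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "ListClusters", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
    {"eventTime": "2026-03-02T10:05:15Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "DescribeRepositories", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
    {"eventTime": "2026-03-02T10:06:40Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "ListFunctions20150331", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
    {"eventTime": "2026-03-02T10:07:20Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
    # What `aws eks update-kubeconfig` does under the hood:
    {"eventTime": "2026-03-02T10:12:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DescribeCluster", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
    {"eventTime": "2026-03-02T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0002"}},
    {"eventTime": "2026-03-02T11:01:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DescribeCluster", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0002"}},
]

READ_PREFIXES = ("List", "Describe", "Get")   # enumeration-style API calls
WINDOW = timedelta(minutes=30)                 # assumed look-back window
MIN_SERVICES = 5                               # assumed breadth threshold


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def service_of(event):
    # "secretsmanager.amazonaws.com" -> "secretsmanager"
    return event["eventSource"].split(".")[0]


def find_enumeration_then_eks_pivot(events, window=WINDOW, min_services=MIN_SERVICES):
    """Return one finding per access key that made read calls against at least
    `min_services` distinct services within `window` before eks:DescribeCluster."""
    by_key = {}
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key.setdefault(key, []).append(ev)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for i, ev in enumerate(evs):
            if ev["eventSource"] != "eks.amazonaws.com" or ev["eventName"] != "DescribeCluster":
                continue
            pivot_time = parse_time(ev["eventTime"])
            prior = [e for e in evs[:i]
                     if pivot_time - parse_time(e["eventTime"]) <= window
                     and e["eventName"].startswith(READ_PREFIXES)]
            services = sorted({service_of(e) for e in prior})
            if len(services) >= min_services:
                findings.append({
                    "accessKeyId": key,
                    "pivotTime": ev["eventTime"],
                    "services": services,
                    "sourceIPs": sorted({e["sourceIPAddress"] for e in prior + [ev]}),
                })
                break  # one finding per key is enough to raise an alert
    return findings


if __name__ == "__main__":
    print(json.dumps(find_enumeration_then_eks_pivot(SAMPLE_EVENTS), indent=2))
```

Run it against exported CloudTrail records (one JSON object per line is easiest) and tune the window and service count to your tenant's normal automation. Once the operator has a kubeconfig, the kubectl activity that follows lands in the EKS control-plane audit log rather than CloudTrail, so the DescribeCluster call is the last AWS-side hop you can anchor on; correlate the source IPs in the finding with any VPN egress ranges you already track.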

Indicators of Compromise

Type    Value                             First Seen   Last Seen
HASH    1c6770917d13fce1347f0cea9c9b86b0  2026-03-02   2026-03-02
HASH    8f633ade35df4f992eb28a2c5bc37cef  2026-03-02   2026-03-02
HASH    42bd7c130c146246c88dc3462b0d21dd  2026-03-02   2026-03-02
DOMAIN  chainup.com                       2026-03-02   2026-03-02
DOMAIN  git.uslab.dev                     2026-03-02   2026-03-02
DOMAIN  itemnania.com                     2026-03-02   2026-03-02
IPv4    64.176.226.36                     2026-03-02   2026-03-02
