Right, but if Amazon disables the bucket then don’t they lose contact with all the infected hosts? And anyway, I can’t imagine expecting a recurring charge like an AWS account to last too long on a stolen CC.
Along with the apparent lack of any actual payload, it seems to point to this being some kind of proof of concept.
Bad guys have figured out there are tons of 1-year promo offers for AWS, and hosting a single file stays well within the free tier. They toss a stolen card on the account to verify it, and honestly most people won't question a $1 charge then refund from Amazon.
2. It may be their bucket, but with false credentials. Stolen CC and faked contact information.