This document outlines steps for responding to a "CryptoCurrency:EC2/BitcoinTool.B!DNS" finding from Amazon GuardDuty. The finding indicates that an EC2 instance is querying a domain associated with bitcoin activity. The recommended steps are to notify the incident response team, quarantine the instance, gather data like credentials and logs, and validate that a replacement instance is working properly. The issue is considered critical and provides an escalation path if unresolved.