Inside the UNC4899 Breach: How a Developer’s Misstep Led to Millions in Crypto Theft


North Korean Hacker Group UNC4899 Breaches Cryptocurrency Firm via Developer’s AirDropped Trojanized File

March 9, 2026 — By Ravie Lakshmanan

A sophisticated cyberattack in 2025 orchestrated by the North Korean state-sponsored threat actor UNC4899 has been uncovered, targeting a cryptocurrency company with the goal of stealing millions of dollars’ worth of digital assets. The attack, detailed in the recently released H1 2026 Cloud Threat Horizons Report by Google Cloud and reported by The Hacker News, highlights a complex blend of social engineering, peer-to-peer (P2P) data transfer exploitation, and advanced cloud intrusion techniques.


The Tactics Behind the Breach

UNC4899, also known by aliases including Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor, gained initial access by exploiting trusted communication channels within the company. The attackers deceived a software developer into downloading a trojanized archive file under the guise of an open-source collaboration project. The developer then transferred this malicious file from a personal device to a corporate workstation using Apple’s AirDrop P2P file sharing feature.

The developer’s AI-assisted Integrated Development Environment (IDE) executed the malicious Python code embedded in the archive, which in turn launched a binary disguised as the Kubernetes command-line tool (kubectl) on the corporate machine. This backdoor connected to an attacker-controlled domain, establishing persistent access and enabling the threat actors to pivot from the compromised workstation into the company’s Google Cloud environment using authenticated sessions and harvested credentials.


Inside the Cloud: Exploitation and Escalation

Once inside the cloud environment, UNC4899 conducted thorough reconnaissance, uncovering a bastion host crucial for elevated access. Notably, the attackers manipulated the bastion host’s multi-factor authentication (MFA) settings to bypass its security controls. From there, they navigated Kubernetes pods, altering deployment configurations to automate the execution of malicious bash commands when new pods were created — a living-off-the-cloud (LotC) persistence technique that enabled ongoing backdoor deployments.

They further modified Kubernetes resources associated with the victim’s Continuous Integration/Continuous Deployment (CI/CD) platform to expose service account tokens via logs. Using a high-privileged CI/CD token, they escalated privileges, moved laterally throughout the network, and compromised pods responsible for network policies and load balancing. They escaped container isolation on a privileged infrastructure pod to install persistent backdoors.

Further reconnaissance led the attackers to workloads managing sensitive customer data, including user identities and cryptocurrency wallet details. Static database credentials insecurely stored in pod environment variables were stolen and abused to access production databases via the Cloud SQL Auth Proxy. The adversaries executed SQL commands to reset passwords and update MFA seeds for high-value user accounts, facilitating unauthorized withdrawals totaling several million dollars in cryptocurrency assets.


Lessons and Recommendations

Google Cloud emphasized that this incident underlines significant cybersecurity risks involving:

  • Personal-to-corporate P2P Data Transfers: AirDrop and similar mechanisms pose trust challenges when bridging personal and work devices.
  • Privileged Container Modes: Elevated permissions in containerized environments enable impactful lateral movement and persistence.
  • Insecure Secrets Management: Storing credentials in easily accessible environment variables increases vulnerability.

To mitigate such attacks, affected organizations and the broader industry are urged to adopt a layered defense strategy incorporating:

  • Strong identity verification methods and phishing-resistant multi-factor authentication (MFA)
  • Strict validation of identities and rigid access controls within cloud environments
  • Prohibition or restriction of peer-to-peer file sharing services such as AirDrop and Bluetooth on corporate endpoints
  • Robust secrets management practices ensuring no sensitive credentials reside in pod environment variables
  • Deployment of only trusted container images with continuous monitoring for anomalous processes
  • Isolation of compromised nodes to prevent external communications and lateral spread within the cloud infrastructure
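The three workload-level weaknesses the report calls out (privileged container mode, credentials sitting in pod environment variables, and pod lifecycle hooks that run a shell on every pod start, the mechanism behind the "living-off-the-cloud" persistence described above) can all be caught by auditing Deployment manifests before they reach the cluster. The following Python checker is an added example written for this article, not code from Google Cloud or from the victim organization. It assumes the manifest has already been parsed into a dict (as PyYAML or `kubectl get -o json` would produce); the two sample Deployments, the `wallet-api` name, the image references and the credential-name heuristic are constructed for illustration.

```python
"""Audit a parsed Kubernetes Deployment for the weaknesses discussed in the write-up.

Added example; the manifests below are constructed, not taken from the report.
"""
import re

# Env var names that usually carry a credential (heuristic, assumed for this example).
CREDENTIAL_NAME_RE = re.compile(r"(pass(word)?|secret|token|api[_-]?key|private[_-]?key)", re.I)


def audit_deployment(manifest: dict) -> list:
    """Return human-readable findings for one Deployment; an empty list means clean."""
    findings = []
    dep = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})

    # 1. The service account token is mounted by default; a pod that never talks to the
    #    Kubernetes API should opt out so a compromised container cannot reuse it.
    if pod_spec.get("automountServiceAccountToken", True):
        findings.append(f"{dep}: service account token is auto-mounted into the pod")

    containers = list(pod_spec.get("containers") or []) + list(pod_spec.get("initContainers") or [])
    for c in containers:
        cname = c.get("name", "<unnamed>")

        # 2. Privileged mode removes container isolation, which is what the attackers
        #    needed to escape onto the node and install backdoors.
        if (c.get("securityContext") or {}).get("privileged") is True:
            findings.append(f"{dep}/{cname}: container runs in privileged mode")

        # 3. Credentials in the environment. A literal value is the worst case, but even a
        #    secretKeyRef ends up in the process environment, readable by anyone who can
        #    exec into the pod or read /proc. A *_FILE / *_PATH variable that only points at
        #    a mounted secret is the pattern we want, so it is not flagged.
        for env in c.get("env") or []:
            ename = env.get("name", "")
            if not CREDENTIAL_NAME_RE.search(ename) or ename.upper().endswith(("_FILE", "_PATH")):
                continue
            if "value" in env:
                findings.append(f"{dep}/{cname}: env var {ename} holds a literal credential")
            elif (env.get("valueFrom") or {}).get("secretKeyRef"):
                findings.append(f"{dep}/{cname}: env var {ename} injects a Secret into the "
                                "environment; prefer a mounted file or workload identity")

        # 4. Lifecycle hooks that start a shell run on every pod (re)creation, which makes
        #    them a natural hiding place for a command that re-deploys a backdoor.
        for hook in ("postStart", "preStop"):
            cmd = (((c.get("lifecycle") or {}).get(hook) or {}).get("exec") or {}).get("command") or []
            if cmd and cmd[0].rsplit("/", 1)[-1] in ("bash", "sh"):
                findings.append(f"{dep}/{cname}: {hook} hook runs a shell: {' '.join(cmd)}")
    return findings


# Constructed "before" manifest showing all four weaknesses at once.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "wallet-api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.example.invalid/wallet-api:latest",
        "securityContext": {"privileged": True},
        "env": [
            {"name": "DB_PASSWORD", "value": "plaintext-password-here"},  # constructed value
            {"name": "LOG_LEVEL", "value": "info"},
        ],
        "lifecycle": {"postStart": {"exec": {"command": ["bash", "-c", "/opt/setup.sh"]}}},
    }]}}},
}

# Constructed "after" manifest: no privilege, no API token, secret delivered as a file,
# image pinned by digest (placeholder digest), no shell hooks.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "wallet-api"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "volumes": [{"name": "db-creds", "secret": {"secretName": "wallet-db"}}],
        "containers": [{
            "name": "api",
            "image": "registry.example.invalid/wallet-api@sha256:<digest-placeholder>",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True},
            "env": [
                {"name": "DB_PASSWORD_FILE", "value": "/var/run/secrets/wallet-db/password"},
                {"name": "LOG_LEVEL", "value": "info"},
            ],
            "volumeMounts": [{"name": "db-creds", "mountPath": "/var/run/secrets/wallet-db",
                              "readOnly": True}],
        }],
    }}},
}

if __name__ == "__main__":
    for label, m in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(f"[{label}] {len(audit_deployment(m))} finding(s)")
        for f in audit_deployment(m):
            print("  -", f)
```

Running the script reports four findings for the weak manifest and none for the hardened one. The same checks translate directly into an admission policy (for example a validating webhook or a policy engine rule), which is where they belong in a CI/CD pipeline: the report's point is that a token with high privilege was recoverable from a pod, so rejecting such manifests at admission is cheaper than detecting their abuse afterwards.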

Conclusion

The UNC4899 campaign marrying social engineering with advanced cloud exploitation techniques illustrates the evolving threat landscape for cryptocurrency organizations and other cloud-reliant enterprises. This breach serves as a stark reminder that security controls must not only focus on network perimeters but also on endpoint hygiene, identity management, and rigorous secrets handling inside cloud-native environments.

Organizations operating in high-value sectors such as cryptocurrency are encouraged to reassess their security posture and implement defense-in-depth measures tailored to the complexities of hybrid device ecosystems and cloud workloads.

