The North Korean threat actor known as UNC4899 is thought to have carried out a sophisticated cloud compromise campaign against a cryptocurrency organization in 2025 in order to steal millions of dollars in cryptocurrency. This article walks through the cloud attack chain. The state-sponsored adversary, which is also tracked under the names Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor, has been linked to the activity with moderate confidence.
After gaining access to the cloud environment, the attackers allegedly abused legitimate DevOps workflows to obtain credentials, escape container boundaries, and manipulate Cloud SQL databases in order to facilitate the theft of cryptocurrency.
According to Google Cloud, the attack chain progressed from the compromise of a developer's personal device to their corporate workstation and then into the cloud, where the financial logic was altered without authorization. The threat actors first used social engineering to trick the developer into downloading an archive file under the guise of collaborating on an open-source project.
"To reduce the blast radius of an intrusion event, organizations should implement a defense-in-depth strategy that strictly isolates cloud runtime environments, limits data transfer on endpoints, and rigorously validates identity," the Google Cloud guidance states. To counter the threat, organizations are advised to implement context-aware access and phishing-resistant MFA, ensure that only trusted images are deployed, prevent compromised nodes from establishing connectivity with external hosts, monitor for unexpected container processes, adopt robust secrets management, and enforce policies that disable or restrict both peer-to-peer file sharing via Bluetooth or AirDrop and the mounting of unmanaged external media on corporate devices.