UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device
North Korean Hackers Steal Millions in Sophisticated Cloud Crypto Heist
By Ravie Lakshmanan
March 9, 2026
DevOps / Threat Intelligence
A North Korean state-sponsored hacking group has stolen millions of dollars in cryptocurrency by chaining social engineering, a trojanized file, and cloud credential abuse across a developer's personal and corporate environments. No software vulnerability exploitation is described; every step relied on trust, on a developer's own tooling, and on credentials that were already valid. The activity has been attributed with moderate confidence to UNC4899, also tracked as Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor, and illustrates how nation-state operators now move from a single workstation to a victim's cloud estate.
The Anatomy of a High-Stakes Attack
The incident, detailed in Google Cloud's H1 2026 Cloud Threat Horizons Report, began with a classic social engineering ploy. The attackers targeted a developer at a cryptocurrency organization and lured them into downloading what appeared to be a legitimate archive file as part of a supposed open-source project collaboration. Trusting the source, the developer moved the file from a personal device to their corporate workstation using AirDrop, Apple's peer-to-peer (P2P) file-sharing feature. Because the transfer never crossed the corporate network, it was never subject to the download inspection that an email or web gateway would apply.
Once on the corporate device, the malicious payload was executed within the developer's AI-assisted Integrated Development Environment (IDE). The embedded Python code spawned a binary masquerading as kubectl, the Kubernetes command-line tool, which then contacted an attacker-controlled domain and established a backdoor on the developer's corporate machine. The choice of name is deliberate: a process called kubectl making outbound connections is unremarkable on a developer workstation, so the beacon blends in with routine cluster administration.
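The masquerading-binary step above is the point where endpoint telemetry can still catch the intrusion, provided the hunt does not stop at the process name. The following is an added example written for this article, not code from the Google Cloud report or from the victim organization. It triages constructed process events (the JSON field names, the expected install directories, the placeholder hashes, and the cluster endpoint list are all assumptions standing in for a real EDR schema and a real fleet inventory) and flags a kubectl that runs from a project directory, was spawned by a Python interpreter rather than a shell, carries an unknown hash, or talks to a host that is not a known API server.

```python
"""Triage process telemetry for binaries masquerading as kubectl.

Added example, not part of the original report. All sample events below
are constructed for illustration, and every allowlist is an assumption
to be replaced with data from your own fleet.
"""
import json
from pathlib import PurePosixPath

# Assumed: where a legitimately installed kubectl lives on a macOS developer box.
EXPECTED_KUBECTL_DIRS = {"/usr/local/bin", "/opt/homebrew/bin", "/usr/bin"}

# Assumed: parents from which kubectl should not normally be spawned
# (an interpreter running code unpacked from a downloaded archive, or IDE helpers).
SUSPICIOUS_PARENTS = {"python", "python3", "node", "Code Helper", "Cursor Helper"}

# Assumed: SHA-256 of the kubectl builds the fleet is allowed to run (placeholder value).
KNOWN_GOOD_SHA256 = {"4b9c0d3f" * 8}

# Assumed: API server endpoints found in the organization's kubeconfigs.
KNOWN_CLUSTER_HOSTS = {"34.120.0.10", "k8s-prod.internal"}

# Constructed telemetry: one benign kubectl run, one masquerading binary, one unrelated tool.
SAMPLE_EVENTS = [
    json.dumps({"id": "e1", "ts": "2026-03-01T10:01:00Z",
                "path": "/opt/homebrew/bin/kubectl", "parent": "zsh",
                "sha256": "4b9c0d3f" * 8, "dst_host": "34.120.0.10"}),
    json.dumps({"id": "e2", "ts": "2026-03-01T10:07:00Z",
                "path": "/Users/dev/projects/demo-repo/.tools/kubectl", "parent": "python3",
                "sha256": "deadbeef" * 8, "dst_host": "updates.example-cdn.invalid"}),
    json.dumps({"id": "e3", "ts": "2026-03-01T10:09:00Z",
                "path": "/usr/bin/curl", "parent": "zsh",
                "sha256": "cafef00d" * 8, "dst_host": "github.com"}),
]


def triage_event(event: dict) -> list[str]:
    """Return the list of reasons an event is suspicious; empty means benign or not kubectl."""
    path = PurePosixPath(event["path"])
    if path.name != "kubectl":
        return []
    reasons = []
    parent_dir = str(path.parent)
    if parent_dir not in EXPECTED_KUBECTL_DIRS:
        reasons.append(f"kubectl running from unexpected directory {parent_dir}")
    if event.get("parent") in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {event['parent']} rather than an interactive shell")
    if event.get("sha256") not in KNOWN_GOOD_SHA256:
        reasons.append("binary hash not in the known-good kubectl set")
    dst = event.get("dst_host")
    if dst and dst not in KNOWN_CLUSTER_HOSTS:
        reasons.append(f"connected to {dst}, which is not a known cluster API endpoint")
    return reasons


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map event id to its list of findings, keeping only events with at least one reason."""
    findings = {}
    for line in lines:
        event = json.loads(line)
        reasons = triage_event(event)
        if reasons:
            findings[event["id"]] = reasons
    return findings


if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print(event_id)
        for reason in reasons:
            print("  -", reason)
```

Each check is individually weak (a developer can legitimately install kubectl under a project directory, or run it from a script), which is why the function accumulates reasons instead of returning on the first hit: an alert on two or more reasons, or on the hash check alone, is a far better signal than any single heuristic. On a real fleet, feed the hash set from your package manager or binary-authorization inventory rather than maintaining it by hand.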
From Corporate Network to Cloud Environment
With initial access secured, the attackers pivoted to the organization's Google Cloud environment, most likely by reusing authenticated sessions and credentials already present on the compromised workstation rather than by breaking any authentication step. This marked the beginning of a multi-stage reconnaissance phase in which the adversaries mapped the victim's cloud infrastructure, identifying key services, projects, and potential paths to higher-value access.
A critical breakthrough came when the attackers discovered a bastion host, a hardened jump host used as the sole gateway into internal networks. By modifying its multi-factor authentication (MFA) policy,