UNC4899, a North Korean state-sponsored threat actor, is suspected of a sophisticated 2025 cloud compromise that stole millions from a cryptocurrency organization. The attackers used social engineering and a peer-to-peer file transfer from a developer's personal device to a corporate one to compromise that developer, then pivoted to the cloud, abusing DevOps workflows, Kubernetes, and Cloud SQL to harvest credentials, tamper with accounts, and withdraw funds. #UNC4899 #GoogleCloud
Key points
- UNC4899 is attributed with a 2025 campaign that stole millions from a cryptocurrency organization.
- The attack began with social engineering and an archive file transferred from a developer’s personal device via AirDrop.
- A malicious binary disguised as the Kubernetes CLI established a backdoor that enabled pivoting into the cloud environment.
- The adversary abused DevOps workflows and modified Kubernetes deployments to harvest service-account tokens and maintain living-off-the-cloud persistence.
- Stolen credentials and insecurely stored database secrets were used via Cloud SQL Auth Proxy to alter accounts and withdraw digital assets.
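Two of the weaknesses the summary names, Kubernetes deployments that hand pods a service-account token, and database secrets stored insecurely, can be audited directly from `kubectl get deploy -A -o json` output. The following script is an added, illustrative check written for this page; it is not code from the report or from Google Cloud, and the two Deployment manifests embedded in it are constructed samples, not artifacts from the victim environment. The list of credential-like environment variable names is a heuristic assumption.

```python
"""Audit Kubernetes Deployment manifests for two defensive findings:
pods that auto-mount a service-account token, and credential-like environment
variables set as plaintext literals instead of Secret references.

Added example for this page; the manifests below are constructed samples.
"""
import json
import re

# Heuristic (assumption): env var names that usually carry database credentials.
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|DB_PASS|DATABASE_URL)", re.I)

# Constructed sample in the shape of `kubectl get deploy -A -o json`.
SAMPLE = json.loads("""
{"kind": "DeploymentList", "items": [
  {"metadata": {"name": "wallet-api", "namespace": "payments"},
   "spec": {"template": {"spec": {
     "containers": [{"name": "api", "image": "example/wallet-api:1.0",
       "env": [{"name": "DB_PASSWORD", "value": "constructed-plaintext-value"}]}]}}}},
  {"metadata": {"name": "wallet-api-hardened", "namespace": "payments"},
   "spec": {"template": {"spec": {
     "serviceAccountName": "wallet-api",
     "automountServiceAccountToken": false,
     "containers": [{"name": "api", "image": "example/wallet-api:1.0",
       "env": [{"name": "DB_PASSWORD",
                "valueFrom": {"secretKeyRef": {"name": "wallet-db", "key": "password"}}}]}]}}}}
]}
""")


def audit_deployment(deploy: dict) -> list[str]:
    """Return a list of human-readable findings for one Deployment object."""
    findings = []
    name = deploy["metadata"].get("name", "<unnamed>")
    ns = deploy["metadata"].get("namespace", "default")
    pod = deploy["spec"]["template"]["spec"]

    # 1. Kubernetes mounts the service-account token into every container unless
    #    automountServiceAccountToken is explicitly false on the pod spec (or the SA).
    #    A token a workload never needs is one a modified deployment can exfiltrate.
    sa = pod.get("serviceAccountName", "default")
    if pod.get("automountServiceAccountToken", True):
        findings.append(f"{ns}/{name}: service account '{sa}' token auto-mounted into pods")

    # 2. A literal `value` on a credential-like env var is readable by anyone who can
    #    read the Deployment; a secretKeyRef keeps the value behind Secret RBAC.
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for env in c.get("env", []):
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                findings.append(
                    f"{ns}/{name}: container '{c['name']}' stores plaintext credential in env var {env['name']}"
                )
    return findings


def audit_list(deploy_list: dict) -> list[str]:
    """Audit every item of a DeploymentList and concatenate the findings."""
    out = []
    for item in deploy_list.get("items", []):
        out.extend(audit_deployment(item))
    return out


if __name__ == "__main__":
    for line in audit_list(SAMPLE):
        print(line)
```

Run against live output by replacing `SAMPLE` with `json.load(sys.stdin)` and piping `kubectl get deploy -A -o json` into the script. The hardened sample shows the remediation the check expects: a dedicated service account with `automountServiceAccountToken: false` and credentials supplied through `secretKeyRef` rather than inline values.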
Read More: https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.html