UNC4899 cryptocurrency cloud compromise campaign
Campaign
Summary
Hide ▲
Show ▼
The UNC4899 campaign against a cryptocurrency organization in 2025 escalated into a cloud compromise that enabled theft of millions of dollars in digital assets. The operation used social engineering and a compromised personal-to-corporate device bridge to reach the victim environment. Once inside, the attackers abused DevOps/Kubernetes workflows and Cloud SQL access to move deeper into the cloud. The case matters because it shows how a targeted intrusion can turn identity and workflow abuse into direct asset theft.
Related Happenings
Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw
Vulnerability
H score1
First: 16.06.2026 22:05
Last: 16.06.2026 22:05
Sources 1
About this happening:
**Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...
Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw
VulnerabilityAbout this happening: **Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...
Organization hit by network compromise linked to Velvet Ant
Incident
H score35
First: 13.06.2026 17:06
Last: 13.06.2026 17:06
Sources 1
About this happening:
A **target organization** suffered a **10-year authentication stack compromise** that exposed **administrative activity** inside an **isolated critical infrastructure network**. T...
Organization hit by network compromise linked to Velvet Ant
IncidentAbout this happening: A **target organization** suffered a **10-year authentication stack compromise** that exposed **administrative activity** inside an **isolated critical infrastructure network**. T...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
H score16
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical AnalysisAbout this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
H score33
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Storm-2949 Microsoft 365 and Azure data-theft campaign
CampaignAbout this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware Activity
H score27
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware ActivityAbout this happening: The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
Timeline
-
09.03.2026 16:50 2 articles · 4mo ago
UNC4899 cryptocurrency cloud compromise campaign
Initial DisclosureThe operation began with **social engineering** that persuaded a developer to download an archive linked to a supposed open-source project. The archive moved from a personal device to a corporate workstation through **AirDrop**, and embedded code executed to create an initial backdoor.
Show sources
- UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device — thehackernews.com — 09.03.2026 16:50
- UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device — thehackernews.com — 09.03.2026 16:50