Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC4899 cryptocurrency cloud compromise campaign

Campaign
First reported
Last updated
Happening score
H score 35
1 unique sources, 1 articles

Summary

Hide ▲

The UNC4899 campaign against a cryptocurrency organization in 2025 escalated into a cloud compromise that enabled theft of millions of dollars in digital assets. The operation used social engineering and a compromised personal-to-corporate device bridge to reach the victim environment. Once inside, the attackers abused DevOps/Kubernetes workflows and Cloud SQL access to move deeper into the cloud. The case matters because it shows how a targeted intrusion can turn identity and workflow abuse into direct asset theft.

Related Happenings

Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw

Vulnerability
H score1 First: 16.06.2026 22:05 Last: 16.06.2026 22:05 Sources 1

About this happening: **Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...

Organization hit by network compromise linked to Velvet Ant

Incident
H score35 First: 13.06.2026 17:06 Last: 13.06.2026 17:06 Sources 1

About this happening: A **target organization** suffered a **10-year authentication stack compromise** that exposed **administrative activity** inside an **isolated critical infrastructure network**. T...

Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication

Technical Analysis
H score16 First: 21.05.2026 23:07 Last: 21.05.2026 23:07 Sources 1

About this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
H score33 First: 19.05.2026 22:35 Last: 19.05.2026 22:35 Sources 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

PCPJack credential theft framework worms across exposed cloud infrastructure

Malware Activity
H score27 First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...

Timeline

  1. 09.03.2026 16:50 2 articles · 4mo ago

    UNC4899 cryptocurrency cloud compromise campaign

    Initial Disclosure

    The operation began with **social engineering** that persuaded a developer to download an archive linked to a supposed open-source project. The archive moved from a personal device to a corporate workstation through **AirDrop**, and embedded code executed to create an initial backdoor.

    Show sources