
UNC4899 cryptocurrency cloud compromise campaign

Campaign
Happening score: 35
1 unique source, 1 article

Summary


In 2025 the UNC4899 campaign against a cryptocurrency organization escalated into a cloud compromise that enabled the theft of millions of dollars in digital assets. The operation opened with social engineering of a developer and used the developer's personal device as a bridge into a corporate workstation. Once inside, the attackers abused DevOps/Kubernetes workflows and Cloud SQL access to move deeper into the cloud environment. The case matters because it shows how a targeted intrusion can turn identity and workflow abuse into direct asset theft.

Related Happenings

Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication

Technical Analysis
First: 21.05.2026 23:07 Last: 21.05.2026 23:07 Sources 1

About this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
First: 19.05.2026 22:35 Last: 19.05.2026 22:35 Sources 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

PCPJack credential theft framework worms across exposed cloud infrastructure

Malware Activity
First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...

PCPJack TeamPCP-targeting cloud credential theft campaign

Campaign
First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...

PCPJack Linux cloud credential-theft and persistence framework

Malware Activity
First: 07.05.2026 21:35 Last: 07.05.2026 21:35 Sources 1

About this happening: The **PCPJack** malware framework is stealing credentials from **exposed Linux cloud systems**, creating a broad risk of account takeover and lateral movement. It targets services...

Timeline

  1. 09.03.2026 16:50 · 2 articles

    UNC4899 cryptocurrency cloud compromise campaign

    Initial Disclosure

    The operation began with **social engineering** that persuaded a developer to download an archive linked to a supposed open-source project. The archive moved from a personal device to a corporate workstation through **AirDrop**, and embedded code executed to create an initial backdoor.

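The initial-access step above turns on a developer running code embedded in an archive that looked like an open-source project. The following is an added example, not code from the original report or from the analysts who investigated UNC4899, of the static triage a workstation or CI pipeline can apply to such an archive before anything in it is executed: it flags members that run automatically in a normal developer workflow (install scripts, editor task runners, git hooks), hidden paths, executable bits, symlinks, native binaries identified by their Mach-O or ELF magic, and names that escape the extraction directory. The autorun name list and the sample archive are constructed for this example; the sample imitates the shape of a trojanised project, not any specific artifact from this campaign.

```python
"""Static triage of a downloaded 'source project' archive before it is used.

Added example (not from the original report). Scans a zip without extracting
it and reports members that commonly carry embedded code in a trojanised
project. Runs offline against a constructed sample archive.
"""
import io
import stat
import zipfile

# Files a normal developer workflow executes without an explicit "run":
# package installs, editor task runners, git hooks. Constructed list for
# this example; extend it for the tooling you actually use.
AUTORUN_NAMES = (
    "setup.py", "setup.cfg", "pyproject.toml", "package.json", ".npmrc",
    "Makefile", "postinstall.sh", ".vscode/tasks.json",
    ".git/hooks/post-checkout",
)

# Magic numbers for native code: Mach-O 32/64-bit in both byte orders,
# fat/universal Mach-O (0xCAFEBABE, also used by Java class files), and ELF.
NATIVE_MAGIC = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\x7fELF",
)


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) findings for a zip archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = [p for p in name.split("/") if p]
            # Unix mode bits live in the high 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0xFFFF
            is_link = stat.S_ISLNK(mode)

            if name.startswith("/") or ".." in parts:
                findings.append((name, "path escapes extraction directory"))
            if is_link:
                findings.append((name, "symlink member"))
            if any(p.startswith(".") and p not in (".", "..") for p in parts):
                findings.append((name, "hidden path component"))
            if any(name == n or name.endswith("/" + n) for n in AUTORUN_NAMES):
                findings.append((name, "runs automatically in a developer workflow"))
            if not info.is_dir() and not is_link and mode & 0o111:
                findings.append((name, "executable bit set"))
            if not info.is_dir() and not is_link:
                with zf.open(info) as fh:
                    head = fh.read(4)
                if head.startswith(NATIVE_MAGIC):
                    findings.append((name, "native executable or library"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive imitating a trojanised 'open-source project' download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("proj/README.md", "# Example project\n")
        # Install hook that would run on `pip install .`
        zf.writestr("proj/setup.py",
                    "import subprocess; subprocess.run(['sh', '.cfg/init.sh'])\n")
        hook = zipfile.ZipInfo("proj/.cfg/init.sh")
        hook.external_attr = 0o100755 << 16          # -rwxr-xr-x
        zf.writestr(hook, "#!/bin/sh\necho constructed-sample\n")
        native = zipfile.ZipInfo("proj/vendor/helper")
        native.external_attr = 0o100755 << 16
        # MH_MAGIC_64 (0xFEEDFACF) as stored on disk by a little-endian Mach-O
        zf.writestr(native, b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        link = zipfile.ZipInfo("proj/.zshrc")
        link.external_attr = 0o120777 << 16          # lrwxrwxrwx
        zf.writestr(link, "/Users/dev/.zshrc")
        zf.writestr("../escape.txt", "lands outside the extraction dir\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample_archive()):
        print(f"{member}: {reason}")
```

A clean archive produces an empty list; anything in the list is a reason to open the archive in a sandbox rather than on the workstation that will later hold cloud credentials. The checks are deliberately cheap and format-level so they can sit in front of every download, including ones that arrive through a side channel such as AirDrop rather than a browser.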