UNC4899 Exploits AirDrop to Compromise Crypto Firm's Cloud Environment
Summary
UNC4899, a North Korean threat actor, breached a cryptocurrency firm in 2025 by exploiting an AirDrop file transfer to a developer's work device. The attackers used social engineering to deliver a trojanized file, then pivoted to the cloud environment, employing living-off-the-cloud (LOTC) techniques to steal millions in cryptocurrency. The attack involved abusing DevOps workflows, harvesting credentials, and tampering with Cloud SQL databases. The incident highlights risks associated with personal-to-corporate P2P data transfers, privileged container modes, and insecure handling of secrets in cloud environments.
Timeline
- 09.03.2026 16:50 (1 article): UNC4899 Compromises Crypto Firm via AirDrop and Cloud Environment Exploitation
  In 2025, UNC4899 used social engineering to deceive a developer into downloading a trojanized file via AirDrop. The file executed a backdoor, enabling pivoting to the Google Cloud environment. The attackers abused DevOps workflows, harvested credentials, and tampered with Cloud SQL databases to steal millions in cryptocurrency. The incident highlights the risks of personal-to-corporate P2P data transfers and insecure handling of secrets in cloud environments.
  Source: UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device — thehackernews.com — 09.03.2026 16:50
Information Snippets
- UNC4899, also tracked as Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor, targeted a cryptocurrency organization in 2025.
  First reported: 09.03.2026 16:50 (1 source, 1 article)
  Source: UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device — thehackernews.com — 09.03.2026 16:50
- The attack began with social engineering to deceive a developer into downloading a trojanized file via AirDrop.
  First reported: 09.03.2026 16:50 (1 source, 1 article)
- The malicious file executed a backdoor that contacted an attacker-controlled domain, enabling pivoting to the Google Cloud environment.
  First reported: 09.03.2026 16:50 (1 source, 1 article)
- Attackers abused DevOps workflows, harvested credentials, and tampered with Cloud SQL databases to facilitate cryptocurrency theft.
  First reported: 09.03.2026 16:50 (1 source, 1 article)
- UNC4899 modified Kubernetes deployment configurations to execute a bash command automatically when new pods were created.
  First reported: 09.03.2026 16:50 (1 source, 1 article)
- The attackers extracted static database credentials stored insecurely in environment variables and used them to access the production database.
  First reported: 09.03.2026 16:50 (1 source, 1 article)
- The compromised accounts were used to withdraw several million dollars in digital assets.
  First reported: 09.03.2026 16:50 (1 source, 1 article)
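The snippets above name three weaknesses a defender can audit for directly in deployment manifests: privileged container modes, static credentials placed in environment variables, and deployment configurations altered so that a shell command runs automatically when a pod starts. The following is an added example, not code from the article, from the victim organization, or from the researchers who reported the incident. It audits a Kubernetes Deployment (represented as a plain Python dict, as produced by loading the manifest's JSON or YAML) and reports those three conditions. The two sample manifests are constructed for this example; the list of credential-like variable names and the set of shell binaries are assumptions you should widen for your own environment.

```python
import re

# Env-var names that suggest a credential (assumed list; extend for your environment).
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# Interpreters whose presence as argv[0] means "run an arbitrary shell string" (assumed list).
SHELLS = {"sh", "bash", "/bin/sh", "/bin/bash", "/usr/bin/bash"}


def _pod_containers(deployment):
    """All containers in the pod template, including init containers."""
    spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def _uses_shell(argv):
    """True when the first argv element is a shell, with or without a directory prefix."""
    return bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELLS


def audit_deployment(deployment):
    """Return (container_name, finding) tuples for every weak setting found."""
    findings = []
    for container in _pod_containers(deployment):
        name = container.get("name", "<unnamed>")
        # 1. Privileged mode gives the container host-level access.
        if container.get("securityContext", {}).get("privileged"):
            findings.append((name, "privileged container"))
        # 2. A credential-looking variable with a literal 'value' is a static secret
        #    readable by anyone who can inspect the pod spec; the safe form is
        #    'valueFrom.secretKeyRef' (or a mounted secret / workload identity).
        for env in container.get("env", []):
            if "value" in env and SECRET_NAME_RE.search(env.get("name", "")):
                findings.append((name, f"literal secret in env var {env['name']}"))
        # 3. A shell as the container command or in a postStart hook runs on every
        #    pod creation, which is exactly the persistence point the snippets describe.
        if _uses_shell(container.get("command", [])):
            findings.append((name, "container command invokes a shell"))
        hook = container.get("lifecycle", {}).get("postStart", {}).get("exec", {})
        if _uses_shell(hook.get("command", [])):
            findings.append((name, "postStart hook runs a shell command"))
    return findings


# Constructed sample: the weak pattern (privileged, literal DB password, shell hook).
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "wallet-api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.example.invalid/wallet-api:1.0",
        "securityContext": {"privileged": True},
        "env": [
            {"name": "DB_PASSWORD", "value": "constructed-sample-password"},
            {"name": "DB_HOST", "value": "db.internal.example.invalid"},
        ],
        "lifecycle": {"postStart": {"exec": {"command": ["/bin/sh", "-c", "echo started"]}}},
    }]}}},
}

# Constructed sample: the same workload with the three issues corrected.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "wallet-api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.example.invalid/wallet-api:1.0",
        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
        "env": [
            {"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "wallet-db", "key": "password"}}},
            {"name": "DB_HOST", "value": "db.internal.example.invalid"},
        ],
        "command": ["/app/wallet-api"],
    }]}}},
}


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(label, audit_deployment(manifest) or "no findings")
```

Run against the weak manifest the audit reports the privileged flag, the literal DB_PASSWORD value and the postStart shell hook; the hardened manifest produces no findings. In practice you would feed it every Deployment in a namespace (for example the output of `kubectl get deployments -o json`, iterating over `items`) and diff the results over time, since an unexpected new shell hook or command change on an existing workload is the kind of configuration tampering the incident summary describes.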