Overview of the UNC4899 Campaign
A North Korean hacking group identified as UNC4899 is suspected of orchestrating an advanced cloud compromise operation targeting a cryptocurrency firm in 2025, resulting in the theft of millions in cryptocurrency assets.
Attribution of the Attack
The campaign has been attributed with moderate confidence to this state-sponsored group, which is also tracked as Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. The attribution was detailed in Google's H1 2026 Cloud Threat Horizons Report.
Methodology of the Attack
According to reports, the attackers exploited DevOps workflows after infiltrating the cloud environment. They used legitimate processes to extract credentials, escape container limitations, and manipulate Cloud SQL databases to facilitate the cryptocurrency heist.
Execution of the Attack
The attack commenced with social engineering tactics that misled a developer into downloading an archive file under the guise of a collaborative open-source project. This file was subsequently transferred to the company device via AirDrop.
Advancements in the Attack Pipeline
Using an AI-driven Integrated Development Environment (IDE), the developer ran the embedded malicious Python code, which launched a binary posing as the Kubernetes command-line tool. This gave the attackers a backdoor into the corporate system and access to the Google Cloud environment, where they began a reconnaissance phase to gather information on the services in use.
Living-off-the-Cloud Techniques
After identifying a bastion host, the attackers modified its multi-factor authentication (MFA) settings to further their reconnaissance efforts within the Kubernetes landscape. They then adopted a living-off-the-cloud strategy to install persistence mechanisms through alterations in Kubernetes deployment configurations.
Consequences and Recommendations
The attack concluded with the unauthorized withdrawal of substantial amounts in digital assets, emphasizing the vulnerabilities tied to peer-to-peer data transfers, privileged container modes, and poorly managed secrets in cloud environments. Google recommends organizations adopt comprehensive security strategies that validate identities and limit endpoint data transfers, among other precautions.
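The report describes persistence planted through altered Kubernetes deployment configurations and flags privileged container modes as a weakness. The following is an added defender-side example, not code from the report or from Google: it compares a baseline Deployment object (the JSON shape `kubectl get deploy -o json` prints) against its current revision and reports added containers and newly introduced isolation-weakening settings. The manifests, names and images are constructed for illustration.

```python
import json

# Constructed sample Deployment (assumed shape, not from the report): a baseline
# revision and a later revision that weakens isolation and adds a container.
BASELINE = {
    "kind": "Deployment", "metadata": {"name": "wallet-api", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "api", "image": "registry.internal/wallet-api:1.4.2",
                        "securityContext": {"privileged": False}}]}}}}

MODIFIED = json.loads(json.dumps(BASELINE))  # deep copy, then mutate
_pod = MODIFIED["spec"]["template"]["spec"]
_pod["hostPID"] = True
_pod["containers"][0]["securityContext"] = {"privileged": True}
_pod["containers"][0]["volumeMounts"] = [{"name": "host", "mountPath": "/host"}]
_pod["volumes"] = [{"name": "host", "hostPath": {"path": "/"}}]
_pod["containers"].append({"name": "helper", "image": "docker.io/library/busybox:latest"})


def risky_settings(deployment: dict) -> set:
    """Findings that weaken container isolation: host namespaces, hostPath, privileged."""
    pod = deployment["spec"]["template"]["spec"]
    findings = set()
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(key):
            findings.add(f"pod:{key}")
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            findings.add(f"volume:{vol['name']}:hostPath={vol['hostPath']['path']}")
    for ctr in pod.get("containers", []):
        if ctr.get("securityContext", {}).get("privileged"):
            findings.add(f"container:{ctr['name']}:privileged")
    return findings


def drift(baseline: dict, current: dict) -> dict:
    """Report container additions, image changes and new risky settings between revisions."""
    base = {c["name"]: c["image"] for c in baseline["spec"]["template"]["spec"]["containers"]}
    cur = {c["name"]: c["image"] for c in current["spec"]["template"]["spec"]["containers"]}
    return {
        "added_containers": sorted(set(cur) - set(base)),
        "changed_images": sorted(n for n in base if n in cur and base[n] != cur[n]),
        "new_risky_settings": sorted(risky_settings(current) - risky_settings(baseline)),
    }


if __name__ == "__main__":
    print(json.dumps(drift(BASELINE, MODIFIED), indent=2))
```

Running this against the live object store (or admission-controller audit logs) rather than an in-memory copy turns it into a drift alert for workloads that should never change outside a reviewed pipeline.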