The Hacker News reports that the North Korean threat actor UNC4899 is suspected to be behind a sophisticated cloud compromise campaign targeting a cryptocurrency organisation in 2025 to steal millions of dollars in cryptocurrency. The activity is attributed with moderate confidence to a state-sponsored adversary also tracked under the cryptonyms Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor.
According to Google Cloud, the incident began with social engineering to persuade a developer to download an archive file, which the developer then transferred to their company device over AirDrop. Using an AI-assisted IDE, the victim opened the archive, executed embedded Python code, and launched a backdoor masquerading as the Kubernetes command-line tool, enabling initial access and reconnaissance.
The attackers then pivoted to the cloud, altered Kubernetes deployment configurations to enable persistence, and ultimately withdrew several million dollars in digital assets, with the operation exploiting P2P data transfers and other data bridges to move laterally and access Cloud SQL. The report emphasises the risks of personal-to-corporate file transfers and inadequate secrets handling in cloud environments, urging strengthened identity validation, phishing-resistant MFA, trusted images, and stricter isolation.
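One defensive check that the report's recommendations (trusted images, scrutiny of Kubernetes deployment changes used for persistence) point to, given here as an added example that is not part of the article or of Google Cloud's report: a small Python routine that scans Kubernetes audit-log events for Deployment writes introducing container images from outside an allowlisted registry. The registry name, usernames and audit events are constructed for illustration.

```python
import json

# Registries allowed to supply workload images (assumption: illustrative value).
TRUSTED_REGISTRIES = ("registry.example.internal/",)

# Constructed Kubernetes audit events (not real logs); only the fields used below are kept.
SAMPLE_AUDIT_EVENTS = [
    json.dumps({"verb": "update", "user": {"username": "ci-deployer@example"},
                "objectRef": {"resource": "deployments", "namespace": "payments", "name": "api"},
                "requestObject": {"spec": {"template": {"spec": {"containers": [
                    {"name": "api", "image": "registry.example.internal/payments/api:1.4.2"}]}}}}}),
    json.dumps({"verb": "patch", "user": {"username": "dev-laptop@example"},
                "objectRef": {"resource": "deployments", "namespace": "payments", "name": "api"},
                "requestObject": {"spec": {"template": {"spec": {"containers": [
                    {"name": "api", "image": "registry.example.internal/payments/api:1.4.2"},
                    {"name": "sidecar", "image": "docker.io/someuser/helper:latest"}]}}}}}),
    json.dumps({"verb": "get", "user": {"username": "dev-laptop@example"},
                "objectRef": {"resource": "deployments", "namespace": "payments", "name": "api"}}),
]


def images_in_event(event):
    """Collect container and initContainer images from the request body of a Deployment write.
    Note: a JSON-patch body may not carry a full pod spec; such events yield no images here."""
    try:
        pod_spec = event["requestObject"]["spec"]["template"]["spec"]
    except (KeyError, TypeError):
        return []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [c.get("image", "") for c in containers]


def find_untrusted_deployment_changes(lines, trusted=TRUSTED_REGISTRIES):
    """Return (namespace/name, username, image) for every create/update/patch of a
    Deployment whose request body references an image outside the trusted registries."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if event.get("verb") not in ("create", "update", "patch"):
            continue  # reads are not persistence attempts
        ref = event.get("objectRef", {})
        if ref.get("resource") != "deployments":
            continue
        for image in images_in_event(event):
            if not image.startswith(trusted):
                findings.append((f"{ref.get('namespace')}/{ref.get('name')}",
                                 event.get("user", {}).get("username"), image))
    return findings


if __name__ == "__main__":
    for finding in find_untrusted_deployment_changes(SAMPLE_AUDIT_EVENTS):
        print("untrusted image in Deployment write:", finding)
```

Audit-log review of this kind complements, rather than replaces, an admission control that rejects untrusted images before they are scheduled.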