A North Korean state-sponsored threat actor, UNC4899 (also known as Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor), carried out a highly targeted 2025 attack on a cryptocurrency organization, resulting in the theft of millions of dollars in digital assets, according to Google Cloud’s H1 2026 Cloud Threat Horizons Report.
Attack Overview
Initial Vector: A developer was socially engineered into downloading a malicious archive as part of a fake open-source collaboration and then transferred it to a corporate device via AirDrop.
Execution: Interaction with the archive in an AI-assisted IDE ran Python code that deployed a binary masquerading as the Kubernetes CLI, establishing a backdoor.
Cloud Pivot: The attackers leveraged authenticated sessions and DevOps workflows to access the cloud, where they performed reconnaissance, modified bastion host MFA policies, and altered Kubernetes deployment configurations to maintain persistence (Living-off-the-Cloud techniques).
Privilege Escalation & Lateral Movement: High-privileged CI/CD service account tokens were stolen, enabling container escapes, backdoor deployment, and further access to sensitive pods.
Database & Financial Impact: Static database credentials were exfiltrated, giving attackers access to production databases via Cloud SQL Auth Proxy. Several high-value accounts were modified—passwords reset, MFA seeds updated—culminating in the withdrawal of millions in cryptocurrency.
Key Security Insights
Risk Factors Highlighted: Personal-to-corporate P2P file transfers, privileged container modes, and unsecured secrets in cloud environments.
Recommended Mitigations:
Phishing-resistant MFA and context-aware access controls
Strict container isolation and trusted image enforcement
Monitoring for anomalous container processes
Robust secrets management
Disabling AirDrop, Bluetooth, and unmanaged media on corporate devices
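As an added example (not code from the report or from Google Cloud), a small audit over Kubernetes pod manifests in dict form that flags the risk factors named above: privileged containers, hostPath mounts, auto-mounted service account tokens, and images not pinned by digest to a trusted registry. The registry name and the two sample manifests are assumptions constructed for the demonstration.

```python
# Assumption: the organisation only pulls images from this registry.
TRUSTED_REGISTRIES = ("registry.example.internal/",)


def audit_pod(pod: dict) -> list[str]:
    """Return a list of findings for one pod manifest (dict form)."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})

    # Service account tokens are mounted by default; a stolen high-privilege
    # token is what let the attackers move beyond the first compromised pod.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted")

    # hostPath volumes expose the node filesystem and undermine isolation.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume {vol.get('name')}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not disabled")
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(f"{name}/{cname}: image {image!r} not from a trusted registry")
        if "@sha256:" not in image:
            findings.append(f"{name}/{cname}: image not pinned by digest")
    return findings


# Constructed sample manifests: a CI/CD runner with the weak settings, and a
# hardened equivalent of the same runner.
RISKY_POD = {
    "metadata": {"name": "ci-runner"},
    "spec": {
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "runner", "image": "docker.io/library/ubuntu:22.04",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "metadata": {"name": "ci-runner"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "runner",
                        "image": "registry.example.internal/ci/runner@sha256:" + "0" * 64,
                        "securityContext": {"privileged": False,
                                            "allowPrivilegeEscalation": False}}],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        for line in audit_pod(pod) or [f"{pod['metadata']['name']}: no findings"]:
            print(line)
```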
This incident illustrates the growing sophistication of state-sponsored cloud attacks, blending social engineering, endpoint compromise, and cloud-native exploitation to achieve high-value financial theft.