North Korean hackers UNC4899 weaponized AirDrop and Kubernetes to siphon millions from a crypto firm’s cloud infrastructure—a case study in how personal devices become corporate vulnerabilities.
The North Korean threat actor UNC4899 (also known as Jade Sleet, PUKCHONG, Slow Pisces, TraderTraitor) executed a multi-stage cloud breach targeting a cryptocurrency organization in 2025, stealing millions in digital assets. Google noted in its H1 2026 Cloud Threat Horizons Report:
"This incident is notable for its blend of social engineering, exploitation of personal-to-corporate device peer-to-peer (P2P) data transfer mechanisms, workflows, and eventual pivot to the cloud to employ living-off-the-cloud (LOTC) techniques."
Attackers used social engineering to trick a developer into downloading a malicious archive, which was later transferred to a corporate workstation via AirDrop.
The malicious Python code embedded in the archive masqueraded as a Kubernetes CLI tool, establishing a backdoor to the corporate machine and pivoting to the Google Cloud environment.
Attackers modified Kubernetes deployment configurations to execute persistent backdoors, stole high-privileged CI/CD service account tokens, and exploited insecurely stored database credentials to access production databases.
Google advised organizations to adopt a defense-in-depth strategy, including context-aware access, phishing-resistant MFA, trusted image deployment, and disabling peer-to-peer file sharing on corporate devices. The report emphasized:
"Organizations should adopt a defense-in-depth strategy that rigorously validates identity, restricts data transfer on endpoints, and enforces strict isolation within cloud runtime environments to limit the blast radius of an intrusion event."
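One concrete form of the "trusted image deployment" control is a pre-deploy check that rejects workload manifests whose containers do not come from an allowlisted registry, are not pinned by digest, or override the image's entrypoint. The code below is an added example, not from Google's report or the article; the registry name and the sample Deployment are constructed.

```python
"""Check a Kubernetes workload manifest against a trusted-image policy.

Added example: flags containers that are not pinned by digest to an
allowlisted registry, or that override the image command/args. A
tampered Deployment like the one described in the report would fail
this check before the scheduler ever runs it.
"""
import re

# Assumption: production only deploys images from this registry path.
TRUSTED_REGISTRIES = ("us-docker.pkg.dev/example-prod/",)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_manifest(manifest: dict) -> list:
    """Return (container_name, reason) findings for one Deployment-like object."""
    findings = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append((name, f"image {image!r} is not from a trusted registry"))
        if not DIGEST_RE.search(image):
            findings.append((name, f"image {image!r} is not pinned by digest"))
        # An entrypoint override can make a legitimate image run attacker-supplied code,
        # so it is flagged for review even when the image itself is trusted.
        if c.get("command") or c.get("args"):
            findings.append((name, "command/args override present"))
    return findings


# Constructed sample: one compliant container and one that would be rejected.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "api",
         "image": "us-docker.pkg.dev/example-prod/api@sha256:" + "0" * 64},
        {"name": "debug",
         "image": "docker.io/library/python:3.12",
         "command": ["python", "/opt/tool/main.py"]},
    ]}}},
}

if __name__ == "__main__":
    for container, reason in check_manifest(SAMPLE_DEPLOYMENT):
        print(f"REJECT {container}: {reason}")
```

The same logic belongs in an admission controller or CI gate so that a modified Deployment is blocked rather than merely reported.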
Source: Thehackernews