- UNC4899 tricked a developer via AirDrop, pivoted to the cloud, and stole millions in cryptocurrency.
- Hackers exploited Kubernetes, altered MFA settings, and accessed sensitive databases to steal digital assets.
- North Korea-linked groups increasingly use AI malware and fake freelancers to target blockchain developers.
A North Korean threat actor, UNC4899, launched a sophisticated attack on a cryptocurrency firm in 2025, stealing millions in digital assets. The hackers tricked a developer into downloading a seemingly legitimate archive as part of an open-source collaboration.
The developer transferred it to a corporate device using AirDrop. As a result, the embedded malicious Python code executed a binary masquerading as a Kubernetes command-line tool. This backdoor enabled attackers to pivot to the cloud, harvest credentials, and manipulate critical infrastructure.
Google Cloud described the attack as a mix of “social engineering, exploitation of personal-to-corporate device peer-to-peer data transfer mechanisms, workflows, and eventual pivot to the cloud to employ living-off-the-cloud (LOTC) techniques.”
Cloud Attackers Drain Crypto via Kubernetes
Once UNC4899 got inside the system, they explored the company’s Kubernetes setup and used stolen service account tokens to gain higher-level access. They even changed multi-factor authentication settings to make entry easier. The hackers then reached sensitive parts of the system that handled network controls and customer information, including cryptocurrency wallets.
Next, they grabbed database login details stored insecurely in the system, accessed the production database, and made changes to user accounts. This included resetting passwords and updating MFA codes for high-value accounts. In the end, the attackers were able to withdraw several million dollars in digital currency.
Related: Crypto Laundering Network Used $107M in USDT to Influence Moldova Elections
UNC4899 also targeted the company’s automated development processes to stay hidden in the cloud. They planted commands in Kubernetes deployments so that every time a new pod started, it automatically downloaded a backdoor.
Google suggests that companies keep cloud environments strictly separated, limit peer-to-peer file sharing, and watch for unusual activity in containers. Additionally, organizations should use phishing-resistant multi-factor authentication and strong secrets management to reduce the risk of a breach.
Broader North Korean Cyber Activity
Other North Korea-related groups, such as Konni, are using AI-generated malware with the help of PowerShell to target blockchain developers. These attackers send malicious Discord messages with malware that can steal money and data.
Reports show that over $16.5 million went to North Korean IT workers pretending to be legitimate freelancers in 2025 alone. This shows how risky hiring practices can be and highlights the need for stronger background checks and better cybersecurity awareness.
Related: U.S. DOJ To Retry Tornado Cash Co-Founder Roman Storm This Fall
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/north-korean-hackers-exploit-dev-device-steal-millions-in-crypto/
