A North Korean threat actor, UNC4899, launched a sophisticated attack on a cryptocurrency firm in 2025, stealing millions in digital assets. The hackers tricked a developer into downloading a seemingly legitimate archive as part of an open-source collaboration.
The developer transferred it to a corporate device using AirDrop. As a result, the embedded malicious Python code executed a binary masquerading as a Kubernetes command-line tool. This backdoor enabled attackers to pivot to the cloud, harvest credentials, and manipulate critical infrastructure.
Google Cloud described the attack as a mix of “social engineering, exploitation of personal-to-corporate device peer-to-peer data transfer mechanisms, workflows, and eventual pivot to the cloud to employ living-off-the-cloud (LOTC) techniques.”
https://coinedition.com/north-korean-hackers-exploit-dev-device-steal-millions-in-crypto/
Posted by Green_Candler