North Korean threat actor UNC4899 (Jade Sleet, PUKCHONG, Slow Pisces, TraderTraitor) compromised a cryptocurrency organization in 2025. The attack began with social engineering to trick a developer into downloading a malicious file, which was then AirDropped to a corporate device. The attackers exploited DevOps workflows, harvested credentials, tampered with Cloud SQL databases, and ultimately stole millions of dollars in cryptocurrency.
Initial Access
Deceptive Download Lure
confirmed
Threat actors used social engineering tactics to deceive a developer into downloading a malicious archive file, disguised as part of a legitimate software update or project from a third-party source.
Defender cut points
User awareness training
Email filtering
Web content filtering
Endpoint detection and response (EDR)