
UNC4899 breached crypto firm after developer AirDropped trojanized file to work device

Peter Chofield

The North Korea-linked threat actor UNC4899 is suspected of breaching a cryptocurrency organization in 2025 after a developer transferred a trojanized file to a work device, leading to a cloud compromise and the theft of millions of dollars in cryptocurrency. The activity was attributed with moderate confidence to the state-sponsored actor, which is also tracked as Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor.

According to the report, the intrusion began when a developer AirDropped a malicious file to a company device, giving the attackers a foothold that ultimately enabled access to the victim’s cloud environment. The compromise then progressed into a broader cloud intrusion that ended with the theft of cryptocurrency assets.

The researchers said the victim was a cryptocurrency organization and described the campaign as part of North Korea’s ongoing effort to target the sector for financial gain. The operation combined social engineering, workstation compromise, and cloud access in a sequence designed to move from an employee device to high-value assets.

The latest case adds to Cyberwarzone’s earlier coverage of crypto-focused intrusions, including the Trust Wallet browser-extension compromise that drained funds from thousands of users, and broader North Korea-linked intrusion activity such as the Lazarus remote-worker infiltration scheme.

The report said UNC4899 was linked to the incident with moderate confidence and that the compromise resulted in the theft of millions of dollars in cryptocurrency. The combination of a trojanized file, developer device access, and follow-on cloud compromise reflects a targeted intrusion chain rather than opportunistic theft.