North Korean Hackers Exploit Cloud Platforms in Sophisticated Crypto Theft Operations


A recently published threat report by Google Cloud has revealed a new cloud-based crypto theft technique linked to a North Korean cyber group. The group, tracked as UNC4899, is believed to be state-sponsored and has been active since at least 2020, with a focus on targeting cryptocurrency-related organizations.

According to the H2 2025 Cloud Threat Horizons report, the group successfully compromised both Google Cloud and Amazon Web Services (AWS) environments, stealing several million dollars’ worth of crypto assets from two separate victims between late 2024 and early 2025.

The attack chain started with social engineering. Posing as freelance developers, the hackers contacted employees via social platforms like Telegram. Victims were tricked into executing malicious Docker containers on their local machines—containers that helped the attackers collect sensitive authentication credentials tied to cloud accounts.

Once inside the cloud environments, the tactics diverged by platform. In the Google Cloud case, the attackers located infrastructure tied to crypto transactions and disabled multi-factor authentication (MFA) on the compromised account, removing a control that could have blocked or flagged their continued use of the stolen credentials. This led to the unauthorized transfer of significant crypto holdings.

In the AWS incident, the attackers ran into stricter access control policies. They worked around them by obtaining temporary credentials through AWS's Security Token Service (STS), short-lived session keys issued to the identity they already controlled. After establishing access and overcoming those identity restrictions, they too exfiltrated large amounts of cryptocurrency.
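The STS pattern above is what a detection engineer would hunt for first. The following is an added example, not code or data from the Google Cloud report: a small triage over constructed CloudTrail records that flags (a) STS credential issuance with no MFA evidence and (b) temporary, ASIA-prefixed keys used from outside trusted egress ranges. The trusted network range, user names, key IDs and role ARN are assumptions, and the MFA check is a simplified heuristic.

```python
"""Triage CloudTrail records for STS temporary-credential abuse.

Constructed example: the records below are invented and only follow the
CloudTrail field names; they are not data from any real incident.
"""
import json
from ipaddress import ip_address, ip_network

# Assumption: egress ranges the organisation considers its own (constructed).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

# STS calls that hand out temporary credentials.
STS_ISSUING_CALLS = {"GetSessionToken", "AssumeRole", "GetFederationToken"}

# Constructed sample records (field names per the CloudTrail schema, values invented).
SAMPLE_RECORDS = [
    {   # 1. Long-term IAM key minting a session token with no MFA device presented
        "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                         "accessKeyId": "AKIAEXAMPLE00000001"},
        "requestParameters": None,
    },
    {   # 2. Resulting temporary key (ASIA prefix) used from outside trusted ranges
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                         "accessKeyId": "ASIAEXAMPLE00000002",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": None,
    },
    {   # 3. Benign: MFA-backed session from a trusted range
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accessKeyId": "ASIAEXAMPLE00000003",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": None,
    },
    {   # 4. Benign: AssumeRole carrying an MFA device serial in the request
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accessKeyId": "AKIAEXAMPLE00000004"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Treasury",
                              "roleSessionName": "alice",
                              "serialNumber": "arn:aws:iam::123456789012:mfa/alice"},
    },
]


def is_temporary_key(access_key_id):
    """STS-issued (temporary) access keys carry the ASIA prefix; long-term IAM keys use AKIA."""
    return access_key_id.startswith("ASIA")


def mfa_attested(record):
    """True if the call presented MFA: the session was MFA-authenticated, or the STS
    request itself carried an MFA device serial. Simplified heuristic (assumption)."""
    identity = record.get("userIdentity", {})
    session_attrs = identity.get("sessionContext", {}).get("attributes", {})
    if session_attrs.get("mfaAuthenticated") == "true":
        return True
    params = record.get("requestParameters") or {}
    return bool(params.get("serialNumber"))


def from_trusted_network(source):
    """Service-originated calls log a hostname instead of an IP; treat those as internal."""
    try:
        addr = ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(records):
    """Return one finding per suspicious pattern matched in each record."""
    findings = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        key = identity.get("accessKeyId", "")
        who = identity.get("userName") or identity.get("arn", "unknown")
        src = rec.get("sourceIPAddress", "")
        base = {"eventName": rec.get("eventName"), "user": who, "sourceIPAddress": src}
        # Pattern 1: temporary credentials minted with no MFA evidence
        if (rec.get("eventSource") == "sts.amazonaws.com"
                and rec.get("eventName") in STS_ISSUING_CALLS
                and not mfa_attested(rec)):
            findings.append({"rule": "sts_issuance_without_mfa", **base})
        # Pattern 2: a temporary key in use from outside trusted egress
        if is_temporary_key(key) and not from_trusted_network(src):
            findings.append({"rule": "temporary_key_from_untrusted_network", **base})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Run as-is to see the two findings from the constructed records; to use it on real data, load the `Records` array from a CloudTrail export and pass it to `triage()`. Pattern 2 is deliberately noisy on its own (any remote worker will trip it), so in practice it is joined with Pattern 1 on the issuing user and key, which is exactly the chain the report describes.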

In all, the campaign netted several million dollars' worth of cryptocurrency across the two victims. Google's security arm, Mandiant, responded to both incidents.

To defend against similar attacks, the report recommends multiple measures. These include enforcing MFA and robust session management, improving detection capabilities across endpoints and cloud workloads, and implementing zero-trust architectures. Google also stresses the importance of protecting software development pipelines to reduce opportunities for manipulation and credential theft.

The findings underscore a growing trend: nation-state actors are adapting traditional social engineering tactics to modern cloud environments, making cloud-native security a critical component of any organization’s defensive strategy.