North Korean hackers used Apple’s AirDrop feature and legitimate file transfer utilities to exfiltrate stolen cryptocurrency credentials from compromised macOS systems. That’s the core finding from a March 2026 investigation by Google’s Mandiant team, tracked under the threat group designation UNC4899. The technique is simple, effective, and difficult to detect with conventional endpoint tools. It deserves serious attention from security teams — not because it’s novel in concept, but because it shows how state-sponsored attackers are quietly abusing trusted system features that most defenders overlook entirely.
The details, first reported by The Hacker News, describe a campaign targeting cryptocurrency developers and DeFi project employees. UNC4899 — a cluster linked to North Korea’s Lazarus umbrella — gained initial access through trojanized Python packages distributed via fake job interview lures. This is a well-documented playbook. What’s new is what happened after the initial compromise.
Once inside a target’s macOS environment, the attackers didn’t rely on traditional command-and-control channels to move stolen data out. Instead, they turned to AirDrop — Apple’s peer-to-peer file sharing protocol — to transfer sensitive wallet files and credentials to nearby attacker-controlled Apple devices. They also used legitimate file transfer tools already present on the system, including curl and rsync, to send data to external infrastructure. The combination made exfiltration look like normal user activity.
This matters for a specific reason. Most enterprise detection stacks on macOS are tuned to flag suspicious network connections, unsigned binaries, or anomalous process trees. AirDrop traffic doesn’t trigger those alarms. It operates over Bluetooth Low Energy for device discovery and a proprietary Apple Wireless Direct Link (AWDL) protocol for the actual transfer. It never touches the corporate network in a way traditional monitoring would catch. So unless you’re specifically auditing AirDrop usage — and almost nobody is — the data walks right out.
The scale of losses tied to UNC4899 operations is significant. According to Chainalysis, North Korean-linked groups stole approximately $1.3 billion in cryptocurrency during 2024 alone, and the pace hasn’t slowed. The FBI attributed the $1.5 billion Bybit exchange hack in February 2025 to the TraderTraitor cluster, which overlaps substantially with UNC4899’s operations. These aren’t speculative attributions. They’re backed by on-chain forensics and corroborated by multiple intelligence agencies.
And the targeting is precise. UNC4899 doesn’t spray malware broadly. The group identifies specific developers working on DeFi protocols, approaches them through LinkedIn or Telegram with fake recruiting pitches, and delivers trojanized coding challenges. The Python packages look legitimate. They function as expected. But they contain obfuscated loaders that deploy second-stage payloads designed specifically for macOS credential harvesting.
Here’s what should concern defenders most: the post-compromise tradecraft is evolving faster than detection capabilities. Using AirDrop for exfiltration isn’t something a SIEM will flag. It’s not something EDR vendors have prioritized. Apple doesn’t provide granular enterprise logging for AirDrop transactions in its current MDM framework. You can disable AirDrop via configuration profile, and frankly, that’s the only reliable mitigation right now.
But many organizations don’t. Especially in the crypto and Web3 space, where developer culture resists restrictive device management policies. Developers want flexibility. They use personal Apple devices or lightly managed corporate machines. That cultural norm is exactly what UNC4899 exploits.
The use of curl and rsync for exfiltration is less surprising but equally instructive. These are standard Unix utilities present on every macOS installation. Blocking them isn’t practical. Detecting their misuse requires behavioral baselines — knowing what normal curl activity looks like for a given user and flagging deviations. Few organizations have that level of visibility on macOS endpoints, particularly smaller crypto firms that are UNC4899’s preferred targets.
Mandiant’s analysis, referenced in the Hacker News report, emphasized that the group’s operational security has improved markedly. They’re rotating infrastructure faster, compartmentalizing operations, and using legitimate services to blend in. The Python supply chain vector alone has been documented in multiple campaigns since 2023, as tracked by Palo Alto Networks’ Unit 42 and Microsoft Threat Intelligence.
None of this is theoretical. Real money — billions of dollars — has moved from Western crypto firms to North Korean state coffers. The U.S. Treasury’s Office of Foreign Assets Control has sanctioned multiple wallets and entities tied to these operations. The UN Panel of Experts on North Korea has documented how stolen crypto funds North Korean weapons programs. The financial and geopolitical stakes are concrete.
So what should security teams actually do? First, disable AirDrop on all managed devices where it isn’t explicitly needed. No exceptions. Second, implement allowlisting or at minimum behavioral monitoring for command-line file transfer tools on macOS. Third, treat any unsolicited recruiting outreach to developers as a potential attack vector and train staff accordingly. Fourth, deploy application-layer logging that captures outbound data transfers regardless of protocol. And fifth, assume that macOS is a first-class target — because for North Korean operators, it clearly is.
The broader lesson here isn’t about one technique. It’s about the gap between where attackers operate and where defenders focus. Most security investment still flows toward Windows and cloud infrastructure. macOS remains undertooled and undermonitored in most organizations. UNC4899 knows this. They’ve built an entire operational model around exploiting it. Until that gap closes, expect more of the same — trusted features turned into weapons, legitimate tools repurposed for theft, and billions in losses that could have been prevented with basic controls applied consistently.


WebProNews is an iEntry Publication