July 24th - Security incident post-mortem
2025-08-19 • Woo X
https://woox.io/blog/july-24th-security-incident-post-mortem
WOO X attributed a July 24, 2025 cryptocurrency-theft incident to suspected North Korea-linked activity, initially citing evidence pointing to UNC4899 and later assessing that either UNC4899 or UNC5565 was involved. The intrusion began when a developer accepted an open-source collaboration request, ran the malicious project on a company MacBook, and unknowingly installed a hidden backdoor. Using the developer's compromised VPN session, the actor accessed GCP and GKE, reconnoitered the Argo CD and Apollo infrastructure, deployed malicious pods, extracted Kubernetes service account and database credentials, and maintained access to production. On July 24 the actor changed the emails, passwords, and 2FA seeds of nine high-value accounts and initiated $14 million in unauthorized withdrawals across Bitcoin, Ethereum, BNB, and Arbitrum before WOO X contained the activity. The case reinforces the DPRK-linked pattern of combining developer social engineering with cloud and Kubernetes intrusion paths to reach cryptocurrency assets.