North Korean IT Workers: The Crypto Con Artists 🕵️‍♂️💻💰

It is a well-known fact that North Korean IT workers, with a flair for the dramatic, are now using fake identities to infiltrate crypto firms and steal millions of dollars' worth of digital assets through remote job scams, according to cybersecurity researchers at Google Cloud and Wiz. Who knew that the path to riches lay in pretending to be someone else on LinkedIn? 🤷‍♂️

  • North Korean threat actor UNC4899 operatives are increasingly targeting crypto companies, because why not?
  • Both Google Cloud and AWS environments have been exploited by the group in multi-million dollar crypto thefts. It’s like robbing a bank, but without the hassle of a ski mask. 🎉

Separate reports published by the firms have tracked UNC4899, also known as TraderTraitor, a North Korean threat group tied to the country’s military intelligence. Because if you can’t beat them, join them and steal their crypto. 💸

According to Google Cloud’s H2 2025 Cloud Threat Horizons Report, UNC4899 operates under the Reconnaissance General Bureau, North Korea’s main foreign intelligence agency. It’s like a spy novel, but with more blockchain and fewer martinis. 🍸

The group has remained active since at least 2020, focusing on the blockchain and cryptocurrency sectors while leveraging advanced social engineering tactics and cloud-specific attack techniques. They’re basically the tech-savvy ninjas of the cyber world. 🥋

How did UNC4899 infiltrate cloud environments?

Google described two separate incidents in which UNC4899 compromised employees at different organizations, one using Google Cloud, the other using AWS. In both cases, the hackers posed as freelance job recruiters and approached employees over LinkedIn or Telegram. Because who doesn’t love a good job offer, right? 🙌

Once contact was established, they convinced victims to execute malicious Docker containers on their workstations, launching downloaders and backdoors that created links to attacker-controlled infrastructure. It’s like inviting a Trojan horse into your network, only this time, the horse has a USB drive. 🐎

Within days, the group moved laterally through internal networks, collected credentials, and identified infrastructure used to handle crypto transactions. It’s a digital heist, and they’re the masterminds. 🧠

In one case, UNC4899 was able to disable multi-factor authentication on a privileged Google Cloud account to access wallet-related services. After stealing crypto worth several million dollars, they re-enabled MFA to evade detection. It’s like robbing a safe and then politely locking it behind you. 🤭

In a separate AWS-related incident, the attackers used stolen long-term access keys but faced restrictions due to the victim’s enforced use of temporary credentials and MFA policies. They bypassed these defenses by stealing session cookies, which allowed them to manipulate JavaScript files stored in AWS S3 buckets. It’s like finding a back door when the front door is locked. 🚪

These files were altered to redirect crypto wallet interactions to addresses controlled by the attackers, leading to another multimillion-dollar theft. It’s the digital equivalent of a bank heist, minus the getaway car. 🚗
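Added here as a defender's illustration of the two patterns described above, not code from Google, Wiz or the reports they published: a small detector over constructed, normalized audit events that flags MFA being disabled and re-enabled on the same account within a short window, and writes to JavaScript objects in a production bucket by any principal other than the deployment pipeline. The event schema, bucket name and principal names are assumptions, not a real GCP or AWS log format.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed, normalized audit events (not a real GCP/AWS log schema).
@dataclass(frozen=True)
class Event:
    ts: datetime
    principal: str   # who acted
    action: str      # "mfa.disable", "mfa.enable", "object.write", ...
    target: str      # account affected, or object written

def mfa_toggle_windows(events, max_gap_hours=48):
    """Flag MFA disabled and then re-enabled on the same account within
    max_gap_hours. Returns (principal who disabled, account, gap in hours)."""
    pending, findings = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "mfa.disable":
            pending[e.target] = e
        elif e.action == "mfa.enable" and e.target in pending:
            disabled = pending.pop(e.target)
            gap_h = (e.ts - disabled.ts).total_seconds() / 3600
            if gap_h <= max_gap_hours:
                findings.append((disabled.principal, e.target, round(gap_h, 1)))
    return findings

def unexpected_js_writes(events, allowed_writers, bucket="s3://prod-web-assets/"):
    """Writes to .js objects in the production bucket by anyone but the CI identity."""
    return [e for e in sorted(events, key=lambda e: e.ts)
            if e.action == "object.write"
            and e.target.startswith(bucket)
            and e.target.endswith(".js")
            and e.principal not in allowed_writers]

ALLOWED_WRITERS = {"deploy-pipeline"}   # assumed CI identity

T = datetime   # constructed sample timeline
SAMPLE_EVENTS = [
    Event(T(2025, 6, 1, 2, 10), "ops-lead@example.test", "mfa.disable", "ops-lead@example.test"),
    Event(T(2025, 6, 1, 2, 30), "ops-lead@example.test", "wallet.api.call", "wallet-service"),
    Event(T(2025, 6, 1, 7, 10), "ops-lead@example.test", "mfa.enable", "ops-lead@example.test"),
    Event(T(2025, 6, 2, 9, 0), "deploy-pipeline", "object.write", "s3://prod-web-assets/app.js"),
    Event(T(2025, 6, 2, 23, 41), "console-session:ops-lead", "object.write", "s3://prod-web-assets/wallet-connect.js"),
    Event(T(2025, 6, 3, 10, 0), "alice@example.test", "mfa.disable", "alice@example.test"),
    Event(T(2025, 6, 6, 10, 0), "alice@example.test", "mfa.enable", "alice@example.test"),  # 72h later: outside window
]

if __name__ == "__main__":
    print(mfa_toggle_windows(SAMPLE_EVENTS))
    print([e.target for e in unexpected_js_writes(SAMPLE_EVENTS, ALLOWED_WRITERS)])
```

In a real deployment the same logic runs over CloudTrail or Cloud Audit Log exports after mapping provider event names onto these normalized actions, and a window of hours rather than days matters because the re-enable step is what makes the gap easy to miss in a daily review.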

A massive operation

Cloud security firm Wiz also analyzed UNC4899 and published separate findings that align with Google’s. Experts at Wiz noted that the group has gone by multiple aliases, including Jade Sleet, Slow Pisces, and TraderTraitor, with each referring to a broader set of tactics used by different North Korean state-backed entities such as Lazarus Group, BlueNoroff, and APT38. It’s like a who’s who of cybercrime, but with a North Korean twist. 🇰🇵

UNC4899 had been active since 2020, but it wasn’t until 2023 that fake job offers became a central tactic, especially targeting employees at crypto exchanges, the firm said in a recent report. It’s like a job fair, but for the criminally inclined. 🏦

Among the most high-profile breaches attributed to the group are the $305 million hack of Japan’s DMM Bitcoin and the $1.5 billion Bybit breach in late 2024. It’s a lot of money, and a lot of trouble for a few lines of code. 💸

Wiz warned that cloud infrastructure remains a consistent point of entry or exploitation in these attacks, as many crypto firms operate in cloud-first environments with limited on-premise defenses. It’s like leaving your house unlocked and wondering why you got robbed. 🤔

Millions in crypto lost

Estimates of the financial damage vary but remain consistently high. According to Google and Wiz, UNC4899 alone has stolen multiple millions of dollars in each incident, while broader figures compiled by private researchers and government agencies point to even larger losses. It’s a lot of zeros, and a lot of headaches. 😖

A 2024 report from blockchain analytics firm Chainalysis found that North Korean hackers stole $1.34 billion in crypto that year alone. More recently, researchers at Wiz estimated that North Korea-linked threat actors have siphoned off $1.6 billion in digital assets in 2025 as of mid-year. It’s like a digital gold rush, but for the wrong reasons. 🏴‍☠️

Separately, independent blockchain investigator ZachXBT has estimated that between 345 and 920 North Korean operatives may have infiltrated jobs in the crypto industry, collectively receiving over $16 million in salaries since the start of 2025. It’s a living, and they’re making it work. 💼

2025-08-05 10:13