
North Korean Cybercriminals Employ Deceptive Job Ads to Infiltrate Cloud Servers, Pocketing Cryptocurrency Worth Billions

North Korean cyber operatives infiltrated cryptocurrency companies' cloud networks by posing as IT job candidates and deploying malware, successfully swiping billions of dollars in digital assets this year.

North Korean cybercriminals employ fraudulent job listings to infiltrate cloud infrastructure, pilfering billions in digital currencies.


North Korean Hacking Group UNC4899, Also Known as TraderTraitor, Steals Millions in Crypto Through Cloud Exploits

The North Korean hacking group UNC4899, also known as TraderTraitor, has been active since at least 2020 and specializes in targeting the cryptocurrency and blockchain industry globally. This group has been responsible for some of the largest crypto heists in recent years, with estimates suggesting that over $1.6 billion in cryptocurrency has been stolen so far in 2025 by TraderTraitor and related groups.

UNC4899 has been using advanced social engineering techniques, notably fake job offers and freelance recruiter identities on platforms like LinkedIn and Telegram, to trick employees into running malicious Docker containers on their workstations. This initial infiltration grants them access to sensitive cloud infrastructure, notably on Google Cloud and AWS, allowing them to steal credentials and operate laterally inside victim networks.

The group's primary attack technique involves exploiting cloud services by compromising privileged accounts, disabling multi-factor authentication temporarily to avoid detection when accessing crypto wallets or transaction services, and manipulating session cookies and JavaScript files to redirect cryptocurrency transactions to attacker-controlled wallets.
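The "disable MFA, act, re-enable MFA" pattern described above is visible in audit logs if the enable and disable events are correlated. As an added example (not from the article or from any vendor report), the following Python detection rule runs over constructed, vendor-neutral audit events and flags a privileged account whose MFA is switched off and back on within a short window, listing any wallet actions taken in between. Event names, account names and the log shape are invented for illustration and do not match a real Google Cloud or AWS schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, actor, action, target).
# This is NOT a real cloud-provider log format; it is invented for the example.
SAMPLE_EVENTS = [
    ("2025-07-01T09:00:00", "ops-admin", "mfa.disable", "ops-admin"),
    ("2025-07-01T09:04:00", "ops-admin", "wallet.sign_transaction", "hot-wallet-1"),
    ("2025-07-01T09:09:00", "ops-admin", "mfa.enable", "ops-admin"),
    # A non-privileged user re-enrolling MFA the next day: outside the rule's scope.
    ("2025-07-01T14:00:00", "dev-user", "mfa.disable", "dev-user"),
    ("2025-07-02T10:30:00", "dev-user", "mfa.enable", "dev-user"),
]

# Hypothetical accounts with access to transaction-processing hosts.
PRIVILEGED = {"ops-admin", "treasury-svc"}
# Hypothetical action names that touch wallet keys or signing.
SENSITIVE_ACTIONS = {"wallet.sign_transaction", "wallet.export_key"}


def parse(events):
    """Convert ISO-8601 timestamps to datetime and keep the other fields as-is."""
    return [(datetime.fromisoformat(ts), actor, action, target)
            for ts, actor, action, target in events]


def detect_mfa_toggle(events, window=timedelta(hours=1)):
    """Return one alert per privileged account whose MFA was disabled and then
    re-enabled within `window`, including sensitive actions taken while MFA was off."""
    alerts = []
    parsed = sorted(parse(events))
    for i, (t_off, _actor, action, target) in enumerate(parsed):
        if action != "mfa.disable" or target not in PRIVILEGED:
            continue
        sensitive = []
        # Scan forward from the disable event until the window closes.
        for t, actor, act, tgt in parsed[i + 1:]:
            if t - t_off > window:
                break
            if actor == target and act in SENSITIVE_ACTIONS:
                sensitive.append((t.isoformat(), act, tgt))
            if act == "mfa.enable" and tgt == target:
                alerts.append({"account": target,
                               "mfa_off_at": t_off.isoformat(),
                               "mfa_on_at": t.isoformat(),
                               "sensitive_actions": sensitive})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_toggle(SAMPLE_EVENTS):
        print(alert)
```

A disable event with no re-enable inside the window produces no alert here; in production that case deserves its own rule, since a permanently weakened account is its own risk.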

UNC4899 is linked to multiple high-profile crypto thefts totaling over $1.6 billion, including the $620 million breach of Axie Infinity's Ronin Network, the $305 million hack of Japan's DMM Bitcoin, and the $1.5 billion Bybit hack in late 2024. The group operates under North Korea’s Reconnaissance General Bureau (RGB) and is considered the most prolific North Korean hacker group targeting cryptocurrency.

The attacks leverage a combination of sophisticated social engineering to penetrate cloud-first crypto firms, exploitation of cloud computing environments and remote work setups, credential harvesting and lateral movement inside victim networks, and manipulation of cloud security controls to maintain persistence and evade detection.

The impact on the crypto industry has been severe, with billions stolen and growing awareness about the importance of cloud security, employee vigilance, and enhanced protections against insider threats and social engineering. The group’s ability to embed itself using remote job scams and the complexity of cloud environments demonstrates the evolving cybersecurity challenges within the blockchain and crypto sectors.

Google Cloud's H2 2025 Cloud Threat Horizons Report reveals that Google Threat Intelligence Group is "actively tracking" UNC4899. Experts predict that North Korean hackers are likely to remain a fixture in crypto-related hacking for some time to come, especially given their ability to develop new techniques.

  1. Benjamin Read, Wiz's Director of Strategic Threat Intelligence, stated that TraderTraitor focuses on cloud-related exploits because that is where the data and money are, especially in the crypto industry.
  2. The North Korean regime is investing significant resources in these capabilities, making North Korea a leader in crypto hacking.
  3. TraderTraitor represents a particular kind of threat activity; the North Korea-backed entities Lazarus Group, APT38, BlueNoroff, and Stardust Chollima are all behind typical TraderTraitor exploits.
  4. UNC4899 was able to explore the victims' cloud environments, obtaining credential material and ultimately identifying the hosts responsible for processing crypto transactions.
  5. The use of job lures by North Korean hackers is now "quite common and widespread," reflecting a considerable degree of sophistication. North Korean threat actors were among the first to adopt new technologies such as AI, which they use to produce more convincing rapport-building emails and to write their malicious scripts.
  6. The group's campaign from 2020 to 2022 "successfully breached multiple organizations," including Lazarus Group's $620 million breach of Axie Infinity's Ronin Network.
  7. Estimates suggest that $1.6 billion in cryptocurrency has been stolen so far in 2025 by TraderTraitor and related groups.
  8. UNC4899 successfully hacked two unnamed companies in separate incidents, both resulting in the theft of "several millions worth of crypto."
  9. Targeting cloud technologies enables hacking groups to affect a wide range of targets, increasing the potential to make more money.
  10. Google's Collier reiterated that North Korean hackers are increasingly making use of AI, which enables "force multiplication" and has allowed them to scale up their exploits.
  11. TraderTraitor was responsible for the $305 million hack of Japan's DMM Bitcoin and the $1.5 billion Bybit hack in late 2024.
  12. A February TRM Labs report concluded that North Korea accounted for 35% of all funds stolen in crypto-related hacks last year.
  13. These hacks targeted cloud systems, which, according to Wiz, represent a significant vulnerability for crypto.

  1. Despite the reports of millions stolen in cryptocurrency by UNC4899, also known as TraderTraitor, many individuals continue to invest in cryptocurrencies like Bitcoin and Ethereum, indicating a growing faith in the industry.
  2. The sophistication of UNC4899's attacks, such as the use of job lures and advanced social engineering techniques, has highlighted the need for improved cybersecurity measures within the cryptocurrency and finance sectors, particularly in the realm of cloud security.
  3. The use of cloud services has become crucial for many crypto firms, but as demonstrated by UNC4899's exploits, these services also present a significant risk, making it essential to implement robust security measures and controls.
  4. The North Korean regime's substantial investment in crypto hacking capabilities, as demonstrated by groups like UNC4899, has made North Korea a significant player in the global cryptocurrency market, with potential implications for the distribution and use of cryptocurrencies such as Ethereum (ETH) and ICO tokens.
  5. As technology continues to evolve and North Korean hacker groups like UNC4899 adopt new techniques such as AI, it is increasingly important for the crypto industry to stay vigilant and adapt its cybersecurity strategies to counter these evolving threats.
