tl;dr

North Korean hacking groups, notably UNC4899, have been using fake freelance IT job offers to infiltrate cloud systems and steal millions in cryptocurrencies. They target employees via social media, install malware on workstations, and access cloud credentials to exploit crypto transaction systems a...

North Korean hacking groups have been exploiting freelance IT job offers as a ploy to infiltrate cloud systems and steal cryptocurrencies valued in the millions, according to research from Google Cloud and security firm Wiz. Google’s H2 2025 Cloud Threat Horizons Report identifies UNC4899, a North Korean hacking unit, as actively targeting companies by contacting employees on social media and assigning tasks that led to malware installation on their workstations. This malware established connections to the companies’ cloud environments, allowing UNC4899 to access credentials and identify systems processing crypto transactions, resulting in multi-million dollar crypto thefts across different cloud platforms, including Google Cloud and AWS.

Jamie Collier of Google Threat Intelligence Group emphasizes that using job lures is a widespread and sophisticated tactic among North Korean hackers, who often masquerade as recruiters, journalists, or academics and engage in prolonged communication to build trust. The adoption of AI technologies enhances their ability to craft convincing correspondence and develop malicious scripts. The cloud security firm Wiz corroborates these findings, noting that UNC4899 is also known as TraderTraitor, Jade Sleet, and Slow Pisces—names associated with North Korea-backed groups like Lazarus Group and APT38. Since 2020, these groups have used job lures to trick employees into downloading malicious crypto applications built with JavaScript and Node.js frameworks, with successful breaches including the Lazarus Group’s $620 million hack of Axie Infinity’s Ronin Network.

Wiz highlights TraderTraitor’s evolution through 2023 and 2024, progressing to the use of malicious open-source code and intensifying fake job offers targeting cryptocurrency exchanges. Notable attacks include the $305 million hack of Japan’s DMM Bitcoin and the $1.5 billion breach of Bybit, both implicating cloud infrastructure vulnerabilities. Benjamin Read of Wiz explains that cloud systems are lucrative targets due to their central role in data and transactional processes, particularly in crypto companies built with a cloud-first approach. He estimates that $1.6 billion in cryptocurrency has been stolen by these groups in 2025 alone, and notes that thousands of operatives are involved, backed by significant North Korean state investment.

The widespread success and continuous innovation in techniques have positioned North Korea as a dominant force in crypto hacking, with reports attributing 35% of all stolen funds in the previous year to the country. Experts predict that these threat actors will remain active and increasingly leverage AI for scaling attacks. Collier states that North Korean hackers’ agility and strategic adaptation show no signs of abating, forecasting ongoing expansion of their crypto-related cybercrime activities.

Disclaimer

The opinions expressed by the writers at Grow My Bag are their own and do not reflect the official stance of Grow My Bag. The content provided on our site is not intended as investment advice, and Grow My Bag is not an investment advisor. We do not endorse buying or selling any cryptocurrencies or digital assets mentioned in our articles. High-risk investments in Bitcoin, cryptocurrencies, and digital assets require thorough due diligence, and all transfers and trades made are at your own risk. Grow My Bag is not responsible for any potential losses and participates in affiliate marketing.