    North Korean IT workers are using remote jobs to infiltrate crypto companies: report

    By Isabella Taylor | August 5, 2025
    North Korean IT workers are using fake identities to infiltrate crypto firms and steal millions worth of digital assets through remote job scams, cybersecurity researchers at Google Cloud and Wiz have warned.

    Summary

    • North Korean threat actor UNC4899 operatives are increasingly targeting crypto companies.
    • Both Google Cloud and AWS environments have been exploited by the group in multi-million dollar crypto thefts.

    Separate reports published by the firms have tracked UNC4899, also known as TraderTraitor, a North Korean threat group tied to the country’s military intelligence.

    According to Google Cloud’s H2 2025 Cloud Threat Horizons Report, UNC4899 operates under the Reconnaissance General Bureau, North Korea’s main foreign intelligence agency.

    The group has remained active since at least 2020, focusing on the blockchain and cryptocurrency sectors while leveraging advanced social engineering tactics and cloud-specific attack techniques.

    How did UNC4899 infiltrate cloud environments?

    Google described two separate incidents in which UNC4899 compromised employees at different organizations—one using Google Cloud, the other using AWS. In both cases, the hackers posed as freelance job recruiters and approached employees over LinkedIn or Telegram. 

    Once contact was established, they convinced victims to execute malicious Docker containers on their workstations, launching downloaders and backdoors that created links to attacker-controlled infrastructure.

    Within days, the group moved laterally through internal networks, collected credentials, and identified infrastructure used to handle crypto transactions.

    In one case, UNC4899 was able to disable multi-factor authentication on a privileged Google Cloud account to access wallet-related services. After stealing crypto worth several million dollars, they re-enabled MFA to evade detection.
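For defenders, the disable-then-re-enable pattern described above is itself a detection signal. The following is an added example, not taken from the Google Cloud or Wiz reports: it scans audit records for accounts whose MFA was switched off and back on within a short window and lists what the account did in between. The record layout and the event names (`mfa_disabled`, `mfa_enabled`, `secret_accessed`) are assumptions and the sample data is constructed; map them to your identity provider's real audit log schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit records; field and event names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T02:14:00Z", "account": "wallet-admin@example.com", "event": "mfa_disabled"},
    {"time": "2025-01-10T02:20:00Z", "account": "wallet-admin@example.com", "event": "secret_accessed"},
    {"time": "2025-01-10T02:41:00Z", "account": "wallet-admin@example.com", "event": "mfa_enabled"},
    {"time": "2025-01-10T09:00:00Z", "account": "dev@example.com", "event": "mfa_disabled"},
    {"time": "2025-01-12T09:00:00Z", "account": "dev@example.com", "event": "mfa_enabled"},
    {"time": "2025-01-13T11:30:00Z", "account": "ops@example.com", "event": "mfa_disabled"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_toggles(events, max_gap=timedelta(hours=6)):
    """Return (findings, still_off): short disable/re-enable windows per account,
    and accounts whose MFA was disabled and never re-enabled in the data."""
    findings = []
    open_windows = {}  # account -> (time MFA was disabled, events seen since)
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        acct, name, when = ev["account"], ev["event"], _ts(ev["time"])
        if name == "mfa_disabled":
            open_windows[acct] = (when, [])
        elif acct in open_windows:
            start, seen = open_windows[acct]
            if name == "mfa_enabled":
                # A quick off/on cycle is the suspicious case; slow ones are
                # more likely device changes handled through a help desk.
                if when - start <= max_gap:
                    findings.append({"account": acct, "disabled_at": start,
                                     "reenabled_at": when, "activity": seen})
                del open_windows[acct]
            else:
                seen.append(name)  # activity performed while MFA was off
    return findings, sorted(open_windows)


if __name__ == "__main__":
    hits, still_off = find_mfa_toggles(SAMPLE_EVENTS)
    for hit in hits:
        print(hit["account"], hit["disabled_at"], hit["reenabled_at"], hit["activity"])
    print("MFA still disabled:", still_off)
```
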

    In a separate AWS-related incident, the attackers used stolen long-term access keys but faced restrictions due to the victim’s enforced use of temporary credentials and MFA policies. They bypassed these defenses by stealing session cookies, which allowed them to manipulate JavaScript files stored in AWS S3 buckets. 

    These files were altered to redirect crypto wallet interactions to addresses controlled by the attackers, leading to another multimillion-dollar theft.
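Tampering with bucket-hosted JavaScript can be caught by comparing what is deployed against a manifest recorded at release time. The following is an added example, not taken from either report: it flags modified, unexpected and missing objects, and reports any wallet address in a changed file that is not on a reviewed allowlist. The object keys, the EVM-style address format and the in-memory stand-in for the bucket are assumptions, and the sample data is constructed.

```python
import hashlib
import re

# Assumption: EVM-style addresses (0x + 40 hex chars); adapt for other chains.
ADDRESS_RE = re.compile(rb"0x[0-9a-fA-F]{40}")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def audit_bucket(deployed, manifest, known_addresses):
    """Compare deployed objects (key -> bytes) with a release manifest (key -> sha256)."""
    report = {"modified": [], "unexpected": [], "missing": [], "unknown_addresses": {}}
    for key, body in sorted(deployed.items()):
        if key not in manifest:
            report["unexpected"].append(key)
        elif sha256_hex(body) != manifest[key]:
            report["modified"].append(key)
        else:
            continue  # content matches the reviewed release
        # For anything that changed, surface addresses outside the allowlist.
        found = {m.decode().lower() for m in ADDRESS_RE.findall(body)}
        extra = sorted(found - known_addresses)
        if extra:
            report["unknown_addresses"][key] = extra
    report["missing"] = sorted(set(manifest) - set(deployed))
    return report


# Constructed sample data standing in for a release build and a bucket listing.
GOOD_ADDR = "0x" + "a1" * 20
ROGUE_ADDR = "0x" + "b2" * 20
RELEASED = {
    "js/wallet.js": f'const TREASURY = "{GOOD_ADDR}";'.encode(),
    "js/ui.js": b"export const theme = 'dark';",
}
MANIFEST = {key: sha256_hex(body) for key, body in RELEASED.items()}
DEPLOYED = {
    "js/wallet.js": f'const TREASURY = "{ROGUE_ADDR}";'.encode(),
    "js/ui.js": RELEASED["js/ui.js"],
}
REPORT = audit_bucket(DEPLOYED, MANIFEST, {GOOD_ADDR})

if __name__ == "__main__":
    print(REPORT)
```

The manifest and the allowlist need to be stored outside the account that serves the files, so that a session able to write to the bucket cannot also rewrite the baseline.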

    A massive operation

    Cloud security firm Wiz also analyzed UNC4899 and published separate findings that align with Google’s.

    Experts at Wiz noted that the group has gone by multiple aliases, including Jade Sleet, Slow Pisces, and TraderTraitor, with each referring to a broader set of tactics used by different North Korean state-backed entities such as Lazarus Group, BlueNoroff, and APT38.

    UNC4899 had been active since 2020, but it wasn’t until 2023 that fake job offers became a central tactic, especially targeting employees at crypto exchanges, the firm said in a recent report.

    Among the most high-profile breaches attributed to the group are the $305 million hack of Japan’s DMM Bitcoin and the $1.5 billion Bybit breach in late 2024. 

    Wiz warned that cloud infrastructure remains a consistent point of entry or exploitation in these attacks, as many crypto firms operate in cloud-first environments with limited on-premise defenses.

    Millions in crypto lost

    Estimates of the financial damage vary but remain consistently high. According to Google and Wiz, UNC4899 alone has stolen multiple millions of dollars in each incident, while broader figures compiled by private researchers and government agencies point to even larger losses.

    A 2024 report from blockchain analytics firm Chainalysis found that North Korean hackers stole $1.34 billion in crypto that year alone. More recently, researchers at Wiz estimated that North Korea-linked threat actors have siphoned off $1.6 billion in digital assets in 2025 as of mid-year.

    Separately, independent blockchain investigator ZachXBT has estimated that between 345 and 920 North Korean operatives may have infiltrated jobs in the crypto industry, collectively receiving over $16 million in salaries since the start of 2025.


