The North Korean hacker group UNC4899 successfully infiltrated the cloud systems of cryptocurrency asset companies by impersonating recruiters.

North Korean-backed hacker groups have elevated the art of online fraud to a whole new level by impersonating freelance IT recruiters to infiltrate the cloud systems of the cryptocurrency sector. According to the latest reports from Google Cloud and cybersecurity company Wiz, these sophisticated attacks have led to the theft of billions of dollars in cryptocurrency assets, making North Korea the leading country in cryptocurrency asset attacks.

Google Cloud's Cloud Threat Horizons report H2/2025 reveals that Google Threat Intelligence Group is actively monitoring the hacker group UNC4899, which successfully infiltrated two companies by approaching employees via social media. In both cases, UNC4899 gave the employees job-related tasks that led them to unknowingly run malware on their work computers, which gave the attackers a foothold into the target company's cloud environment.

Jamie Collier, Threat Intelligence Advisor for Europe at Google Threat Intelligence Group, stated that recruitment-themed lures have become a highly sophisticated tactic of North Korean hacker groups. They often impersonate recruiters, journalists, academics, or university professors when contacting targets and frequently engage in multiple exchanges to build a trusting relationship with the victims before delivering anything malicious.

Exploiting AI technology and attacking cloud systems

Even more concerning is that North Korean threat actors are among the first groups to adopt artificial intelligence, using it to write more persuasive outreach emails and to develop malicious code. Collier emphasized that North Korea's active use of AI amplifies its capabilities exponentially, allowing it to significantly scale up its attack campaigns.

The security company Wiz reported in detail on the activities of UNC4899, also known as TraderTraitor, Jade Sleet, and Slow Pisces. TraderTraitor is not a specific group but a cluster of threat activity, often carried out by North Korean-backed organizations such as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.

According to Wiz's analysis, the campaign began in 2020, using job recruitment lures to trick employees into downloading malicious cryptocurrency applications written in JavaScript and Node.js. From 2020 to 2022, this campaign successfully infiltrated many organizations; it included the Lazarus Group's attack on Axie Infinity's Ronin Network, which caused $620 million in damages.

Benjamin Read, Director of Strategic Intelligence at Wiz, explained that TraderTraitor focuses on exploiting vulnerabilities related to the cloud because that is where data and money are stored. This is especially true in the cryptocurrency sector, where many startups often build infrastructure with a cloud-first approach, creating weaknesses that hackers can exploit.

Notably, this group is behind the $305 million hack at Japan's DMM Bitcoin exchange, as well as the $1.5 billion attack on Bybit at the end of 2024. These groups are operating like an organized industry, with an estimated $1.6 billion in cryptocurrency assets stolen in 2025 to date.

Read stated that groups like TraderTraitor could have thousands of participants, divided into many overlapping operational groups. According to a report from TRM Labs in February 2025, North Korea accounted for up to 35% of the total stolen cryptocurrency assets in 2024, affirming their leading global position in cryptocurrency asset attacks.

Collier from Google noted that North Korean threat actors are a flexible and dynamic force, continuously adjusting to serve the strategic and financial goals of the regime. He also emphasized that there are no signs indicating they will stop, and predicts that the scale of attacks will continue to expand in the near future.