North Korean hacking groups have long been tied to attacks on the cryptocurrency sector. Most recently, these groups have reportedly been using the lure of freelance IT work to gain access to cloud systems and drain crypto holdings.

According to the most recent report from Google Cloud and security firm Wiz, NK hacking groups have been posting fake remote IT jobs to lure people in and then steal their crypto.

UNC4899, also known as TraderTraitor, is a North Korean hacker group that reportedly has close ties to NK military intelligence and operates under the Reconnaissance General Bureau.

UNC4899 has been tracked as active since 2020 and has targeted the blockchain and crypto sectors using techniques that include social engineering and cloud-specific attacks.

The Google report notes that during the intrusion into a victim’s Google Cloud environment, the malicious actors used credentials stolen from the victim’s host to interact remotely with Google Cloud.

UNC4899 opens a backdoor by fooling job seekers

Google Cloud’s H2 2025 Cloud Threat Horizons report notes that UNC4899 managed to compromise employees at different organizations, one using Google Cloud and the other using Amazon Web Services.

The bad actors posed as freelance job recruiters and reached out to employees of the companies over Telegram and LinkedIn.

After establishing contact, the members of the hacker group convinced the victims to run malicious Docker containers on their workstations.

As per the report, this led to the execution of downloaders such as GLASSCANNON and secondary payloads including the backdoors PLOTTWIST and MAZEWIRE, before finally establishing connections to actor-controlled command-and-control infrastructure.

Several days after malicious actors initially contacted the victims through Telegram, UNC4899 successfully withdrew several million worth of crypto.

NK hackers wipe out over $1B in crypto every year 

North Korea-linked hacker groups, especially the state-sponsored Lazarus Group, are responsible for stealing over $1 billion in crypto annually.

According to data from Chainalysis, NK hackers stole approximately $1.34 billion in 2024 across 47 different theft incidents, accounting for 61% of all crypto thefts worldwide.

In 2025, hackers linked to the DPRK were responsible for nearly $1.6 billion, driven mainly by a record-breaking $1.5 billion hack of Bybit, a centralized crypto exchange.

Over the past few years, hackers from North Korea have continued to trouble the wider crypto market, amid claims that the NK government and its agencies are backing these hacker groups.
