Fake Job Lures by North Korean Hackers Lead to Major Cryptocurrency Theft from Cloud Systems

North Korean Hacker Tactics Unveiled

A recent analysis from Google Cloud, produced in conjunction with the security research firm Wiz, has unveiled alarming tactics employed by North Korean hacker groups. These operators entice individuals with bogus freelance IT job offers in order to infiltrate cloud platforms and misappropriate millions of dollars in cryptocurrency. The detailed findings, highlighted in Google Cloud’s H2 2025 Cloud Threat Horizons Report, attribute the activity to a hacking unit tracked under the designation UNC4899.

Compromising Security

This group compromised two unnamed organizations by masquerading as prospective employers on social media platforms, ultimately infecting employee workstations with malware.

Once entrenched on those workstations, UNC4899 gained unauthorized access to the organizations’ cloud environments, extracted sensitive credentials, and identified the nodes involved in cryptocurrency transactions. Although the two incidents targeted different businesses using distinct cloud services, Google Cloud and AWS respectively, both resulted in substantial losses, aggregating several million dollars in stolen cryptocurrency.

Deceptive Recruitment Tactics

The deceptive recruitment tactics employed by North Korean hackers are becoming increasingly prevalent and indicate an alarming level of sophistication. Jamie Collier, Lead Threat Intelligence Advisor for Europe at the Google Threat Intelligence Group, remarked on their adeptness at posing as legitimate job recruiters, academics, or subject-matter experts—a strategy that often involves multiple interactions to establish trust before the scheme is executed.

He emphasized that North Korean operatives have swiftly embraced emerging technologies like artificial intelligence, utilizing them to craft convincing communications and sophisticated malicious scripts.

Broader Identity of UNC4899

Additionally, Wiz’s investigation sheds light on UNC4899’s broader identity: the same activity is also tracked under names such as TraderTraitor, Jade Sleet, and Slow Pisces. These designations describe clusters of cyber activity rather than a single discrete group, with multiple entities, such as the Lazarus Group and APT38, linked to TraderTraitor operations.

According to Wiz, operations associated with UNC4899 date back to 2020, when job offers were used to persuade employees into downloading malicious cryptocurrency applications written in JavaScript and Node.js and packaged with the Electron framework.

Evolving Threat Landscape

The threat landscape has evolved since then: in 2023 TraderTraitor adapted its strategy to deploy malicious open-source software and intensified its fake job offer tactics, predominantly targeting cryptocurrency exchanges. Among the significant breaches attributed to these groups are a $305 million theft from Japan’s DMM Bitcoin and a staggering $1.5 billion breach of the Bybit exchange, disclosed in February 2025.

These attacks have increasingly focused on cloud environments, a shift highlighted by Benjamin Read, Wiz’s Director of Strategic Threat Intelligence. According to Read, the move toward cloud-centric targeting follows the flow of data and wealth in the cryptocurrency industry, where young companies typically build their infrastructure cloud-first.

Impact of North Korean Cyber Operations

Estimates suggest that North Korea’s cryptocurrency thefts could amount to $1.6 billion in the current year alone, underscoring the scale of these organized cyber operations, which appear to draw on a workforce numbering in the thousands. With substantial investment in these cyber capabilities, North Korea has emerged as a formidable force in crypto hacking, accounting for 35% of all stolen funds as of last year, according to a February report from TRM Labs.

Experts predict that North Korean hackers will remain a significant presence in the field, especially given their skill at developing new hacking techniques. Collier notes that North Korean cyber actors remain a dynamic threat, adapting their strategies to serve the regime’s financial ambitions and aided by AI advances that improve their operational efficiency. He added that current intelligence shows no sign of a slowdown in these illicit activities and that further expansion of their cyber operations is expected.