North Korean IT workers are allegedly exploiting remote job opportunities to infiltrate cryptocurrency firms and steal large sums of digital assets, according to recent reports from cybersecurity experts at Google Cloud and Wiz. The threat group, known as UNC4899 and also referred to as TraderTraitor, is believed to operate under North Korea’s Reconnaissance General Bureau, the nation’s primary foreign intelligence agency [1]. The group has been active since at least 2020, with a specific focus on the blockchain and cryptocurrency sectors.
UNC4899 has been linked to multiple high-profile breaches, including the $305 million hack of Japan’s DMM Bitcoin in 2023 and the $1.5 billion breach of Bybit in late 2024 [1]. The group employs sophisticated social engineering tactics and cloud-specific attack techniques, posing as freelance recruiters on platforms such as LinkedIn and Telegram to establish contact with potential victims [1]. Once a connection is made, the hackers convince employees to run malicious Docker containers on their workstations, which deploy downloaders and backdoors to connect to attacker-controlled infrastructure [1].
In one documented case, UNC4899 disabled multi-factor authentication on a privileged Google Cloud account to access wallet-related services, stole several million dollars in cryptocurrency, and then re-enabled MFA to avoid detection [1]. In another incident, the group used stolen long-term AWS access keys. The attackers bypassed security measures by stealing session cookies and altering JavaScript files stored in AWS S3 buckets, redirecting crypto wallet interactions to addresses controlled by the group [1].
According to reports from both Google and Wiz, cloud environments remain a key entry point for these attacks, as many crypto firms operate in cloud-first models with limited on-premise security [1]. The two firms' findings align closely: both note that UNC4899 has been tracked under several aliases, including Jade Sleet, Slow Pisces, and TraderTraitor, and has been associated with broader North Korean state-backed entities such as Lazarus Group, BlueNoroff, and APT38 [1].
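The two cloud techniques described above (an MFA disable/re-enable window on a privileged account, and JavaScript in a web-asset bucket overwritten with a long-term key) both leave audit-log traces that a defender can alert on. The following is an added example written for this page, not code from the report or from Google or Wiz. It assumes audit events have already been normalised into the dict shape shown, that the bucket prefix and principal names are placeholders, and it relies on the documented AWS convention that long-term access key IDs begin with "AKIA" while temporary STS credentials begin with "ASIA". The sample events are constructed.

```python
"""Detection sketch for two cloud techniques: an MFA disable/re-enable window
and .js writes to a served-asset bucket made with a long-term access key.

Assumptions (not from the report): events are pre-normalised into dicts with
the keys time/actor/action/target/key_id; bucket and principal names are
placeholders. AWS long-term key IDs start with "AKIA", temporary ones with "ASIA".
"""
from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like CloudTrail / Cloud Audit Log records.
SAMPLE_EVENTS = [
    {"time": "2025-06-01T09:00:00Z", "actor": "ops-admin", "action": "DisableMfa",
     "target": "ops-admin", "key_id": None},
    {"time": "2025-06-01T09:07:00Z", "actor": "ops-admin", "action": "wallet.sign",
     "target": "hot-wallet-1", "key_id": None},
    {"time": "2025-06-01T09:40:00Z", "actor": "ops-admin", "action": "EnableMfa",
     "target": "ops-admin", "key_id": None},
    # Constructed key IDs: AKIA... = long-term key, ASIA... = temporary STS key.
    {"time": "2025-06-02T02:15:00Z", "actor": "deploy-svc", "action": "PutObject",
     "target": "s3://web-assets/app/wallet.js", "key_id": "AKIAEXAMPLE0001"},
    {"time": "2025-06-02T02:16:00Z", "actor": "ci-role", "action": "PutObject",
     "target": "s3://web-assets/app/wallet.js", "key_id": "ASIAEXAMPLE0002"},
    {"time": "2025-06-02T02:17:00Z", "actor": "deploy-svc", "action": "PutObject",
     "target": "s3://web-assets/img/logo.png", "key_id": "AKIAEXAMPLE0001"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_long_term_key(key_id):
    """True for AWS long-term access keys (AKIA prefix); STS keys use ASIA."""
    return bool(key_id) and key_id.startswith("AKIA")


def detect_mfa_toggle(events, window=timedelta(hours=2)):
    """Flag DisableMfa followed by EnableMfa on the same principal within
    `window`, and record what that principal did while MFA was off."""
    alerts = []
    disabled = {}  # principal -> time MFA was disabled
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] == "DisableMfa":
            disabled[ev["target"]] = _ts(ev["time"])
        elif ev["action"] == "EnableMfa" and ev["target"] in disabled:
            t0, t1 = disabled.pop(ev["target"]), _ts(ev["time"])
            if t1 - t0 <= window:
                between = [e["action"] for e in events
                           if e["actor"] == ev["target"] and t0 < _ts(e["time"]) < t1]
                alerts.append({"rule": "mfa_toggle", "principal": ev["target"],
                               "minutes": int((t1 - t0).total_seconds() // 60),
                               "actions_while_disabled": between})
    return alerts


def detect_js_tamper(events, asset_prefix="s3://web-assets/"):
    """Flag writes of .js objects under a served-asset prefix that used a
    long-term key instead of short-lived role credentials."""
    return [{"rule": "js_write_long_term_key", "actor": ev["actor"],
             "object": ev["target"], "key_id": ev["key_id"]}
            for ev in events
            if ev["action"] == "PutObject"
            and ev["target"].startswith(asset_prefix)
            and ev["target"].endswith(".js")
            and is_long_term_key(ev["key_id"])]


def run_detections(events=SAMPLE_EVENTS):
    """Run both rules and return the combined alert list."""
    return detect_mfa_toggle(events) + detect_js_tamper(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Against the constructed events this yields two alerts: the 40-minute MFA window on `ops-admin` with a `wallet.sign` call inside it, and the `wallet.js` overwrite made with the AKIA key; the write with the temporary ASIA key and the PNG upload are left alone. In production the second rule pairs naturally with a policy that only a deployment role may write to the asset bucket at all.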
Estimates of the financial damage attributed to UNC4899 and other North Korean-linked groups vary but remain substantial. In 2024 alone, Chainalysis reported that North Korean hackers stole $1.34 billion in cryptocurrency [1]. As of mid-2025, Wiz researchers estimated that $1.6 billion in digital assets had been siphoned off by North Korea-linked threat actors [1]. Additionally, independent investigator ZachXBT has estimated that between 345 and 920 North Korean operatives may have infiltrated the crypto industry through remote job scams, earning over $16 million in salaries since the beginning of 2025 [1].
The use of remote job scams represents a shift in tactics by North Korean cyber actors, who are adapting to the digital transformation of the global workforce. As the cryptocurrency industry continues to expand its reliance on cloud infrastructure, the risk of such targeted attacks is expected to grow, underscoring the need for enhanced security protocols and employee awareness.
Source: [1] North Korean IT workers are using remote jobs to infiltrate crypto companies: report (https://coinmarketcap.com/community/articles/6891abe001aecf7f739b4bd3/)