AInvest Newsletter
Daily stocks & crypto headlines, free to your inbox
North Korean hacking groups are increasingly leveraging fake IT job offers as a method to infiltrate cloud systems and steal cryptocurrencies, according to new research from Google Cloud and security firm Wiz. The UNC4899 group, which is believed to be North Korea-backed, has successfully breached two companies after reaching out to employees through social media platforms. In both cases, the hackers assigned tasks that led employees to run malware on their workstations, establishing connections between the attackers' command-and-control centers and the victims’ cloud systems [1]. This allowed UNC4899 to explore the cloud environments, extract credentials, and identify hosts responsible for cryptocurrency transactions [2].
This tactic of using job lures is now described as “quite common and widespread” by Jamie Collier, Lead Threat Intelligence Advisor for Europe at Google Threat Intelligence Group. North Korean hackers often pose as recruiters, journalists, or industry experts, building trust with targets through repeated communication [3]. The groups have also quickly adopted new technologies such as AI to improve their deceptive tactics and script development [4].
Wiz also analyzed UNC4899’s activities, noting that the group is alternatively known as TraderTraitor, Jade Sleet, and Slow Pisces. These names represent different aspects of the threat rather than distinct groups. Several North Korea-backed hacking units—including Lazarus Group, APT38, BlueNoroff, and Stardust Chollima—are associated with the TraderTraitor campaigns [5]. These operations have evolved significantly since 2020, with the initial attacks using job lures to trick employees into installing malicious crypto apps written in JavaScript and Node.js using the Electron framework [6].
Between 2020 and 2022, these campaigns successfully breached multiple organizations. Notably, the Lazarus Group was linked to a $620 million hack of Axie Infinity’s Ronin Network. In 2023, the tactics expanded to include malicious open-source code, and by 2024, the groups doubled down on fake job offers, primarily targeting cryptocurrency exchanges [7]. The DMM Bitcoin hack in Japan and the $1.5 billion Bybit breach in late 2024 are among the most significant attacks attributed to these groups [8].
The focus on cloud systems is a strategic move, as these platforms house critical data and financial assets. Benjamin Read, Director of Strategic Threat Intelligence at Wiz, explained that cloud environments are particularly vulnerable in the crypto industry, where companies often build infrastructure in a cloud-first manner [9]. This allows hackers to affect a broad range of targets, maximizing their potential for financial gain.
According to Wiz, the total amount of cryptocurrency stolen by these groups in 2025 is estimated to be $1.6 billion. The scale of these operations is supported by large workforces—likely in the thousands—across overlapping groups [10]. Analysts suggest that the North Korean regime is pouring significant resources into these capabilities, enabling the country to become a dominant force in crypto-related hacking. A TRM Labs report from February 2025 noted that North Korea accounted for 35% of all stolen crypto funds in 2024 [11].
Experts warn that North Korean threat actors are unlikely to slow down, thanks to their adaptability and use of AI-driven methods that allow for “force multiplication.” This has enabled them to scale their operations rapidly and remain a fixture in the crypto security landscape [12]. Google’s Collier emphasized that the regime’s strategic and financial objectives will continue to drive innovation and expansion in these cyber activities [13].
[1] https://decrypt.co/333513/north-korean-fake-job-offers-cloud-systems-steal-billions-crypto
