
North Korean Hackers Employ Fake Job Offers to Launch Cloud Breaches and Steal Billions in Cryptocurrency

North Korean hackers are exploiting the allure of fake freelance IT job offers to infiltrate the cloud systems of cryptocurrency firms, amassing billions in stolen assets this year. Reports from Google Cloud and security firm Wiz reveal that these operatives belong to a group known as UNC4899, which has been actively targeting companies by contacting potential victims via social media.

In two documented incidents, UNC4899 successfully manipulated employees into executing malware on their devices, which allowed the hackers to access the companies’ cloud environments and steal substantial amounts of cryptocurrency. Each incident led to thefts totaling several million dollars.

The tactic of using job offers to trick victims has become quite prevalent among North Korean hackers, indicating a high level of sophistication. They routinely present themselves as job recruiters or experts to establish trust before launching their cyberattacks. Google Threat Intelligence’s Jamie Collier emphasized that these hackers are not only among the first to adopt new technologies but also utilize AI to enhance the effectiveness of their operations, producing more credible phishing emails and scripts.

Wiz also highlights a group referred to as TraderTraitor, which encompasses several North Korean entities like the Lazarus Group and APT38. Since 2020, these groups have progressively utilized fake job offers to encourage employees to download malicious applications, leading to a series of successful breaches. Notable incidents involving TraderTraitor include the massive $620 million theft from Axie Infinity’s Ronin Network, further establishing their capabilities in crypto hacking.

Cloud systems are particularly appealing targets in the cryptocurrency sector because of their inherent vulnerabilities. As noted by Benjamin Read of Wiz, these systems hold vast amounts of sensitive data, making them attractive for theft. In 2025 alone, estimates suggest that North Korean hackers have stolen around $1.6 billion in cryptocurrency.

The North Korean regime has been significantly investing in cyber capabilities, with thousands reportedly engaged in these hacking operations. Experts stress that the country’s hackers are likely to remain a persistent threat in the cryptocurrency domain, continuously adapting and evolving their techniques, primarily due to their innovative use of AI. This advancement allows them to execute large-scale operations effectively, and indications suggest they are set to continue expanding their illicit activities.


Crypto Dummies ©2025. All rights reserved.