North Korean Hackers Utilize Fake Job Offers to Compromise Cloud Systems and Embezzle Billions in Cryptocurrency

By admin, Aug. 19, 2025

North Korean Hacking Groups Exploit Freelance IT Work to Steal Millions

North Korean hacking groups are using the lure of freelance IT work to gain access to cloud systems and steal cryptocurrencies worth millions of dollars, according to separate research from Google Cloud and security firm Wiz.

Google Cloud’s H2 2025 Cloud Threat Horizons Report reveals that Google Threat Intelligence Group is “actively tracking” UNC4899, a North Korean hacking unit that successfully hacked two companies after contacting employees via social media.

In both cases, UNC4899 gave the employees tasks that led them to run malware on their workstations, enabling the hacking group to establish connections between its command-and-control centers and the target companies’ cloud-based systems.

As a result, UNC4899 was able to explore the victims’ cloud environments, obtaining credential materials and ultimately identifying hosts responsible for processing crypto transactions.

While each separate incident targeted different (unnamed) companies and different cloud services (Google Cloud and AWS), both resulted in the theft of “several millions worth of crypto.”

The use of job lures by North Korean hackers is now “quite common and widespread,” reflecting a considerable degree of sophistication, Jamie Collier, the Lead Threat Intelligence Advisor for Europe at Google Threat Intelligence Group, told Decrypt.

“They frequently pose as job recruiters, journalists, subject matter experts, or college professors when contacting targets,” he said, adding that they often communicate back and forth several times in order to build a rapport with targets.

Quick to Act

Collier explains that North Korean threat actors were among the first to quickly adopt new technologies such as AI, which they use to produce “more convincing rapport-building emails” and to write their malicious scripts.

Cloud security firm Wiz has likewise reported on UNC4899’s exploits, noting that the group is also known as TraderTraitor, Jade Sleet, and Slow Pisces.

TraderTraitor represents a certain kind of threat activity rather than a specific group, with the North Korea-backed entities Lazarus Group, APT38, BlueNoroff, and Stardust Chollima all behind typical TraderTraitor exploits, Wiz said.

In its analysis of UNC4899/TraderTraitor, Wiz notes that campaigns began back in 2020 and that from the beginning, the responsible hacking groups used job lures to coax employees into downloading malicious crypto apps that were built on JavaScript and Node.js using the Electron framework.

The group’s campaign from 2020 to 2022 “successfully breached multiple organizations,” according to Wiz, including Lazarus Group’s $620 million breach of Axie Infinity’s Ronin Network.

TraderTraitor threat activity then evolved in 2023 to incorporate the use of malicious open-source code, while in 2024, it doubled down on fake job offers, primarily targeting exchanges.

Most notably, TraderTraitor groups were responsible for the $305 million hack of Japan’s DMM Bitcoin, and also the $1.5 billion Bybit hack in late 2024, which the exchange revealed in February of this year.

Targeting the Cloud

As with the exploits highlighted by Google, these hacks targeted cloud systems to varying degrees, and according to Wiz, such systems represent a significant vulnerability for crypto.

“We believe that TraderTraitor has focused on cloud-related exploits and techniques because that is where the data, and thus money, is,” Benjamin Read, Wiz’s Director of Strategic Threat Intelligence, told Decrypt. “This is especially true for the crypto industry, where the companies are newer and likely to have built their infrastructure in a cloud-first manner.”

Read explained that targeting cloud technologies enables hacking groups to impact a wide range of targets, increasing the potential to make more money.

These groups are doing big business, with “estimates of $1.6 billion in cryptocurrency stolen so far in 2025,” he said, adding that TraderTraitor and related groups have workforces “likely in the thousands of people,” who work in numerous and sometimes overlapping groups.

“While coming up with a specific number is difficult, it is clear that the North Korean regime is investing significant resources in these capabilities.”

Ultimately, such investment has enabled North Korea to become a leader in crypto hacking, with a February TRM Labs report concluding that the country accounted for 35% of all stolen funds last year.

Experts said all available signs suggest the country is likely to remain a fixture in crypto-related hacking for some time to come, especially given the ability of its operatives to develop new techniques.

“North Korean threat actors are a dynamic and agile force that continuously adapts to meet the regime’s strategic and financial objectives,” Google’s Collier said.

Reiterating that North Korean hackers are increasingly making use of AI, Collier explained that such use enables “force multiplication,” which in turn has enabled the hackers to scale up their exploits.

“We see no evidence of them slowing down and anticipate this expansion to continue,” he said.
