N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto

August 1, 2025 Alex Rustok

Jul 31, 2025Ravie LakshmananCryptocurrency / Malware

The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram.

“Under the guise of freelance opportunities for software development work, UNC4899 leveraged social engineering techniques to successfully convince the targeted employees to execute malicious Docker containers in their respective workstations,” Google’s cloud division said [PDF] in its Cloud Threat Horizons Report for H2 2025.

UNC4899 overlaps with activity tracked under the monikers Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. Active since at least 2020, the state-sponsored actor is known for its targeting of cryptocurrency and blockchain industries.

Notably, the hacking group has been implicated in significant cryptocurrency heists, including that of Axie Infinity in March 2022 ($625 million), DMM Bitcoin in May 2024 ($308 million), and Bybit in February 2025 ($1.4 billion).


Another example that highlights its sophistication is the suspected exploitation of JumpCloud’s infrastructure to target downstream customers within the cryptocurrency vertical.

According to DTEX, TraderTraitor is affiliated with the Third Bureau (or Department) of North Korea’s Reconnaissance General Bureau and is the most prolific of any of the Pyongyang hacking groups when it comes to cryptocurrency theft.

Attacks mounted by the threat actor have relied on job-themed lures or malicious npm packages: employees at target companies are approached with a lucrative opportunity, or asked to collaborate on a GitHub project, which then leads to the execution of the rogue npm libraries.

“TraderTraitor has demonstrated a sustained interest in cloud-centric and cloud-adjacent attack surfaces, often with a final goal of compromising companies that are customers of cloud platforms rather than the platforms themselves,” cloud security firm Wiz said in a detailed report of TraderTraitor this week.

The attacks observed by Google Cloud targeted the respective organizations’ Google Cloud and Amazon Web Services (AWS) environments, paving the way for a downloader called GLASSCANNON that’s then used to serve backdoors like PLOTTWIST and MAZEWIRE that can establish connections with an attacker-controlled server.

In the incident involving the Google Cloud environment, the threat actors used stolen credentials to interact remotely through the Google Cloud CLI over an anonymous VPN service, carrying out extensive reconnaissance and credential theft. However, their efforts were initially thwarted by the multi-factor authentication (MFA) configuration applied to the victim’s credentials.

“UNC4899 eventually determined the victim’s account had administrative privileges to the Google Cloud project and disabled the MFA requirements,” Google said. “After successfully gaining access to the targeted resources, they immediately re-enabled MFA to evade detection.”
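The disable, act, re-enable sequence described above is exactly the kind of pattern a defender wants an audit-log rule to catch, because each change on its own looks like routine administration. The following is an added example, not code from the report or from Google: it runs over a few constructed audit events (the field names and action labels are assumptions, not a real Google Cloud audit-log schema) and reports any principal who disabled MFA enforcement and restored it within an hour, along with what that principal did in between.

```python
"""Flag an MFA 'disable, act, re-enable' sequence in an audit-event stream."""
import json
from datetime import datetime, timedelta

# Constructed sample events (not real Google Cloud audit-log records);
# field names and action labels are assumptions for this example.
SAMPLE_LOG = """\
{"ts": "2025-07-01T09:58:10Z", "principal": "dev@example.org", "action": "list_projects", "src_ip": "203.0.113.7"}
{"ts": "2025-07-01T10:00:00Z", "principal": "dev@example.org", "action": "mfa_enforcement_disabled", "src_ip": "203.0.113.7"}
{"ts": "2025-07-01T10:02:30Z", "principal": "dev@example.org", "action": "secret_version_access", "src_ip": "203.0.113.7"}
{"ts": "2025-07-01T10:03:05Z", "principal": "dev@example.org", "action": "service_account_key_create", "src_ip": "203.0.113.7"}
{"ts": "2025-07-01T10:04:00Z", "principal": "dev@example.org", "action": "mfa_enforcement_enabled", "src_ip": "203.0.113.7"}
{"ts": "2025-07-01T14:00:00Z", "principal": "admin@example.org", "action": "mfa_enforcement_disabled", "src_ip": "198.51.100.4"}
{"ts": "2025-07-02T14:00:00Z", "principal": "admin@example.org", "action": "mfa_enforcement_enabled", "src_ip": "198.51.100.4"}
"""

DISABLE = "mfa_enforcement_disabled"
ENABLE = "mfa_enforcement_enabled"


def parse_events(text):
    """Parse newline-delimited JSON events; 'ts' becomes a datetime, sorted ascending."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_mfa_toggles(events, window=timedelta(hours=1)):
    """One finding per MFA disable that the same principal reverses within `window`.
    A disable with no matching re-enable inside the window (e.g. a maintenance change
    reverted a day later) is not flagged by this rule; it belongs to a separate alert."""
    findings = []
    by_principal = {}
    for ev in events:
        by_principal.setdefault(ev["principal"], []).append(ev)
    for principal, evs in by_principal.items():
        for i, ev in enumerate(evs):
            if ev["action"] != DISABLE:
                continue
            between = []  # what the principal did while MFA enforcement was off
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if later["action"] == ENABLE:
                    findings.append({"principal": principal, "src_ip": ev["src_ip"],
                                     "disabled_at": ev["ts"], "reenabled_at": later["ts"],
                                     "gap_minutes": (later["ts"] - ev["ts"]).total_seconds() / 60,
                                     "actions_between": between})
                    break
                between.append(later["action"])
    return findings


if __name__ == "__main__":
    for f in find_mfa_toggles(parse_events(SAMPLE_LOG)):
        print(f)
```

In the constructed data only dev@example.org is flagged; the admin's disable is reverted a day later and falls outside the window, which is why the window and the "actions between" list, not the toggle alone, carry the signal.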

The intrusion targeting the second victim’s AWS environment is said to have followed a similar playbook, only this time the attackers used long-term access keys obtained from an AWS credential file to interact remotely via AWS CLI.

Although the threat actors ran into access control roadblocks that prevented them from performing any sensitive actions, Google said it found evidence that likely indicated the theft of the user’s session cookies. These cookies were then used to identify relevant CloudFront configurations and S3 buckets.


UNC4899 “leveraged the inherent administrative permissions applied to their access to upload and replace existing JavaScript files with those containing malicious code, which were designed to manipulate cryptocurrency functions and trigger a transaction with the cryptocurrency wallet of a target organization,” Google said.

In both cases, the attacks ended with the threat actors successfully withdrawing several million dollars’ worth of cryptocurrency, the company added.

The development comes as Sonatype said it flagged and blocked 234 unique malicious npm and PyPI packages attributed to North Korea’s Lazarus Group between January and July 2025. Some of these libraries are configured to drop a known credential stealer referred to as BeaverTail, which is associated with a long-running campaign dubbed Contagious Interview.

“These packages mimic popular developer tools but function as espionage implants, designed to steal secrets, profile hosts, and open persistent backdoors into critical infrastructure,” the software supply chain security firm said. “The surge of activity in H1 2025 demonstrates a strategic pivot: Lazarus is now embedding malware directly into open source package registries, namely npm and PyPI, at an alarming rate.”
