7 Crypto Heists Totaling $1.6B: North Korean Hackers Exploit Cloud Jobs

Quick overview
- UNC4899, a North Korean hacking group, uses fake identities on platforms like LinkedIn and Telegram to infiltrate cryptocurrency companies.
- They exploit cloud services such as Google Cloud and AWS to access sensitive crypto wallets, often disabling MFA during attacks.
- The financial impact of their operations has resulted in billions of dollars in losses, with significant thefts reported in recent years.
- Ongoing threats from UNC4899 highlight the need for enhanced cloud security and employee awareness in the crypto industry.
Cybersecurity researchers at Google Cloud and Wiz have documented a sophisticated campaign in which North Korean IT operatives use fake identities to infiltrate cryptocurrency companies. The group, tracked as UNC4899 or TraderTraitor, poses as freelance recruiters on platforms such as LinkedIn and Telegram to trick employees into running malicious software. That foothold gives the attackers access to sensitive cloud infrastructure and crypto wallets, from which they have stolen millions.
Active since 2020 and tied to North Korea’s Reconnaissance General Bureau, UNC4899 targets blockchain and cryptocurrency firms globally. Their approach combines advanced social engineering with cloud-specific attack techniques, bypassing security protocols and harvesting credentials to move laterally within victim networks.
Cloud Infiltration and Multi-Million Dollar Theft
Google’s 2025 Cloud Threat Horizons Report details two cases involving UNC4899. In one, the attackers compromised a privileged Google Cloud account, disabled MFA on it to reach the victim’s crypto wallet services, stole millions, and then re-enabled MFA so the change would not be noticed. In the other, on AWS, they bypassed the victim’s security controls with stolen session cookies and then modified JavaScript files to redirect crypto transactions to wallets they controlled.
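Both cases above leave traces in cloud audit logs: an MFA device removed and re-added on the same identity within a short window, and one short-lived session credential appearing from two different network locations. The following detector is an added example and is not code from Google, Wiz, or the article; it runs over CloudTrail-shaped records because the IAM event names (`DeactivateMFADevice`, `DeleteVirtualMFADevice`, `EnableMFADevice`, `CreateVirtualMFADevice`) are documented and stable, even though the article places the MFA toggle on Google Cloud. The log records, account IDs, user names, key IDs and IP addresses are constructed for the example, and the 24-hour pairing window and the "temporary key seen from more than one IP or user agent" rule are assumptions a team would tune to its own environment.

```python
"""Spot two UNC4899-style tradecraft patterns in CloudTrail-shaped audit events.

1. MFA disabled on an IAM user and re-enabled shortly afterwards (a cover-up
   around a privileged login to wallet services).
2. A temporary credential (ASIA... access key) used from more than one source
   IP or user agent, a common sign of a stolen session token or cookie.

Event names are real IAM CloudTrail names; every record below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

MFA_DISABLE = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}
MFA_ENABLE = {"EnableMFADevice", "CreateVirtualMFADevice"}


def _ts(stamp):
    """Parse the CloudTrail eventTime format (always UTC, 'Z' suffix)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _target_user(event):
    """MFA calls name the affected user in requestParameters; fall back to the actor."""
    return event.get("requestParameters", {}).get("userName") or event["userIdentity"]["arn"]


def find_mfa_toggles(events, window_minutes=1440):
    """Pair each MFA-disable with the next MFA-enable on the same user inside the window."""
    pending = {}  # user -> most recent disable event still unpaired
    hits = []
    for e in sorted(events, key=lambda x: _ts(x["eventTime"])):
        user = _target_user(e)
        if e["eventName"] in MFA_DISABLE:
            pending[user] = e
        elif e["eventName"] in MFA_ENABLE and user in pending:
            disabled = pending.pop(user)
            gap_min = (_ts(e["eventTime"]) - _ts(disabled["eventTime"])).total_seconds() / 60
            if gap_min <= window_minutes:
                hits.append({"user": user, "disabled_at": disabled["eventTime"],
                             "reenabled_at": e["eventTime"], "minutes": round(gap_min, 1),
                             "actor": e["userIdentity"]["arn"], "ip": e["sourceIPAddress"]})
    return hits


def find_session_reuse(events):
    """Flag a temporary access key observed from more than one IP or user agent."""
    seen = defaultdict(lambda: {"ips": set(), "uas": set(), "user": None})
    for e in events:
        key_id = e["userIdentity"].get("accessKeyId", "")
        if not key_id.startswith("ASIA"):  # only STS-issued temporary keys
            continue
        rec = seen[key_id]
        rec["ips"].add(e["sourceIPAddress"])
        rec["uas"].add(e["userAgent"])
        rec["user"] = e["userIdentity"]["arn"]
    return [{"accessKeyId": k, "user": v["user"], "ips": sorted(v["ips"]),
             "user_agents": sorted(v["uas"])}
            for k, v in seen.items() if len(v["ips"]) > 1 or len(v["uas"]) > 1]


ACCT = "111122223333"  # constructed account ID
SAMPLE_EVENTS = [  # constructed records in CloudTrail field layout
    {"eventTime": "2025-03-01T01:00:12Z", "eventName": "DeactivateMFADevice",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/wallet-admin", "accessKeyId": "AKIAEXAMPLEADMIN001"},
     "requestParameters": {"userName": "wallet-admin", "serialNumber": f"arn:aws:iam::{ACCT}:mfa/wallet-admin"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2025-03-01T01:41:30Z", "eventName": "EnableMFADevice",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/wallet-admin", "accessKeyId": "AKIAEXAMPLEADMIN001"},
     "requestParameters": {"userName": "wallet-admin", "serialNumber": f"arn:aws:iam::{ACCT}:mfa/wallet-admin"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2025-03-01T02:00:00Z", "eventName": "GetSecretValue",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/treasury-ops/alice", "accessKeyId": "ASIAEXAMPLETREASURY"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Macintosh) AWS-Console"},
    {"eventTime": "2025-03-01T02:10:45Z", "eventName": "GetSecretValue",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/treasury-ops/alice", "accessKeyId": "ASIAEXAMPLETREASURY"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "python-requests/2.31"},
    {"eventTime": "2025-03-02T09:00:00Z", "eventName": "EnableMFADevice",  # benign first enrolment
     "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/dev-bob", "accessKeyId": "AKIAEXAMPLEDEVBOB01"},
     "requestParameters": {"userName": "dev-bob", "serialNumber": f"arn:aws:iam::{ACCT}:mfa/dev-bob"},
     "sourceIPAddress": "192.0.2.44", "userAgent": "console.amazonaws.com"},
]

if __name__ == "__main__":
    for hit in find_mfa_toggles(SAMPLE_EVENTS):
        print("MFA disabled then re-enabled:", hit)
    for hit in find_session_reuse(SAMPLE_EVENTS):
        print("temporary credential used from multiple locations:", hit)
```

The toggle rule deliberately pairs only disable-then-enable on the same user, so a first-time enrolment (`dev-bob` above) does not fire; the session rule keys on the access key ID rather than the principal, because a legitimate user who assumes the same role twice gets two different ASIA keys, while a stolen token keeps the original one.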
Wiz’s analysis shows UNC4899 operates under multiple aliases, including Jade Sleet and Slow Pisces, and works with other North Korean state-backed hacking groups. Fake job offers became the group’s primary initial-access vector in 2023, aimed at crypto exchange employees and, through them, the cloud environments those employees administer; an effective approach given the industry’s cloud-first infrastructure.
Enormous Financial Impact and Ongoing Threats
The financial losses from UNC4899’s attacks are huge:
- $305 million stolen from Japan’s DMM Bitcoin in May 2024
- $1.5 billion lost in the February 2025 Bybit breach
- An estimated $1.6 billion in crypto stolen by North Korean actors in 2025 (Wiz mid-year data)
ZachXBT, a blockchain investigator, estimates up to 920 North Korean operatives have infiltrated crypto firms, earning over $16 million in salaries since 2025 began.
Key points:
- UNC4899 uses fake recruiting profiles on LinkedIn and Telegram.
- They exploit cloud platforms like Google Cloud and AWS to access crypto wallets.
- MFA is often disabled or bypassed during attacks.
- Losses attributed to this group total billions in crypto assets.
- The threat is ongoing for cloud-dependent crypto companies.
Crypto companies need to harden their cloud security and employee awareness to counter these evolving threats, as UNC4899 and affiliated groups continue to target the sector.