What Happened?
North Korean hacker groups have begun using high-paying IT freelance job offers as bait to contact employees of target companies through social platforms such as LinkedIn and Telegram. They establish trust in this way, luring victims to execute malicious programs, thus infiltrating corporate internal systems. The ultimate goal of the hackers is the companies’ cloud platforms (such as AWS and Google Cloud). Given that cryptocurrency companies generally adopt a “cloud-first” architecture, the cloud has become a “vault” for storing critical assets. After obtaining initial access, hackers move laterally into the cloud, stealing credentials and searching for key servers that handle transactions to steal cryptocurrencies worth millions of dollars.
Such attacks are not isolated incidents but are orchestrated by state-level organizations comprising thousands of members, resulting in billions of dollars in losses. The hackers’ techniques are continually evolving; they not only know how to bypass security mechanisms but have also started using AI to generate more realistic phishing emails and malicious scripts, significantly increasing the scale and success rate of their threats.
A “Dream Job” Invitation: The Beginning of a Company’s Disaster?
According to the latest research report from Google Cloud and cloud security company Wiz, North Korean hacker organizations are employing social engineering tactics, using high-paying freelancer positions as bait to deceive tech professionals and infiltrate corporate cloud systems, stealing cryptocurrencies worth millions of dollars. Google Cloud points out in its “Cloud Threat Landscape Report for the Second Half of 2025” that the Google Threat Intelligence Group (GTIG) is actively tracking a North Korean hacker group known as “UNC4899.” This group is believed to be affiliated with North Korea’s Reconnaissance General Bureau, and its activities overlap significantly with the publicly reported “TraderTraitor” threat behavior.
The report reveals two real cases that occurred between the third quarter of 2024 and the first quarter of 2025. In these incidents, members of UNC4899 contacted employees from different companies through social platforms such as LinkedIn and Telegram, posing as providers of software development freelance opportunities. After establishing trust through multiple communications with the targets, the hackers would assign tasks, enticing employees to execute malicious software on their workstations. Once an employee falls for the trap, malware such as the downloader “GLASSCANNON” and backdoor programs “PLOTTWIST” and “MAZEWIRE” would be implanted, establishing a connection with the hackers’ command and control center.
Subsequently, the hackers could conduct reconnaissance on the victim company’s internal network, steal login credentials and ultimately shift their focus to the company’s cloud environment. The report details one attack that targeted a Google Cloud environment: the hackers used stolen credentials to operate remotely through an anonymous VPN service and successfully located the server responsible for processing cryptocurrency transactions. Although multi-factor authentication (MFA) blocked them at one point, they eventually discovered an account with administrative privileges. They briefly disabled the MFA requirement for that account, stole “cryptocurrencies worth millions of dollars,” and then quickly re-enabled MFA to cover their tracks, a deliberately quiet technique. Another incident occurred within an AWS cloud environment and also resulted in millions of dollars in cryptocurrency losses.
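The disable-then-re-enable MFA pattern described above is short-lived by design, so a detection that looks for it in the identity audit trail is the natural defensive counterpart. The following is an added example, not code from the report or from Google Cloud or Wiz: it scans a small set of constructed audit events (field names `ts`, `actor`, `action`, `target`, `src_ip` and the `mfa.disable` / `mfa.enable` action strings are assumptions, not any real provider's schema) and raises an alert when MFA on a privileged account is disabled and restored within a configurable window, listing what happened in between.

```python
"""Detect brief MFA disable/re-enable windows on privileged accounts.

Added example. The event schema and action names below are assumed for
illustration; map them onto your provider's real audit log fields.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The ops-admin account has MFA
# switched off, is logged into, and has MFA switched back on eight minutes
# later. The newhire account has MFA disabled by HR and re-enabled 90 minutes
# later, which falls outside the default window.
SAMPLE_EVENTS = [
    {"ts": "2025-01-14T02:11:05Z", "actor": "ops-admin@example.test",
     "action": "mfa.disable", "target": "ops-admin@example.test", "src_ip": "198.51.100.23"},
    {"ts": "2025-01-14T02:13:40Z", "actor": "ops-admin@example.test",
     "action": "session.login", "target": "ops-admin@example.test", "src_ip": "198.51.100.23"},
    {"ts": "2025-01-14T02:19:12Z", "actor": "ops-admin@example.test",
     "action": "mfa.enable", "target": "ops-admin@example.test", "src_ip": "198.51.100.23"},
    {"ts": "2025-01-14T09:00:00Z", "actor": "hr-admin@example.test",
     "action": "mfa.disable", "target": "newhire@example.test", "src_ip": "203.0.113.8"},
    {"ts": "2025-01-14T10:30:00Z", "actor": "hr-admin@example.test",
     "action": "mfa.enable", "target": "newhire@example.test", "src_ip": "203.0.113.8"},
]

# Constructed list of accounts considered privileged for this example.
ADMIN_ACCOUNTS = {"ops-admin@example.test"}


def parse_ts(ts: str) -> datetime:
    """Parse the UTC timestamp format used by the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_toggles(events, admin_accounts=ADMIN_ACCOUNTS,
                     window=timedelta(hours=1)):
    """Return one alert per privileged account whose MFA was disabled and
    re-enabled within `window`, with the actions recorded in between.

    Disabling MFA and never restoring it is a different (noisier) condition
    and is deliberately not flagged here; pair this with a standing check
    for admin accounts lacking MFA.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    open_disables = {}  # target account -> (disable event, actions since)
    alerts = []
    for ev in ordered:
        target = ev["target"]
        if ev["action"] == "mfa.disable":
            open_disables[target] = (ev, [])
            continue
        if target in open_disables and ev["action"] != "mfa.enable":
            open_disables[target][1].append(ev["action"])
            continue
        if ev["action"] == "mfa.enable" and target in open_disables:
            disable_ev, between = open_disables.pop(target)
            gap = parse_ts(ev["ts"]) - parse_ts(disable_ev["ts"])
            if target in admin_accounts and gap <= window:
                alerts.append({
                    "account": target,
                    "gap_minutes": int(gap.total_seconds() // 60),
                    "between": between,
                    # Self-service toggling of one's own MFA is the more
                    # suspicious variant; a helpdesk actor is the benign one.
                    "self_toggle": disable_ev["actor"] == target,
                    "src_ips": sorted({disable_ev["src_ip"], ev["src_ip"]}),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_toggles(SAMPLE_EVENTS):
        print(alert)
```

A real deployment would feed this from the provider's admin-activity audit stream and would also alert on the bare `mfa.disable` for any privileged account, since attackers who are interrupted may never get to the re-enable step; the short-gap rule above is what catches the quiet variant the report describes.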
The Evolution of Malicious Attacks and Their Large Scale
The report from the cybersecurity company Wiz also confirms this threat, noting that “TraderTraitor” is better understood as an umbrella term for a pattern of activity that spans several well-known North Korean hacker groups, including “Lazarus Group,” “APT38,” and “BlueNoroff.” This activity can be traced back to 2020, when the groups began using job bait to lure employees into downloading malicious cryptocurrency applications built on JavaScript and Node.js. It has led to several major cybersecurity incidents, including the Lazarus Group stealing $620 million worth of assets from the sidechain of the well-known blockchain game Axie Infinity. By 2024, the groups had intensified their focus on cryptocurrency exchanges, resulting in several astonishing thefts, including the $305 million heist from the Japanese exchange DMM Bitcoin and the $1.5 billion loss from a hacking attack on the Bybit exchange at the end of 2024.
The Cloud as the Main Battlefield, AI Fuels Threats
Analysts say North Korean hackers concentrate on cloud systems because companies in the cryptocurrency industry are often young and tend to adopt a “cloud-first” architecture. Benjamin Read, Director of Strategic Threat Intelligence at Wiz, states: “We believe TraderTraitor focuses on cloud-related vulnerabilities because the data is there, and so is the money.” The scale of these hacker organizations is astonishing; Read estimates that the related personnel “could number in the thousands,” operating in multiple overlapping teams. In the first half of 2025 alone, they stole a total of $1.6 billion in cryptocurrencies.
“While it’s difficult to arrive at a specific figure, it is evident that the North Korean regime is investing substantial resources.” Jamie Collier, Senior Advisor at Google Threat Intelligence Group, points out that North Korean hackers are pioneers in adopting new technologies, as they have already begun using artificial intelligence (AI) to generate “more persuasive relationship-building emails” and to script malicious content. The use of AI has produced a “multiplier effect” in their capabilities, allowing them to scale their attacks. “When contacting targets, they often impersonate headhunters, journalists, subject matter experts, or university professors,” he adds, noting that they typically communicate back and forth several times to establish rapport with their targets.
According to a report from TRM Labs, 35% of the cryptocurrency funds stolen globally last year flowed to North Korea. Experts unanimously agree that given the continuously evolving techniques and flexible strategies of North Korean hacker organizations, they will remain one of the leading threats in the cryptocurrency space for the foreseeable future. Collier concludes: “We see no signs that they will slow down and expect this expansion to continue.”
References: decrypt, google cloud