
North Korean Hackers Use Fake Freelance Jobs to Steal Millions in Crypto via Cloud Exploits

North Korean Hackers Pose as Freelancers to Steal Millions in Crypto

North Korean hacking groups are getting craftier—posing as recruiters or freelance employers to trick workers into handing over access to cloud systems. According to research from Google Cloud and security firm Wiz, these groups have stolen millions in cryptocurrency by exploiting trust and a bit of social engineering.

It’s not exactly new, but the approach has become more polished. Google’s latest threat report highlights a group called UNC4899, which successfully breached two companies by reaching out to employees on social media. Posing as potential employers or collaborators, they assigned tasks that, when completed, installed malware on the victims’ workstations. From there, the hackers slipped into cloud systems, hunting for credentials tied to crypto transactions.

Fake Jobs, Real Damage

The tactic isn’t subtle, but it works. Jamie Collier from Google’s Threat Intelligence Group says North Korean hackers often pretend to be recruiters, journalists, or even academics. They’ll exchange messages for days, sometimes weeks, just to build rapport before making their move.

And they’re fast learners. Collier notes these groups were among the first to use AI—not for anything flashy, just to write smoother phishing emails and refine their malware scripts. It’s a small detail, but it makes their scams harder to spot.

Wiz, another security firm tracking UNC4899, says the group goes by other names too: TraderTraitor, Jade Sleet, Slow Pisces. Their campaigns date back to 2020, when they started pushing fake crypto apps built on JavaScript and Node.js. By 2022, they’d already pulled off major heists, including the $620 million Axie Infinity hack.

Last year, they shifted tactics again, embedding malicious code in open-source projects. This year, they’re back to fake job offers—mainly targeting crypto exchanges. Two of the biggest recent breaches, the $305 million DMM Bitcoin hack and the $1.5 billion Bybit theft, have been linked to them.

Why Cloud Systems Are the Weak Spot

Both Google and Wiz point to cloud infrastructure as the common thread in these attacks. Benjamin Read from Wiz puts it bluntly: “That’s where the money is.” Crypto firms, especially newer ones, often rely on cloud-first setups, making them prime targets.

The scale is staggering. Estimates suggest North Korean hackers have stolen around $1.6 billion in crypto so far this year alone. And this isn’t some small-time operation—Read believes these groups employ thousands, working in overlapping teams under different names.

The real takeaway? These hackers aren’t slowing down. A recent TRM Labs report found North Korea was behind 35% of all stolen crypto last year. With AI helping them refine their methods, that number might only grow.

Collier sums it up: “They adapt fast, and they’ve got the resources to keep going.” For anyone handling crypto or cloud systems, that’s a problem with no easy fix.
