What Happened?
A North Korean hacker organization has begun luring employees of target companies with offers of high-paying freelance IT jobs, making contact through social platforms such as LinkedIn and Telegram. The attackers build trust and then deceive victims into executing malicious programs, thereby breaching corporate internal systems. Their ultimate goal is access to the company's cloud platforms (such as AWS and Google Cloud). Because cryptocurrency companies generally adopt a "cloud-first" architecture, the cloud has become the "vault" where critical assets are stored. After obtaining initial access, the hackers move laterally into the cloud, steal credentials, and search for the servers that process transactions in order to steal cryptocurrency worth millions of dollars. Such attacks are not isolated incidents; they are orchestrated by state-level organizations with thousands of members and have resulted in billions of dollars in losses. The hackers' techniques continue to evolve: they not only know how to bypass security mechanisms but have also begun using AI to create more convincing phishing emails and malicious scripts, significantly increasing both the scale and the success rate of their operations.
Is a “Dream Job” Invitation the Beginning of a Company Disaster?
According to a recent research report by Google Cloud and cloud security firm Wiz, North Korean hacker organizations are employing social engineering tactics, using high-paying freelance positions as bait to deceive tech professionals and infiltrate corporate cloud systems, thereby stealing cryptocurrency worth millions of dollars. Google Cloud points out in its "Cloud Threat Landscape Report for the Second Half of 2025" that the Google Threat Intelligence Group (GTIG) is actively tracking a North Korean hacker organization known as "UNC4899." This organization is believed to be affiliated with the North Korean Reconnaissance General Bureau, and its activity overlaps heavily with the publicly reported "TraderTraitor" threat behavior.

The report describes two real cases that occurred between Q3 2024 and Q1 2025, in which members of UNC4899 contacted employees of different companies through social platforms such as LinkedIn and Telegram, posing as providers of freelance software development opportunities. After establishing trust over multiple conversations, the hackers assigned tasks that lured the employees into executing malware on their workstations. Once an employee was hooked, malware such as the downloader "GLASSCANNON" and the backdoors "PLOTTWIST" and "MAZEWIRE" was implanted, establishing a connection to the hackers' command and control infrastructure. From there, the hackers conducted reconnaissance on the victim company's internal network, stole login credentials, and ultimately shifted their focus to the corporate cloud environment.

The report details one such attack targeting Google Cloud: using stolen credentials, the hackers operated remotely through an anonymous VPN service and successfully located the server responsible for processing cryptocurrency transactions. Although multi-factor authentication (MFA) protections initially blocked them, the hackers eventually discovered an account with administrative privileges. They briefly disabled the MFA requirement on that account, stole "cryptocurrency worth millions of dollars," and then quickly re-enabled MFA to cover their tracks, demonstrating a highly calculated approach. Another incident occurred in an AWS cloud environment and likewise resulted in millions of dollars in cryptocurrency losses.
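The disable-then-re-enable MFA sequence described above leaves a distinctive trace in cloud identity audit logs, and a detection that pairs each MFA-disable event with the next re-enable on the same account, recording what that account did in between, surfaces it even when the window is only minutes long. The following is an added illustration written for this article, not code from the Google Cloud or Wiz reports; the log schema (fields `ts`, `actor`, `target_account`, `action`, `source_ip`, action names `mfa.disable` / `mfa.enable`) and the sample events are constructed for the example, and real CloudTrail or Google Cloud audit records use different field and event names.

```python
"""Flag short 'MFA off' windows on cloud identities and what happened inside them."""
import json
from datetime import datetime

# Constructed sample audit events (not real data). The schema is an assumption
# chosen for this example; map real provider events onto it before use.
SAMPLE_LOG = """
{"ts": "2025-01-10T02:11:05Z", "actor": "admin-ops", "target_account": "admin-ops", "action": "mfa.disable", "source_ip": "203.0.113.7"}
{"ts": "2025-01-10T02:13:40Z", "actor": "admin-ops", "target_account": "admin-ops", "action": "iam.role.assume", "source_ip": "203.0.113.7"}
{"ts": "2025-01-10T02:20:12Z", "actor": "admin-ops", "target_account": "admin-ops", "action": "secrets.read", "source_ip": "203.0.113.7"}
{"ts": "2025-01-10T02:41:59Z", "actor": "admin-ops", "target_account": "admin-ops", "action": "mfa.enable", "source_ip": "203.0.113.7"}
{"ts": "2025-01-12T09:00:00Z", "actor": "helpdesk", "target_account": "alice", "action": "mfa.disable", "source_ip": "198.51.100.4"}
{"ts": "2025-01-12T09:02:00Z", "actor": "helpdesk", "target_account": "alice", "action": "mfa.enable", "source_ip": "198.51.100.4"}
{"ts": "2025-01-13T22:00:00Z", "actor": "bob", "target_account": "bob", "action": "mfa.disable", "source_ip": "192.0.2.9"}
"""

MFA_DISABLE_ACTIONS = {"mfa.disable"}
MFA_ENABLE_ACTIONS = {"mfa.enable"}


def parse_events(raw):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _finding(window, enable_ev):
    """Build one finding for a disable event and its matching enable (or None)."""
    d = window["disable"]
    duration = (enable_ev["ts"] - d["ts"]) if enable_ev else None
    self_service = d["actor"] == d["target_account"]
    # Highest severity: MFA never came back, or the account acted while MFA was off.
    # Self-service toggles with no activity are still worth a look; a reset by a
    # different actor (e.g. helpdesk) with no activity in between is the least suspicious.
    if enable_ev is None or window["actions"]:
        severity = "high"
    elif self_service:
        severity = "medium"
    else:
        severity = "low"
    return {
        "account": d["target_account"],
        "disabled_by": d["actor"],
        "source_ip": d["source_ip"],
        "minutes_off": None if duration is None else round(duration.total_seconds() / 60, 1),
        "actions_while_off": window["actions"],
        "severity": severity,
    }


def find_mfa_toggles(events):
    """Pair each MFA disable with the next enable on the same account.

    While a window is open, every action performed by that account is recorded
    so the finding shows what was done under weakened authentication. Windows
    that never close (MFA still disabled) are reported as well.
    """
    findings = []
    open_windows = {}  # target_account -> {"disable": event, "actions": [...]}
    for ev in events:
        action = ev["action"]
        if action in MFA_DISABLE_ACTIONS:
            open_windows[ev["target_account"]] = {"disable": ev, "actions": []}
        elif action in MFA_ENABLE_ACTIONS:
            window = open_windows.pop(ev["target_account"], None)
            if window is not None:
                findings.append(_finding(window, ev))
        elif ev["actor"] in open_windows:
            open_windows[ev["actor"]]["actions"].append(action)
    # Anything still open at the end of the log is an account left without MFA.
    for window in open_windows.values():
        findings.append(_finding(window, None))
    return findings


if __name__ == "__main__":
    for f in find_mfa_toggles(parse_events(SAMPLE_LOG)):
        print(json.dumps(f))
```

On the constructed sample the rule produces three findings: the self-disabled administrator account that assumed a role and read secrets during a thirty-minute window (high), a helpdesk-initiated reset of a user with nothing in between (low), and an account whose MFA was never re-enabled (high). Because the attack in the report closed the window within minutes, a daily "who has MFA disabled right now" report would have missed it; correlating the disable and enable events is what makes the pattern visible.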
The Evolution of Malicious Attacks and Their Massive Scale
The report by security firm Wiz also confirms this threat, noting that "TraderTraitor" is better understood as an umbrella term for an activity pattern that spans several well-known North Korean hacker groups, including the "Lazarus Group," "APT38," and "BlueNoroff." The activity can be traced back to 2020, when these groups began using job bait to entice employees into downloading malicious cryptocurrency applications built on JavaScript and Node.js. It has led to several major cybersecurity incidents, including the Lazarus Group's theft of $620 million in assets from the sidechain of the well-known blockchain game Axie Infinity. By 2024 they had intensified their focus on cryptocurrency exchanges, carrying out several staggering thefts, including a $305 million heist from the Japanese exchange DMM Bitcoin and a $1.5 billion hack against Bybit at the end of 2024.
The Cloud as the Main Battleground, AI Fuels Threats
Analysts assess that North Korean hackers are concentrating on cloud systems because companies in the cryptocurrency industry are typically newer and tend to adopt a "cloud-first" architecture. Benjamin Read, Director of Strategic Threat Intelligence at Wiz, stated, "We believe TraderTraitor focuses on cloud-related vulnerabilities because the data is there, and the money is there." The scale of these hacker organizations is staggering; Read estimates that the number of people involved could be "as many as several thousand," operating across multiple overlapping teams. In just the first half of 2025, the total amount of cryptocurrency they stole had already reached $1.6 billion. "While it's difficult to arrive at a specific number, it's clear that the North Korean regime is investing substantial resources."

Jamie Collier, European advisor at the Google Threat Intelligence Group, pointed out that North Korean hackers are early adopters of new technology; they have already begun using artificial intelligence (AI) to generate "more persuasive relationship-building emails" and to write malicious scripts. AI has had a "multiplier effect" on their capabilities, allowing them to scale up their attacks. "When contacting targets, they often impersonate headhunters, journalists, subject matter experts, or university professors," he added, noting that they usually exchange several messages to build rapport with the target before acting.

According to a report by TRM Labs, 35% of the cryptocurrency funds stolen globally last year flowed to North Korea. Experts agree that, given the continuously evolving techniques and flexible strategies of North Korean hacker organizations, they will remain one of the major threats in the cryptocurrency domain for the foreseeable future. Collier concluded, "We have seen no signs that they will slow down, and we expect this expansion to continue."
References: Decrypt, Google Cloud