
North Korean hacker groups are increasingly using lures in the form of freelance IT and crypto work to gain access to cloud systems and steal cryptocurrency. A report from Google Cloud says that the Google Threat Intelligence Group is “actively tracking” UNC 4899 (TraderTraitor, Jade Sleet, or Slow Pisces), a DPRK hacking unit that successfully hacked two companies after contacting employees through social media. It is associated with the Lazarus Group and Kimsuky Group.
In both cases, UNC 4899 gave employees tasks that led to the launch of malware on their workstations, allowing the attackers to establish a connection between their command centers and the cloud systems of the targeted companies.
As a result, UNC 4899 was able to investigate the victims’ cloud environments, obtaining credentials and eventually identifying the hosts responsible for processing cryptocurrency transactions. Although the two incidents targeted different companies and cloud services (Google Cloud and AWS), both resulted in the theft of cryptocurrency worth several million.
Since the beginning of 2025, North Korean hackers have already stolen about $1.6 billion.
They were among the first to quickly adopt new technologies, such as AI, which they use to create more convincing emails and to write their own malicious scripts.
The TraderTraitor group is also responsible for the largest attacks: the $305 million hack of the Japanese exchange DMM Bitcoin, as well as the $1.5 billion hack of the Bybit crypto exchange.
North Korea is becoming a leader in cryptocurrency hacking: the country was responsible for 35% of all stolen funds last year.
Source: Cloud Threat Horizons Report H2 2025