Exposed: North Korean IT Operatives Infiltrate Crypto Firms Through Remote Work
Silicon sleuths uncover a chilling trend—state-backed hackers masquerading as freelance devs.
How they’re doing it
Fake resumes, stolen identities, and LinkedIn profiles polished to a deceptive shine. These aren’t your average job seekers—they’re cyber operatives bypassing sanctions one Zoom interview at a time.
Why crypto? Liquid assets, lax KYC, and CEOs who’d rather ape into memecoins than audit their engineering teams. Perfect targets.
The kicker? Some firms only noticed when ‘employees’ routed paychecks to Pyongyang-linked wallets. Oops.
Another reminder that in crypto, the ‘trustless’ mantra only applies to the tech—not the humans building it.
How did UNC4899 infiltrate cloud environments?
Google described two separate incidents in which UNC4899 compromised employees at different organizations—one using Google Cloud, the other using AWS. In both cases, the hackers posed as freelance job recruiters and approached employees over LinkedIn or Telegram.
Once contact was established, they convinced victims to execute malicious Docker containers on their workstations, launching downloaders and backdoors that created links to attacker-controlled infrastructure.
Within days, the group moved laterally through internal networks, collected credentials, and identified infrastructure used to handle crypto transactions.
In one case, UNC4899 was able to disable multi-factor authentication on a privileged Google Cloud account to access wallet-related services. After stealing crypto worth several million dollars, they re-enabled MFA to evade detection.
In a separate AWS-related incident, the attackers used stolen long-term access keys but faced restrictions due to the victim’s enforced use of temporary credentials and MFA policies. They bypassed these defenses by stealing session cookies, which allowed them to manipulate JavaScript files stored in AWS S3 buckets.
These files were altered to redirect crypto wallet interactions to addresses controlled by the attackers, leading to another multimillion-dollar theft.
A massive operation
Cloud security firm Wiz also analyzed UNC4899 and published separate findings that align with Google’s.
Experts at Wiz noted that the group has gone by multiple aliases, including Jade Sleet, Slow Pisces, and TraderTraitor, with each referring to a broader set of tactics used by different North Korean state-backed entities such as Lazarus Group, BlueNoroff, and APT38.
UNC4899 had been active since 2020, but it wasn’t until 2023 that fake job offers became a central tactic, especially targeting employees at crypto exchanges, the firm said in a recent report.
Among the most high-profile breaches attributed to the group are the $305 million hack of Japan’s DMM Bitcoin and the $1.5 billion Bybit breach in late 2024.
Wiz warned that cloud infrastructure remains a consistent point of entry or exploitation in these attacks, as many crypto firms operate in cloud-first environments with limited on-premise defenses.
Millions in crypto lost
Estimates of the financial damage vary but remain consistently high. According to Google and Wiz, UNC4899 alone has stolen multiple millions of dollars in each incident, while broader figures compiled by private researchers and government agencies point to even larger losses.
A 2024 report from blockchain analytics firm Chainalysis found that North Korean hackers stole $1.34 billion in crypto that year alone. More recently, researchers at Wiz estimated that North Korea-linked threat actors have siphoned off $1.6 billion in digital assets in 2025 as of mid-year.
Separately, independent blockchain investigator ZachXBT has estimated that between 345 and 920 North Korean operatives may have infiltrated jobs in the crypto industry, collectively receiving over $16 million in salaries since the start of 2025.
