North Korean threat actors are ramping up a sophisticated campaign of cyber theft targeting the cryptocurrency industry, using fake identities and remote job scams to infiltrate firms and siphon off millions of dollars in digital assets.
Cybersecurity researchers at Google Cloud and cloud security firm Wiz have both issued separate but aligned reports warning about the activities of UNC4899—also known as TraderTraitor—an advanced persistent threat group linked to North Korea’s military intelligence agency, the Reconnaissance General Bureau.
According to Google Cloud’s latest H2 2025 Cloud Threat Horizons Report, UNC4899 has been actively targeting the blockchain and cryptocurrency sectors since at least 2020, deploying highly refined social engineering tactics and exploiting cloud-specific vulnerabilities to breach organizations.
In two detailed incidents highlighted by Google, UNC4899 attackers posed as freelance recruiters on platforms like LinkedIn and Telegram. After establishing contact with employees, they convinced victims to run malicious Docker containers on their machines. These containers installed backdoors that gave the hackers access to internal systems.
Once inside, the attackers moved quickly—harvesting credentials, disabling multi-factor authentication (MFA), and identifying infrastructure connected to crypto wallets. In one case, after stealing millions in crypto assets via a compromised Google Cloud account, the attackers even re-enabled MFA to delay detection.
Wiz’s independent analysis corroborates Google’s findings, noting that UNC4899—also known under aliases like Jade Sleet, Slow Pisces, and TraderTraitor—shares overlapping techniques with other North Korean hacking groups such as Lazarus Group, BlueNoroff, and APT38.
The group reportedly shifted focus in 2023 toward using fake job offers as a primary vector of attack, specifically targeting employees at crypto exchanges and blockchain startups. Among their most devastating breaches are the $305 million heist from Japan’s DMM Bitcoin and the massive $1.5 billion Bybit attack in late 2024.
While exact figures vary, both Google and Wiz estimate UNC4899 alone has stolen tens of millions of dollars across multiple incidents. Chainalysis data shows North Korean-linked hackers looted $1.34 billion in crypto during 2024, while Wiz believes the figure has risen to $1.6 billion as of mid-2025.
If you want to read more news articles like this, visit DeFi Planet and follow us on Twitter, LinkedIn, Facebook, Instagram, and CoinMarketCap Community.
“Take control of your crypto portfolio with MARKETS PRO, DeFi Planet’s suite of analytics tools.”
