August 5, 2025
Crypto

North Korean Hackers Are Using Fake Job Offers to Breach Cloud Systems, Steal Billions in Crypto
North Korean hacking groups are using the lure of freelance IT work to gain access to cloud systems and steal cryptocurrencies worth millions of dollars, according to separate research from Google Cloud and security firm Wiz.

Google Cloud’s H2 2025 Cloud Threat Horizons Report reveals that Google Threat Intelligence Group is “actively tracking” UNC4899, a North Korean hacking unit that successfully hacked two companies after contacting employees via social media.

In both cases, UNC4899 gave the employees tasks that led them to run malware on their workstations, which let the group establish connections between its command-and-control infrastructure and the target companies’ cloud environments.

From that foothold, UNC4899 was able to explore the victims’ cloud environments, obtain credential material, and ultimately identify the hosts responsible for processing crypto transactions.

While each separate incident targeted different (unnamed) companies and different cloud services (Google Cloud and AWS), both resulted in the theft of “several millions worth of crypto.”

The use of job lures by North Korean hackers is now “quite common and widespread,” reflecting a considerable degree of sophistication, Jamie Collier, the Lead Threat Intelligence Advisor for Europe at Google Threat Intelligence Group, told Decrypt.

“They frequently pose as job recruiters, journalists, subject matter experts, or college professors when contacting targets,” he said, adding that they often communicate back and forth several times in order to build a rapport with targets.

Inside North Korea’s Hiring Scams Targeting Crypto Firms

Collier explains that North Korean threat actors were among the first to quickly adopt new technologies such as AI, which they use to produce “more convincing rapport-building emails” and to write their malicious scripts.

Also reporting on UNC4899’s exploits is cloud security firm Wiz, which notes that the group is also referred to by the names TraderTraitor, Jade Sleet, and Slow Pisces.

TraderTraitor is a label for a certain kind of threat activity rather than a specific group: the North Korea-backed entities Lazarus Group, APT38, BlueNoroff, and Stardust Chollima have all been behind typical TraderTraitor operations, Wiz said.

In its analysis of UNC4899/TraderTraitor, Wiz notes that the campaigns began in 2020 and that, from the start, the responsible hacking groups used job lures to coax employees into downloading malicious crypto apps built in JavaScript and Node.js on the Electron framework.
