North Korean IT workers are using fake identities to land remote jobs at crypto firms and steal millions in digital assets, cybersecurity researchers from Google Cloud and Wiz have revealed.
In separate reports, the firms detailed the activities of UNC4899—also known as TraderTraitor—a North Korean threat group linked to the country’s military intelligence.
Google Cloud’s H2 2025 Cloud Threat Horizons Report states that UNC4899 operates under the Reconnaissance General Bureau, North Korea’s primary foreign intelligence agency.
Active since at least 2020, the group has targeted the blockchain and cryptocurrency industries, employing sophisticated social engineering and cloud-focused attack techniques.
How did UNC4899 breach cloud environments?
Google detailed two separate incidents in which UNC4899 infiltrated cloud environments—one involving Google Cloud and the other AWS. In both cases, the hackers posed as freelance job recruiters and contacted employees via LinkedIn or Telegram.
After establishing contact, they tricked victims into running malicious Docker containers on their workstations. These containers launched downloaders and backdoors that connected to attacker-controlled infrastructure.
Within days, UNC4899 moved laterally across internal networks, harvested credentials, and identified systems involved in crypto transactions. In one instance, the group managed to disable multi-factor authentication (MFA) on a privileged Google Cloud account, gaining access to wallet-related services. After stealing crypto worth several million dollars, they re-enabled MFA to avoid detection.
In the AWS-related case, the attackers initially used stolen long-term access keys but were limited by the organization’s use of temporary credentials and MFA. They circumvented these defenses by stealing session cookies, allowing them to manipulate JavaScript files stored in AWS S3 buckets. These files were modified to reroute crypto wallet activity to attacker-controlled addresses, resulting in another multi-million-dollar theft.
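Two of the behaviours described above leave a recognisable trace in cloud audit logs: MFA being disabled on a privileged account and re-enabled once the theft is done, and a JavaScript asset in a storage bucket being rewritten by a principal that is not the normal deployment pipeline. The following detector is an added example written for this article, not code from Google, Wiz or any vendor; the log format, field names (ts, principal, action, target), the 48-hour window and the sample events are all constructed assumptions, not a real provider's schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log, one JSON object per line. Field names and values
# are assumptions for this example, not a real cloud provider's audit schema.
SAMPLE_LOG = """\
{"ts": "2025-03-01T09:00:00Z", "principal": "deploy-bot@example.com", "action": "storage.object.write", "target": "web-assets/app/wallet.js"}
{"ts": "2025-03-02T14:03:00Z", "principal": "admin@example.com", "action": "mfa.disable", "target": "ops-admin@example.com"}
{"ts": "2025-03-02T14:20:00Z", "principal": "ops-admin@example.com", "action": "wallet.signer.read", "target": "projects/treasury/signer"}
{"ts": "2025-03-02T22:40:00Z", "principal": "admin@example.com", "action": "mfa.enable", "target": "ops-admin@example.com"}
{"ts": "2025-03-03T03:12:00Z", "principal": "contractor-session@example.com", "action": "storage.object.write", "target": "web-assets/app/wallet.js"}
{"ts": "2025-03-04T10:00:00Z", "principal": "admin@example.com", "action": "mfa.disable", "target": "analyst@example.com"}
{"ts": "2025-03-10T10:00:00Z", "principal": "admin@example.com", "action": "mfa.enable", "target": "analyst@example.com"}
"""

# Assumed tuning value: an MFA disable/enable pair this close together is worth review.
MFA_WINDOW = timedelta(hours=48)


def parse_log(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_mfa_toggle(events, window=MFA_WINDOW):
    """Flag accounts whose MFA was disabled and re-enabled within `window`.

    Each hit also lists what the account did while MFA was off, which is the
    activity an analyst should review first.
    """
    hits = []
    pending = {}  # account -> the mfa.disable event not yet matched by an enable
    for ev in events:
        if ev["action"] == "mfa.disable":
            pending[ev["target"]] = ev
        elif ev["action"] == "mfa.enable" and ev["target"] in pending:
            off = pending.pop(ev["target"])
            if ev["ts"] - off["ts"] <= window:
                gap_actions = [e["action"] for e in events
                               if e["principal"] == ev["target"]
                               and off["ts"] < e["ts"] < ev["ts"]]
                hits.append({
                    "account": ev["target"],
                    "disabled_by": off["principal"],
                    "disabled_at": off["ts"],
                    "enabled_at": ev["ts"],
                    "actions_while_disabled": gap_actions,
                })
    return hits


def find_unexpected_js_writes(events, allowed_principals):
    """Flag writes to .js objects by any principal outside the deploy allowlist."""
    return [ev for ev in events
            if ev["action"] == "storage.object.write"
            and ev["target"].endswith(".js")
            and ev["principal"] not in allowed_principals]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in find_mfa_toggle(evs):
        print(f"MFA toggled on {h['account']} by {h['disabled_by']} "
              f"({h['disabled_at']} -> {h['enabled_at']}); "
              f"actions while disabled: {h['actions_while_disabled']}")
    for w in find_unexpected_js_writes(evs, {"deploy-bot@example.com"}):
        print(f"unexpected JS write: {w['principal']} -> {w['target']} at {w['ts']}")
```

On the constructed log the first rule fires once (ops-admin, with a wallet signer read inside the gap) and ignores the analyst account, whose re-enable comes six days later; the second rule fires on the contractor session that rewrote wallet.js. In a real deployment the allowlist would be the CI identity that is permitted to publish front-end assets, and the MFA rule would be fed from the identity provider's or cloud audit log rather than an inline string.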
A massive operation
Cloud security firm Wiz also investigated UNC4899 and released separate findings that support Google’s analysis.
According to Wiz, the group is known by several aliases—including Jade Sleet, Slow Pisces, and TraderTraitor—each representing broader tactics employed by various North Korean state-sponsored actors like Lazarus Group, BlueNoroff, and APT38.
While UNC4899 has been active since 2020, Wiz noted that fake job offers became a key tactic starting in 2023, primarily targeting employees at cryptocurrency exchanges.
Some of the most high-profile breaches linked to the group include the $305 million hack of Japan’s DMM Bitcoin and the massive $1.5 billion Bybit breach in late 2024.
Wiz warned that cloud infrastructure continues to be a common attack vector, as many crypto firms operate primarily in cloud-first environments with minimal on-premise defenses.
Millions in Crypto Stolen
Estimates of the financial impact vary, but all point to significant losses. Google and Wiz report that UNC4899 has stolen several million dollars in each incident, while broader assessments from private researchers and government agencies suggest the total is much higher.
A 2024 analysis by blockchain analytics firm Chainalysis revealed that North Korean hackers stole $1.34 billion in crypto that year alone. By mid-2025, Wiz researchers estimated that North Korea-linked threat actors had already siphoned off $1.6 billion in digital assets.
Meanwhile, independent blockchain investigator ZachXBT estimates that between 345 and 920 North Korean operatives have infiltrated crypto companies, collectively earning over $16 million in salaries since the beginning of 2025.