North Korean IT workers are using remote jobs to infiltrate crypto companies: report

The post North Korean IT workers are using remote jobs to infiltrate crypto companies: report appeared on BitcoinEthereumNews.com.

North Korean IT workers are using fake identities to infiltrate crypto firms and steal millions worth of digital assets through remote job scams, cybersecurity researchers at Google Cloud and Wiz have warned.

Summary

- North Korean threat actor UNC4899 operatives are increasingly targeting crypto companies.
- Both Google Cloud and AWS environments have been exploited by the group in multi-million dollar crypto thefts.

Separate reports published by the firms have tracked UNC4899, also known as TraderTraitor, a North Korean threat group tied to the country’s military intelligence. According to Google Cloud’s H2 2025 Cloud Threat Horizons Report, UNC4899 operates under the Reconnaissance General Bureau, North Korea’s main foreign intelligence agency. The group has remained active since at least 2020, focusing on the blockchain and cryptocurrency sectors while leveraging advanced social engineering tactics and cloud-specific attack techniques.

How did UNC4899 infiltrate cloud environments?

Google described two separate incidents in which UNC4899 compromised employees at different organizations—one using Google Cloud, the other using AWS. In both cases, the hackers posed as freelance job recruiters and approached employees over LinkedIn or Telegram. Once contact was established, they convinced victims to execute malicious Docker containers on their workstations, launching downloaders and backdoors that created links to attacker-controlled infrastructure. Within days, the group moved laterally through internal networks, collected credentials, and identified infrastructure used to handle crypto transactions.

In one case, UNC4899 was able to disable multi-factor authentication on a privileged Google Cloud account to access wallet-related services. After stealing crypto worth several million dollars, they re-enabled MFA to evade detection.
In a separate AWS-related incident, the attackers used stolen long-term access keys but faced restrictions due to the victim’s enforced use of temporary credentials and MFA policies. They bypassed these defenses by stealing session cookies, which allowed them to manipulate JavaScript files stored in AWS S3…
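The disable-steal-re-enable MFA pattern described above is something a detection team can hunt for in identity audit logs. The following is an added example, not code from the report or from Google Cloud; the log line format, field names, role names and sample events are all constructed for illustration and do not correspond to any real product's event schema.

```python
"""Flag privileged accounts whose MFA was disabled and then re-enabled within a
short window, and list what that account did in between. Constructed example:
the log format and action names below are assumptions, not a real schema."""
from datetime import datetime, timedelta

# Constructed sample audit events: timestamp, actor, action, target, target's role.
SAMPLE_LOG = """\
2025-07-01T09:02:11Z admin@example.com mfa.disable ops-wallet@example.com owner
2025-07-01T09:15:40Z ops-wallet@example.com wallet.transfer treasury-hot-1 -
2025-07-01T11:48:03Z admin@example.com mfa.enable ops-wallet@example.com owner
2025-07-02T08:00:00Z hr@example.com mfa.disable intern@example.com viewer
2025-07-03T08:00:00Z hr@example.com mfa.enable intern@example.com viewer
"""

# Only accounts with these (constructed) role names are treated as privileged.
PRIVILEGED_ROLES = {"owner", "editor", "admin"}


def parse(log_text):
    """Parse the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, role = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "actor": actor, "action": action,
                       "target": target, "role": role})
    return events


def find_mfa_toggles(events, window=timedelta(hours=24)):
    """Return (target, disabled_at, enabled_at, actions_in_between) for every
    privileged account whose MFA was disabled and re-enabled within `window`.
    Non-privileged accounts are ignored so routine HR changes do not alert."""
    findings = []
    disabled_at = {}  # target -> timestamp of the most recent mfa.disable
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "mfa.disable" and ev["role"] in PRIVILEGED_ROLES:
            disabled_at[ev["target"]] = ev["ts"]
        elif ev["action"] == "mfa.enable" and ev["target"] in disabled_at:
            t0 = disabled_at.pop(ev["target"])
            if ev["ts"] - t0 <= window:
                # What the account itself did while MFA was off is the key evidence.
                between = [e["action"] for e in events
                           if e["actor"] == ev["target"] and t0 < e["ts"] < ev["ts"]]
                findings.append((ev["target"], t0, ev["ts"], between))
    return findings
```

Accounts left in `disabled_at` after the loop are privileged accounts whose MFA is still off, which is worth a separate alert.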

Aug 5, 2025 - 14:00
