North Korean Hackers Pose as Recruiters, Steal $1.6B Crypto
North Korean hacker groups are ramping up phishing campaigns by posing as IT recruiters to infiltrate cloud systems and steal massive amounts of cryptocurrency. According to the latest report from Google Cloud and cybersecurity firm Wiz, the group stole more than $1.6 billion worth of crypto in 2025 alone.
The Fake Recruitment Tactics Of UNC4899
The group UNC4899—also known as TraderTraitor, Jade Sleet, or Slow Pisces—is backed by the North Korean state. They often approach employees via social media, posing as recruiters, journalists, experts, or professors. Once trust is built, the hackers send job tests embedded with malicious code, which installs spyware and grants them access to the victim company’s cloud systems. Their primary objective is to harvest login credentials and take control of servers processing cryptocurrency transactions.
Direct Attacks On Cloud Systems
Recent attacks have targeted both Google Cloud and AWS, each resulting in millions of dollars in losses. Hackers favor cloud infrastructure because it stores the data and assets of the crypto industry. Groups like Lazarus Group, APT38, BlueNoroff, and Stardust Chollima have coordinated operations, with forces possibly numbering in the thousands.
The Evolution Of The TraderTraitor Campaign
This campaign has continuously evolved for greater effectiveness. From 2020–2022, the group used fake crypto apps built with Electron, JavaScript, and Node.js to trick victims into downloading them. By 2023, they added malicious open-source code to their arsenal. In 2024, the fake job recruitment method intensified, focusing mainly on exchanges, with high-profile attacks such as stealing $305 million from DMM Bitcoin (Japan) and $1.5 billion from Bybit.
AI – A New Weapon For North Korean Hackers
North Korean hackers are quick to adopt new technologies, especially artificial intelligence. AI is used to craft more convincing phishing emails, automatically write malware, and build sophisticated attack scenarios. This combination of social engineering and advanced tech allows them to scale operations and accelerate infiltration.
Security Experts’ Warnings
Experts warn that this group shows no signs of slowing down and is continuing to expand its activities. Benjamin Read from Wiz notes that TraderTraitor focuses heavily on cloud because it is the “data and money center” of the crypto industry. Jamie Collier from Google emphasizes that North Korean hackers are highly adaptable, constantly adjusting to meet the regime’s strategic and financial goals.
Security Recommendations For Crypto Businesses
To defend against these threats, crypto companies should focus on training employees to spot recruitment scams, implementing multi-factor authentication for all cloud access, and enhancing malware scanning and monitoring. These basic measures play a vital role in reducing the risk of falling victim to such sophisticated attacks.