N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto

News Room
Last updated: 2025/07/31 at 9:55 AM
News Room Published 31 July 2025

Jul 31, 2025Ravie LakshmananCryptocurrency / Malware

The North Korea-linked threat actor known as UNC4899 has been linked to attacks on two different organizations in which it approached their employees via LinkedIn and Telegram.

“Under the guise of freelance opportunities for software development work, UNC4899 leveraged social engineering techniques to successfully convince the targeted employees to execute malicious Docker containers in their respective workstations,” Google’s cloud division said [PDF] in its Cloud Threat Horizons Report for H2 2025.

UNC4899 overlaps with activity tracked under the monikers Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. Active since at least 2020, the state-sponsored actor is known for its targeting of cryptocurrency and blockchain industries.

Notably, the hacking group has been implicated in significant cryptocurrency heists, including that of Axie Infinity in March 2022 ($625 million), DMM Bitcoin in May 2024 ($308 million), and Bybit in February 2025 ($1.4 billion).

Another example that highlights its sophistication is the suspected exploitation of JumpCloud’s infrastructure to target downstream customers within the cryptocurrency vertical.

According to DTEX, TraderTraitor is affiliated with the Third Bureau (or Department) of North Korea’s Reconnaissance General Bureau and is the most prolific of any of the Pyongyang hacking groups when it comes to cryptocurrency theft.

Attacks mounted by the threat actor have entailed leveraging job-themed lures or uploading malicious npm packages, and then approaching employees at target companies with a lucrative opportunity or asking them to collaborate on a GitHub project that would then lead to the execution of the rogue npm libraries.

“TraderTraitor has demonstrated a sustained interest in cloud-centric and cloud-adjacent attack surfaces, often with a final goal of compromising companies that are customers of cloud platforms rather than the platforms themselves,” cloud security firm Wiz said in a detailed report of TraderTraitor this week.

The attacks observed by Google Cloud targeted the respective organizations’ Google Cloud and Amazon Web Services (AWS) environments, paving the way for a downloader called GLASSCANNON that’s then used to serve backdoors like PLOTTWIST and MAZEWIRE that can establish connections with an attacker-controlled server.

In the incident involving the Google Cloud environment, the threat actors were found to have used stolen credentials to interact remotely through the Google Cloud CLI over an anonymous VPN service, carrying out extensive reconnaissance and credential theft. However, their efforts were thwarted by the multi-factor authentication (MFA) configuration applied to the stolen credentials.

“UNC4899 eventually determined the victim’s account had administrative privileges to the Google Cloud project and disabled the MFA requirements,” Google said. “After successfully gaining access to the targeted resources, they immediately re-enabled MFA to evade detection.”
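
The disable-then-re-enable sequence described above leaves two audit events close together for the same account. The following detection sketch is an added example, not code from Google's report or from this article; it pairs those events over constructed, normalized audit records, and the field names and action labels are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names and the action labels "mfa_disabled" /
# "mfa_enabled" are hypothetical: map your provider's audit schema onto them.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T10:00:00", "actor": "dev@example.com", "target": "dev@example.com", "action": "mfa_disabled"},
    {"ts": "2025-07-01T10:02:10", "actor": "dev@example.com", "target": "bucket-a", "action": "storage_read"},
    {"ts": "2025-07-01T10:09:30", "actor": "dev@example.com", "target": "dev@example.com", "action": "mfa_enabled"},
    # Routine enrollment: admin resets a new hire's MFA, re-enabled two days later.
    {"ts": "2025-07-02T09:00:00", "actor": "admin@example.com", "target": "new@example.com", "action": "mfa_disabled"},
    {"ts": "2025-07-04T09:00:00", "actor": "admin@example.com", "target": "new@example.com", "action": "mfa_enabled"},
]


def find_mfa_toggles(events, window=timedelta(minutes=30)):
    """Flag accounts whose MFA was disabled and re-enabled within `window`.

    Each finding lists what the unprotected account did during the gap.
    """
    open_gaps = {}  # account -> (time MFA was disabled, who disabled it, actions since)
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        when = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "mfa_disabled":
            open_gaps[ev["target"]] = (when, ev["actor"], [])
        elif ev["action"] == "mfa_enabled":
            gap = open_gaps.pop(ev["target"], None)
            if gap and when - gap[0] <= window:
                findings.append({
                    "account": ev["target"],
                    "disabled_by": gap[1],
                    "gap_seconds": int((when - gap[0]).total_seconds()),
                    "actions_in_gap": gap[2],
                })
        elif ev["actor"] in open_gaps:
            # Activity by an account while its MFA requirement is off.
            open_gaps[ev["actor"]][2].append(ev["action"])
    return findings


if __name__ == "__main__":
    for finding in find_mfa_toggles(SAMPLE_EVENTS):
        print(finding)
```

An MFA disable with no matching re-enable is a separate alert condition and is not reported by this function.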

The intrusion targeting the second victim’s AWS environment is said to have followed a similar playbook, only this time the attackers used long-term access keys obtained from an AWS credential file to interact remotely via AWS CLI.

Although the threat actors ran into access control roadblocks that prevented them from performing any sensitive actions, Google said it found evidence that likely indicated the theft of the user’s session cookies. These cookies were then used to identify relevant CloudFront configurations and S3 buckets.

UNC4899 “leveraged the inherent administrative permissions applied to their access to upload and replace existing JavaScript files with those containing malicious code, which were designed to manipulate cryptocurrency functions and trigger a transaction with the cryptocurrency wallet of a target organization,” Google said.

The attacks, in both cases, ended with the threat actors successfully withdrawing several million worth of cryptocurrency, the company added.

The development comes as Sonatype said it flagged and blocked 234 unique malware npm and PyPI packages attributed to North Korea’s Lazarus Group between January and July 2025. Some of these libraries are configured to drop a known credential stealer referred to as BeaverTail, which is associated with a long-running campaign dubbed Contagious Interview.

“These packages mimic popular developer tools but function as espionage implants, designed to steal secrets, profile hosts, and open persistent backdoors into critical infrastructure,” the software supply chain security firm said. “The surge of activity in H1 2025 demonstrates a strategic pivot: Lazarus is now embedding malware directly into open source package registries, namely npm and PyPI, at an alarming rate.”
