Cybersecurity researchers from Google Cloud and Wiz have warned that millions of dollars in digital assets are being stolen by North Korean state-backed operators who pose as recruiters and use fraudulent job offers to compromise employees at cryptocurrency firms.
Separate reports from the two firms track UNC4899, also known as TraderTraitor, a North Korean threat group believed to be affiliated with the country's military intelligence.
Google Cloud's H2 2025 Cloud Threat Horizons report attributes UNC4899 to the Reconnaissance General Bureau, North Korea's main foreign intelligence agency.
The group is believed to have been active since at least 2020, focusing on the blockchain and cryptocurrency sectors and combining sophisticated social engineering with cloud-specific attack techniques.
The UNC4899 Playbook: How Hackers Breached Cloud Environments
Google detailed two separate incidents in which UNC4899 compromised employees at different organizations, one running on Google Cloud and the other on AWS. In both cases the attackers posed as freelance recruiters and made initial contact with employees via LinkedIn or Telegram.
Once a conversation was under way, victims were persuaded to run malicious Docker containers on their workstations; these deployed downloaders and backdoors that connected to attacker-controlled infrastructure.
Within days, the group moved laterally through internal networks, harvesting credentials and identifying the infrastructure used for cryptocurrency transfers.
In one incident, UNC4899 disabled multi-factor authentication on a privileged Google Cloud account, gaining access to wallet-related services. After millions of dollars' worth of cryptocurrency had been stolen, the group re-enabled MFA to avoid detection. The disable-then-re-enable sequence on a privileged account is itself a signal worth alerting on, whatever the account does in between.
In the separate AWS incident, the attackers obtained long-term access keys but were initially blocked by the victim's mandatory use of temporary credentials and MFA. They bypassed those controls by stealing session cookies, which let them modify JavaScript files hosted in AWS S3 buckets.
The attackers altered the files so that cryptocurrency wallet interactions were redirected to addresses under their control, resulting in another multimillion-dollar theft.
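The two detection opportunities in the incidents above, an MFA disable followed shortly by a re-enable on a privileged account, and a JavaScript object in a web-facing bucket being rewritten by something other than the deploy pipeline, as an added example that is not code from Google, Wiz or the affected firms. The log lines are constructed for illustration and use a simplified, invented event schema (`actor`, `action`, `target`) rather than the real Cloud Audit Logs or CloudTrail formats; the account names, the `frontend-bucket` name and the `ci-deploy-role` principal are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events in a simplified, invented schema (not the real
# Google Cloud Audit Logs or AWS CloudTrail format). Accounts, bucket, role name
# and IPs are assumptions for illustration only.
SAMPLE_LOG = """\
{"ts": "2025-06-01T09:12:00Z", "actor": "alice@example.com", "action": "mfa.disable", "target": "alice@example.com", "src_ip": "203.0.113.7"}
{"ts": "2025-06-01T09:40:00Z", "actor": "alice@example.com", "action": "wallet.transfer", "target": "hot-wallet-1", "src_ip": "203.0.113.7"}
{"ts": "2025-06-01T11:05:00Z", "actor": "alice@example.com", "action": "mfa.enable", "target": "alice@example.com", "src_ip": "203.0.113.7"}
{"ts": "2025-06-02T14:00:00Z", "actor": "bob@example.com", "action": "mfa.disable", "target": "bob@example.com", "src_ip": "198.51.100.4"}
{"ts": "2025-06-03T08:00:00Z", "actor": "ci-deploy-role", "action": "s3.PutObject", "target": "frontend-bucket/app/wallet.js", "src_ip": "10.0.0.5"}
{"ts": "2025-06-03T20:31:00Z", "actor": "alice@example.com", "action": "s3.PutObject", "target": "frontend-bucket/app/wallet.js", "src_ip": "203.0.113.7"}
{"ts": "2025-06-03T20:32:00Z", "actor": "alice@example.com", "action": "s3.PutObject", "target": "frontend-bucket/assets/logo.png", "src_ip": "203.0.113.7"}
"""

PRIVILEGED_ACCOUNTS = {"alice@example.com"}  # accounts that can reach wallet services (assumed)
DEPLOY_PRINCIPALS = {"ci-deploy-role"}       # the only identity expected to write front-end code (assumed)
WEB_BUCKET_PREFIX = "frontend-bucket/"       # bucket serving the wallet front end (assumed)


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def mfa_toggle_alerts(events, privileged, window=timedelta(hours=24)):
    """Flag privileged accounts whose MFA was disabled and then re-enabled within
    `window`, listing what the account did while MFA was off. A disable that is
    never re-enabled is reported as well, since that is at least as bad."""
    alerts, pending = [], {}
    for e in events:
        if e["action"] == "mfa.disable" and e["target"] in privileged:
            pending[e["target"]] = e
        elif e["action"] == "mfa.enable" and e["target"] in pending:
            off = pending.pop(e["target"])
            if e["ts"] - off["ts"] <= window:
                between = [x["action"] for x in events
                           if x["actor"] == e["target"] and off["ts"] < x["ts"] < e["ts"]]
                alerts.append({"account": e["target"], "kind": "mfa_toggled",
                               "disabled_at": off["ts"], "enabled_at": e["ts"],
                               "actions_while_off": between})
    for account, off in pending.items():
        alerts.append({"account": account, "kind": "mfa_still_disabled",
                       "disabled_at": off["ts"]})
    return alerts


def js_tamper_alerts(events, deploy_principals, bucket_prefix):
    """Flag any write of a JavaScript object into the web bucket by an identity
    other than the deploy pipeline, the pattern used to redirect wallet traffic."""
    return [e for e in events
            if e["action"] == "s3.PutObject"
            and e["target"].startswith(bucket_prefix)
            and e["target"].endswith(".js")
            and e["actor"] not in deploy_principals]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in mfa_toggle_alerts(evs, PRIVILEGED_ACCOUNTS):
        print("MFA alert:", a)
    for a in js_tamper_alerts(evs, DEPLOY_PRINCIPALS, WEB_BUCKET_PREFIX):
        print("JS tamper alert:", a["actor"], "wrote", a["target"], "from", a["src_ip"])
```

On the sample data the first rule surfaces the wallet transfer that happened while MFA was off, and the second rule flags the evening rewrite of `wallet.js` while ignoring both the pipeline's own deploy and the non-script upload. In production the same logic would read the provider's real audit log fields, and the detective control should be paired with preventive ones: object versioning on the bucket so a tampered file can be diffed and rolled back, and Subresource Integrity hashes on the pages that load the scripts so a modified file fails to execute rather than silently redirecting funds.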
A Large-Scale Operation Uncovered
The cloud security firm Wiz has also examined UNC4899 and published separate findings consistent with Google's.
Wiz notes that the group is tracked under several aliases, including Jade Sleet, Slow Pisces, and TraderTraitor. These names sit within a broader cluster of North Korean state-backed activity that also includes the Lazarus Group, BlueNoroff, and APT38.
Although UNC4899 has been active since 2020, fraudulent job offers did not become a central tactic until 2023, when the group began targeting staff at cryptocurrency exchanges in particular, according to a recent Wiz report.
The group is linked to some of the largest breaches on record, including the $305 million theft from Japan's DMM Bitcoin in 2024 and the $1.5 billion Bybit compromise in early 2025.
Wiz warns that cloud infrastructure remains a persistent entry point and target in these attacks, since many cryptocurrency firms run cloud-first environments with limited on-premises defenses.
Crypto Losses Reach Millions
Estimates of the financial damage vary but are consistently high. Google and Wiz each report that UNC4899 stole multiple millions of dollars per breach, while broader figures compiled by private analysts and government bodies point to far larger losses.
A 2024 report from blockchain analytics firm Chainalysis found that North Korean hackers stole $1.34 billion in crypto that year alone. More recently, Wiz researchers estimated that North Korea-linked threat actors had stolen $1.6 billion in digital assets in 2025 as of mid-year.
Separately, independent blockchain investigator ZachXBT has estimated that between 345 and 920 North Korean operatives may hold jobs in the crypto industry under false identities, collectively receiving more than $16 million in salaries since the start of 2025.