
A North Korea-affiliated hacking group known as UNC4899 has been linked to a pair of cyberattacks targeting employees of two separate organizations through LinkedIn and Telegram, leveraging fake freelance job offers to breach cloud infrastructure and siphon off millions in cryptocurrency.
According to Google Cloud’s Cloud Threat Horizons Report for the second half of 2025, the attackers used social engineering tactics to deceive victims into executing malicious Docker containers on their workstations. This initial compromise allowed the group to penetrate both Google Cloud and Amazon Web Services (AWS) environments, where they deployed malware designed to facilitate deeper intrusion and ultimately extract digital assets.
UNC4899, also tracked as TraderTraitor, Jade Sleet, PUKCHONG, and Slow Pisces, has been active since at least 2020 and is widely known for targeting cryptocurrency and blockchain firms. It is reportedly tied to North Korea’s Reconnaissance General Bureau, specifically its Third Bureau, and is believed to be the regime’s most prolific unit involved in cryptocurrency theft. The group has previously been implicated in high-profile heists, including the $625 million Axie Infinity breach in 2022, the $308 million DMM Bitcoin theft in 2024, and a record $1.4 billion Bybit incident earlier this year.
In the most recent intrusions, UNC4899 used stolen credentials and cloud command-line tools to interact with compromised systems. In the Google Cloud attack, access was initially blocked by multi-factor authentication (MFA), but the attackers circumvented this by identifying administrative credentials, disabling MFA, gaining access, and then re-enabling MFA to avoid detection. On AWS, the threat actors used long-term access keys found in credential files to interact with the environment via the AWS CLI, later stealing session cookies to identify and manipulate S3 buckets and CloudFront distributions.
“UNC4899 leveraged the inherent administrative permissions applied to their access to upload and replace existing JavaScript files with those containing malicious code,” Google reported. These modifications were intended to manipulate cryptocurrency transactions and redirect funds to wallets controlled by the attackers.
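The two control-plane patterns described above (an MFA device disabled and quickly re-enabled on the same account, and JavaScript objects overwritten in a bucket that backs a CDN distribution) are both visible in cloud audit logs. The following detection sketch is an added example written for this article, not code from Google's report or from any of the organizations involved. It runs over constructed CloudTrail-style JSON records (the sample records, user names, bucket name and access key IDs are made up), and assumes the defender maintains a list of S3 buckets that serve as CloudFront origins; the only facts it relies on are the real IAM and S3 API names (DeactivateMFADevice, EnableMFADevice, PutObject) and the AWS convention that long-term IAM user keys begin with "AKIA" while temporary STS keys begin with "ASIA".

```python
"""Detection sketch for two audit-log patterns: MFA disable/re-enable on one
account, and .js overwrites in CDN origin buckets. Added example; the sample
records below are constructed, not real data from the incidents."""
import json
from datetime import datetime, timedelta

# Constructed sample audit records; field names follow CloudTrail's schema.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2025-06-01T10:00:00Z", "eventName": "DeactivateMFADevice",
     "userIdentity": {"userName": "admin-svc", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"userName": "ops-user"}},
    {"eventTime": "2025-06-01T10:02:30Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "ops-user"}, "requestParameters": {}},
    {"eventTime": "2025-06-01T10:05:10Z", "eventName": "EnableMFADevice",
     "userIdentity": {"userName": "admin-svc", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"userName": "ops-user"}},
    {"eventTime": "2025-06-01T10:20:00Z", "eventName": "PutObject",
     "userIdentity": {"userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE000000002"},
     "requestParameters": {"bucketName": "site-assets-example", "key": "static/app.js"}},
    {"eventTime": "2025-06-01T10:21:00Z", "eventName": "PutObject",
     "userIdentity": {"userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE000000002"},
     "requestParameters": {"bucketName": "site-assets-example", "key": "img/logo.png"}},
    {"eventTime": "2025-06-01T11:00:00Z", "eventName": "PutObject",
     "userIdentity": {"userName": "ci-role-session", "accessKeyId": "ASIAEXAMPLE000000003"},
     "requestParameters": {"bucketName": "site-assets-example", "key": "static/vendor.js"}},
])

# Assumed inventory: buckets that act as CloudFront origins (constructed name).
CLOUDFRONT_ORIGIN_BUCKETS = frozenset({"site-assets-example"})


def parse_events(text):
    """Parse newline-delimited JSON audit records into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_mfa_toggles(events, window=timedelta(hours=1)):
    """Flag an MFA deactivation that is followed by re-enablement on the same
    target account within `window`; a legitimate device swap rarely looks like this."""
    findings = []
    pending = {}  # target user -> deactivation record awaiting a matching enable
    for rec in events:
        target = rec.get("requestParameters", {}).get("userName")
        if rec["eventName"] == "DeactivateMFADevice":
            pending[target] = rec
        elif rec["eventName"] == "EnableMFADevice" and target in pending:
            off = pending.pop(target)
            gap = rec["ts"] - off["ts"]
            if gap <= window:
                findings.append({
                    "rule": "mfa_disabled_then_reenabled",
                    "target_user": target,
                    "actor": off["userIdentity"].get("userName"),
                    "gap_seconds": int(gap.total_seconds()),
                })
    return findings


def find_js_overwrites(events, origin_buckets):
    """Flag PutObject of .js keys into CDN origin buckets and record whether the
    call used a long-term IAM user key (prefix 'AKIA') rather than an STS key ('ASIA')."""
    findings = []
    for rec in events:
        if rec["eventName"] != "PutObject":
            continue
        params = rec.get("requestParameters", {})
        key = params.get("key", "")
        if params.get("bucketName") in origin_buckets and key.lower().endswith(".js"):
            akid = rec["userIdentity"].get("accessKeyId", "")
            findings.append({
                "rule": "js_overwrite_on_cdn_origin",
                "bucket": params["bucketName"],
                "key": key,
                "actor": rec["userIdentity"].get("userName"),
                "long_term_key": akid.startswith("AKIA"),
            })
    return findings


def run_detections(text, origin_buckets=CLOUDFRONT_ORIGIN_BUCKETS):
    """Run both rules over a batch of JSON-lines records and return the findings."""
    events = parse_events(text)
    return {"mfa": find_mfa_toggles(events),
            "js": find_js_overwrites(events, origin_buckets)}


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        for hit in hits:
            print(rule, json.dumps(hit))
```

On the sample data the first rule fires once (ops-user, MFA off for 310 seconds) and the second fires twice, with the app.js write attributed to a long-term key; the logo.png write is ignored because only script objects that a CDN serves to end users matter here. In production the JS rule would be paired with an allow-list of expected deployment principals, since a release pipeline overwriting scripts is normal and an IAM user's static key doing so outside a deployment window is not.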
Both attacks ended in the theft of cryptocurrency worth several million dollars, underscoring the persistent and sophisticated nature of the threat actor.
The revelations coincide with a broader surge in activity by North Korea-linked groups in 2025. Software supply chain security firm Sonatype said it intercepted and blocked 234 malicious npm and PyPI packages tied to the Lazarus Group, another major North Korean hacking unit. These packages mimic popular developer tools but are designed to steal credentials, gather system information, and establish persistent access to critical systems. Many contain a credential stealer known as BeaverTail, associated with the long-running “Contagious Interview” campaign.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543