
Analysis: North Korean hackers lure victims into running malicious programs to infiltrate systems, having stolen $1.6 billion in cryptocurrency this year

2025-08-05 09:05:28

ChainCatcher news: according to Decrypt, citing research by Google Cloud and cybersecurity company Wiz, North Korean hacker groups are infiltrating cloud systems through fake IT job offers, with an estimated $1.6 billion in cryptocurrency stolen by 2025. The research shows that a hacker team codenamed UNC4899 (also known as TraderTraitor, Jade Sleet, or Slow Pisces) impersonates recruiters on social media to lure employees of target companies into running malicious programs, and has successfully breached Google Cloud and AWS systems and hijacked cryptocurrency trading hosts. Wiz states that TraderTraitor represents a type of threat activity rather than a specific group, with the North Korea-backed entities Lazarus Group, APT38, BlueNoroff, and Stardust Chollima being typical masterminds behind TraderTraitor attacks.

This attack pattern has been evolving since 2020: initially using JavaScript to build malicious cryptocurrency applications, introducing open-source code exploits in 2023, and focusing on attacking exchange cloud infrastructure in 2024, including an intrusion incident that caused a $305 million loss to Japan's DMM Bitcoin. Experts point out that North Korean hackers are among the first to adopt AI technology to generate phishing emails and malicious scripts, with their attack teams potentially numbering in the thousands.
