North Korean Hackers Exploit Freelance Platforms to Steal Millions in Cryptocurrency

A group of North Korean hackers known as TraderTraitor has exploited freelance job postings to gain access to the cloud systems of IT companies and steal cryptocurrencies. This information is detailed in reports from [Google Cloud](https://services.google.com/fh/files/misc/cloud_threat_horizons_report_h22025.pdf) and [Wiz](https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist).

According to the findings, the unit, also referred to as UNC4899, hacked two unnamed companies between July 2024 and January 2025. Posing as job applicants, the hackers contacted employees of these target organizations via social media and convinced them to execute malicious software on their work computers.

This allowed the attackers to access the victims' Google Cloud and Amazon Web Services environments and identify hosts responsible for processing cryptocurrency transactions.

Both incidents resulted in the theft of “millions of dollars worth of cryptocurrency.”

Google has noted that the practice of employment impersonation has become prevalent among North Korean hackers.

“They often masquerade as recruiters, journalists, subject matter experts, or college professors when reaching out to potential victims,” experts remarked.

Cybercriminals are utilizing AI to craft “more convincing correspondence” and to write malicious scripts. By targeting cloud technologies, hacker groups can strike a wide array of targets, thereby increasing potential profits.

According to Wiz, TraderTraitor’s campaigns began as early as 2020, with exploits linked to the Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. In the first two years, the group managed to breach several organizations, including the [Ronin Network sidechain](https://forklog.com/news/ethereum-sajdchejn-ronin-podvergsya-hakerskoj-atake-zloumyshlennik-vyvel-kriptoaktivy-na-625-mln) of the Axie Infinity game, resulting in a theft of $620 million.

In 2024, the cybercriminals escalated their activities by sending fake resumes while applying for jobs at cryptocurrency exchanges. Experts attribute to the TraderTraitor group the $305 million hack of [DMM Bitcoin](https://forklog.com/news/kriptobirzhu-dmm-bitcoin-vzlomali-na-305-mln), a Japanese platform, and the attack on Bybit, which caused losses of $1.5 billion.

TRM Labs estimates that North Korea-linked groups [stole $1.6 billion](https://forklog.com/news/poteri-kriptorynka-iz-za-hakerov-za-polgoda-dostigli-2-1-mlrd) in the first half of 2025, which constitutes 70% of the total losses during that period.