
Google Uncovers Cryptocurrency Thefts by North Korean ‘Freelancers’
A group of North Korean hackers known as TraderTraitor exploited freelance job listings to gain access to IT companies’ cloud systems and steal cryptocurrency, according to reports from Google Cloud and Wiz.
According to the data presented, the group, also known as UNC4899, hacked two unnamed companies between July 2024 and January 2025. Posing as job seekers, the hackers contacted employees of the targeted organizations through social networks and convinced them to run malicious software on their work computers.
In this way, the perpetrators gained access to Google Cloud and Amazon Web Services environments and identified hosts responsible for processing crypto transactions.
Both incidents resulted in the theft of “cryptocurrency worth several million.”
Google emphasized that employment-themed attacks have become widespread among North Korean hackers.
“They often pose as recruiters, journalists, subject matter experts, or college professors when contacting potential victims,” experts noted.
To create “more convincing letters” and write malicious scripts, cybercriminals employ AI. Targeting cloud technologies allows hacker groups to impact a wide range of targets, increasing potential revenue.
According to Wiz, TraderTraitor campaigns began as early as 2020, with structures like Lazarus Group, APT38, BlueNoroff, and Stardust Chollima behind the exploits. In the first two years, the group hacked several organizations, including the Ronin Network sidechain of the game Axie Infinity, a theft amounting to $620 million.
In 2024, the cybercriminals intensified their efforts, posing as job applicants and sending fake resumes to bitcoin exchanges. Experts attribute the $305 million hack of the Japanese platform DMM Bitcoin and the attack on Bybit, with $1.5 billion in damages, to the TraderTraitor groups.
According to TRM Labs, in the first half of 2025, North Korea-linked groups stole $1.6 billion, accounting for 70% of the total amount during this period.
Earlier, ForkLog reported that cybercriminals accelerated the pace of laundering crypto assets. The record transfer speed was 4 seconds.