- North Korea-linked group UNC4899 used LinkedIn and Telegram to target employees at two organizations with social engineering attacks.
- The attackers convinced employees to run malicious Docker containers, leading to breaches in Google Cloud and Amazon Web Services (AWS) environments.
- UNC4899, also known as TraderTraitor and other names, has stolen millions of dollars in cryptocurrency, with incidents involving major heists from platforms like Axie Infinity, DMM Bitcoin, and Bybit.
- The attackers bypassed security measures like multi-factor authentication and used stolen credentials and session cookies to access cloud resources and deploy Malware.
- Security researchers report a rise in malware-filled npm and PyPI packages tied to North Korean groups, targeting developers and critical infrastructure.
North Korea-linked Hacking group UNC4899 targeted employees at two companies by contacting them through LinkedIn and Telegram. They posed as offering freelance software development opportunities to trick victims into running malicious Docker containers on their computers.
Google’s Cloud Threat Horizons Report for H2 2025 states that UNC4899 leveraged social engineering to breach cloud platforms used by these companies. The attackers accessed both Google Cloud and Amazon Web Services (AWS) environments, installing malware to compromise company resources and steal cryptocurrency.
The group, which also goes by TraderTraitor, Jade Sleet, PUKCHONG, and Slow Pisces, has been linked to past incidents like the Axie Infinity hack in March 2022 ($625 million), DMM Bitcoin in May 2024 ($308 million), and Bybit in February 2025 ($1.4 billion). According to Wiz, the group favors attacks where it targets customers of cloud platforms rather than the platforms themselves.
The campaign frequently relies on luring targets with job offers or requests to collaborate on developer platforms like npm and GitHub. Attackers often upload malicious npm packages and send them to employees, eventually leading to code execution on internal networks. Google noted that UNC4899 used stolen credentials for cloud access, disabled and then re-enabled multi-factor authentication (MFA) to hide its activities, and used long-term keys and session cookies to manage access.
During these attacks, Google found the attackers used admin permissions to replace legitimate JavaScript files with malicious code, which redirected cryptocurrency transactions to wallets under the attackers’ control. Both victims lost several million dollars as a result.
The report also highlights that Sonatype recently blocked 234 unique malware npm and PyPI packages linked to North Korea’s Lazarus Group. Many of these packages disguised themselves as standard developer tools but contained spyware capable of stealing secrets, capturing user profiles, and setting up persistent access to sensitive systems.
Security firms have observed an increase in malware activity within open source ecosystem registries during the first half of 2025, suggesting a shift by North Korean threat actors toward embedding malicious code directly in widely used software libraries.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- American Eagle Shares Fall 2.25% After Sydney Sweeney Ad Backlash
- Trump Administration Challenges Basel Crypto Rules, Eyes US Influence
- CoinDCX Hit by $44M Hack After Engineer’s Laptop Compromised
- Algeria Expands Ban: All Crypto Activities Now Illegal
- Shiba Inu Poised for 500% Surge as Analysts Eye All-Time High
