North Korean hackers suspected to target crypto owners via clouds

Another crypto-stealing technique attributed to North Korean hackers has been found. They’re now using social engineering to compromise cloud solutions and steal crypto assets.
The latest example comes from Google Cloud’s H2 2025 Cloud Threat Horizons Report. It details how the UNC4899 hacker group – suspected "with high confidence" to be another North Korean state-sponsored threat actor – is exploiting cloud technologies. The group is said to have been active since at least 2020 and primarily targets the crypto industry.
The report tells a "tale of two thefts" as UNC4899 is suspected to have affected one victim’s Google Cloud environment and another’s AWS environment between Q3 2024 and Q1 2025. Google's cybersecurity arm, Mandiant, responded to both incidents.
The initial phases of the attacks were similar. The criminals contacted employees in both organizations via social media, pretending to be freelance software developers, and tricked them into executing malicious Docker containers on their workstations. This eventually helped the hackers obtain credential materials to access the organizations' cloud environments.
Because the victims’ environments differed, the subsequent attack phases differed as well. In one victim’s Google Cloud environment, the criminals identified hosts critical to conducting crypto asset transactions and eventually disabled multi-factor authentication (MFA) to evade detection.
"Several days after the actors initially contacted the victim on Telegram, UNC4899 successfully withdrew several million’s worth of cryptocurrency," the report said.
In a separate victim’s AWS environment, the criminals faced other challenges, such as identity and access management policy restrictions, that required them to use temporary credentials obtained through the platform’s security token service. However, after bypassing all the hurdles, the hackers also stole "several million dollars worth of cryptocurrency."
To defend an organization from threat actors trying to bypass MFA, exploit stolen session tokens or cookies, and exploit trust via social engineering, Google Cloud recommends fortifying identity with MFA and session management, and enhancing endpoint and cloud workload threat detection.
Additionally, the report suggested that implementing granular segmentation and zero trust and securing software development and supply chains could help prevent threat actors from leveraging unsecured cloud credentials and manipulating code review processes and continuous integration (CI) and continuous delivery/deployment (CD) pipelines.