North Korean Hackers Hit Crypto Custodian — Is Decentralization the Safer Bet?

August 5, 2025

Summary: How did North Korean hackers infiltrate cloud environments to steal crypto?

They posed as freelance developers on platforms like Telegram and LinkedIn to trick employees into running malicious software. This gave them access to sensitive credentials and allowed them to breach cloud systems like Google Cloud and AWS. 


According to Google Cloud’s H2 2025 Cloud Threat Horizons Report, the company’s Threat Intelligence team is monitoring UNC4899, a North Korea-linked hacking group accused of breaching two organizations after initiating contact with employees through social media platforms.

“Active since at least 2020, UNC4899 primarily targets the cryptocurrency and blockchain industries and has demonstrated a sophisticated capability to execute complex supply chain compromises,” the report stated. 

The report noted that between Q3 2024 and Q1 2025, cybersecurity firm Mandiant responded to two separate incidents linked to UNC4899, impacting one organization’s Google Cloud environment and another’s AWS environment. While the initial and final stages of the intrusions shared common tactics, the methods used during intermediate phases varied, likely reflecting differences in the victims’ system architectures.

The report further details that in the initial stage of these attacks, the hackers established contact with victims via social media platforms, one through Telegram and the other through LinkedIn, posing as freelance software development recruiters.

Targeted employees were then tricked into running malicious Docker containers on their workstations. Running the containers deployed malware, including downloaders like GLASSCANNON and secondary payloads such as the PLOTTWIST and MAZEWIRE backdoors, which ultimately let the attackers connect the compromised hosts to their command-and-control (C2) servers.

“In both cases, UNC4899 conducted several internal reconnaissance activities on the victims’ hosts and connected environments, before obtaining credential materials they used to pivot to the victims’ cloud environments,” the report noted. 

North Korean hackers have increasingly relied on fake job offers to infiltrate companies. In July, the U.S. Treasury sanctioned Song Kum Hyok for allegedly running a scheme that placed disguised North Korean IT workers in U.S. firms to generate revenue for the Democratic People’s Republic of Korea (DPRK). These workers, often based in China or Russia, used false identities and nationalities, with employers unaware of the deception.

North Korean Hackers Emphasize the Need for Decentralization

As global threats push crypto platforms to tighten security, this is a powerful reminder of why decentralized, community-driven ecosystems like Shibarium matter. Unlike traditional setups vulnerable to centralized exploits, Shibarium’s open infrastructure empowers developers to build with transparency, resilience, and trust at the core.

Rather than relying on a single point of failure, Shibarium distributes control across a network of validators, developers, and community participants. This decentralization not only makes it harder for bad actors, like state-backed hacking groups, to gain footholds but also allows for faster detection and response when vulnerabilities do arise.

As the crypto space confronts rising cyber risks, ecosystems like Shibarium emphasize a different path forward, one rooted in decentralization, transparency, and a shared commitment to building tools that serve, not exploit, the people.


Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Magazine and The Shib Daily are the official media and publications of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.