N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto

North Korea-linked threat actor UNC4899 has targeted organizations using social engineering, cloud platform exploits, and malicious package uploads to steal cryptocurrency and compromise cloud environments. The group’s activities include significant cryptocurrency heists and malware distribution via open source packages. #UNC4899 #TraderTraitor #LazarusGroup #CryptocurrencyTheft #CloudAttacks

Key Points

  • UNC4899 has been active since 2020, targeting cryptocurrency and blockchain sectors.
  • The group uses social engineering, malicious Docker containers, and harmful npm packages in their attacks.
  • They exploited cloud environments like Google Cloud and AWS to plant backdoors and steal credentials.
  • Major cryptocurrency thefts attributed to UNC4899 include Axie Infinity, DMM Bitcoin, and Bybit heists.
  • Lazarus Group has been embedding malware into open source package registries to facilitate espionage and backdoors.

Read More: https://thehackernews.com/2025/07/n-korean-hackers-used-job-lures-cloud.html