
DPRK Hackers Steal $137M from TRON Users in Single-Day Phishing Attack

By Viral Trending Content 6 Min Read

Apr 23, 2025Ravie LakshmananMalware / Cryptocurrency


Multiple threat activity clusters with ties to North Korea (aka Democratic People’s Republic of Korea or DPRK) have been linked to attacks targeting organizations and individuals in the Web3 and cryptocurrency space.

“The focus on Web3 and cryptocurrency appears to be primarily financially motivated due to the heavy sanctions that have been placed on North Korea,” Google-owned Mandiant said in its M-Trends report for 2025 shared with The Hacker News.

“These activities aim to generate financial gains, reportedly funding North Korea’s weapons of mass destruction (WMD) program and other strategic assets.”

The cybersecurity firm said DPRK-nexus threat actors have developed custom tools written in a variety of languages such as Golang, C++, and Rust, and are capable of infecting Windows, Linux, and macOS operating systems.

At least three threat activity clusters it tracks as UNC1069, UNC4899, and UNC5342 have been found to target members of the cryptocurrency and blockchain-development community, particularly focusing on developers working on Web3-adjacent projects to obtain illicit access to cryptocurrency wallets and to the organizations that employ them.

A brief description of each of the threat actors is below:

  • UNC1069 (Active since at least April 2018), which targets diverse industries for financial gain using social engineering ploys by sending fake meeting invites and posing as investors from reputable companies on Telegram to gain access to victims’ digital assets and cryptocurrency
  • UNC4899 (Active since 2022), which is known for orchestrating job-themed campaigns that deliver malware as part of a supposed coding assignment and has previously staged supply chain compromises for financial gain (Overlaps with Jade Sleet, PUKCHONG, Slow Pisces, TraderTraitor, and UNC4899)
  • UNC5342 (Active since January 2024), which is also known for employing job-related lures to trick developers into running malware-laced projects (Overlaps with Contagious Interview, DeceptiveDevelopment, DEV#POPPER, and Famous Chollima)

Another North Korean threat actor of note is UNC4736, which has singled out the blockchain industry by trojanizing trading software applications and has been attributed to a cascading supply chain attack on 3CX in early 2023.


Mandiant said it also identified a separate cluster of North Korean activity tracked as UNC3782 that conducts large-scale phishing campaigns targeting the cryptocurrency sector.

“In 2023, UNC3782 conducted phishing operations against TRON users and transferred more than $137 million USD worth of assets in a single day,” the company noted. “UNC3782 launched a campaign in 2024 to target Solana users and direct them to pages that contained cryptocurrency drainers.”

Cryptocurrency theft is one of the several means the DPRK has pursued to sidestep international sanctions. At least since 2022, an active threat cluster dubbed UNC5267 has dispatched thousands of its citizens to secure remote employment jobs at companies in the U.S., Europe, and Asia while primarily residing in China and Russia.

A major chunk of the IT workers are said to be affiliated with the 313 General Bureau of the Munitions Industry Department, which is responsible for the nuclear program in North Korea.

The North Korean IT workers, in addition to making use of stolen identities, have utilized completely fabricated personas to support their activities. This is also complemented by the use of real-time deepfake technology to create convincing synthetic identities during job interviews.

“This offers two key operational advantages. First, it allows a single operator to interview for the same position multiple times using different synthetic personas,” Palo Alto Networks Unit 42 researcher Evan Gordenker said.

“Second, it helps operatives avoid being identified and added to security bulletins and wanted notices. Combined, it helps DPRK IT workers enjoy enhanced operational security and decreased detectability.”

The DPRK IT worker scheme, which takes insider threats to a whole new level, is engineered to funnel back their salaries to Pyongyang to advance its strategic goals, maintain long-term access to victim networks, and even extort their employers.


“They have also intensified extortion campaigns against employers, and they’ve moved to conduct operations in corporate virtual desktops, networks, and servers,” Google Threat Intelligence Group (GTIG)’s Jamie Collier and Michael Barnhart said in a report last month.

“They now use their privileged access to steal data and enable cyberattacks, in addition to generating revenue for North Korea.”

In 2024, Mandiant said it identified a suspected DPRK IT worker using at least 12 personas while seeking employment in the U.S. and Europe, highlighting the effectiveness of turning to such unconventional methods to infiltrate organizations under false pretenses.

“In at least one instance, two false identities were considered for a job in a U.S. company, with one DPRK IT worker winning out over the other,” the threat intelligence firm pointed out. In another instance, “four suspected DPRK IT workers had been employed within a 12-month period at a single organization.”
