
North Korean Cyber Threats Intensify Against Web3 and Cryptocurrency Sectors

North Korean state-sponsored hacking groups have increasingly turned their attention toward the Web3 and cryptocurrency ecosystem

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.



North Korean state-sponsored hacking groups have increasingly turned their attention toward the Web3 and cryptocurrency ecosystem, employing sophisticated social engineering and malware techniques to generate financial gains that allegedly support the country's weapons programs and strategic objectives.

In its M-Trends 2025 report, cybersecurity firm Mandiant, owned by Google, highlighted multiple threat clusters tied to the Democratic People’s Republic of Korea (DPRK), noting that their targeting of the cryptocurrency space is primarily financially motivated due to enduring international sanctions.

A Targeted Cyber Campaign for Strategic Gain

The DPRK has leveraged its cyber capabilities to sidestep sanctions and raise capital. These activities are believed to fund North Korea's weapons of mass destruction (WMD) programs and other national interests.

Mandiant has identified several DPRK-affiliated cyber units, each with distinct tactics, techniques, and procedures:

Key Threat Clusters

  • UNC1069 (active since 2018): Uses fake investor personas on platforms like Telegram to deliver malware under the guise of press inquiries or investment opportunities. This group employs social engineering tactics to access digital wallets and credentials.

  • UNC4899 (active since 2022): Notable for job-themed malware campaigns where targets are asked to complete infected coding challenges. The group has been linked to supply chain compromises and overlaps with groups such as TraderTraitor and Jade Sleet.

  • UNC5342 (active since December 2022): Another cluster using fake job opportunities to trick developers into running malware. This group overlaps with operations such as Contagious Interview and DeceptiveDevelopment.

  • UNC4736: Infamous for trojanizing trading apps and its role in the 2023 supply chain attack on 3CX.

  • UNC3782: Conducts large-scale phishing operations targeting TRON and Solana users. In 2023, they transferred $137 million in assets in a single day, and continue deploying cryptocurrency drainers through malicious websites.

Malware and Tool Diversity

The DPRK threat actors have developed custom malware using languages such as Golang, C++, and Rust, with the capability to target Windows, Linux, and macOS platforms. This multi-platform capability enables them to infiltrate a diverse set of environments, from individual developers' machines to enterprise blockchain infrastructure.

Insider Threats via Fake IT Workers

Beyond phishing and malware, North Korea has deployed a strategic human intelligence operation by infiltrating global organizations through fake remote employees.

The UNC5267 Cluster

Since at least 2022, a cluster known as UNC5267 has sent thousands of North Korean nationals to secure remote tech jobs in the U.S., Europe, and Asia—while physically operating from China and Russia. Many of these workers are linked to the 313 General Bureau, which oversees North Korea’s nuclear development programs.

These operatives use:

  • Stolen and synthetic identities

  • Real-time deepfake video avatars for job interviews

  • Multiple personas to increase employment chances

“This offers two key operational advantages,” said Evan Gordenker of Palo Alto Networks Unit 42. “It allows multiple applications using different identities and avoids detection by security watchlists.”

Multi-Layered Risk: Espionage, Theft, and Extortion

Once employed, DPRK operatives use their access to:

  • Steal intellectual property and sensitive data

  • Divert salaries to Pyongyang

  • Conduct cyberattacks from inside trusted networks

  • Engage in extortion tactics against employers

  • Operate inside corporate desktops and servers

This blurs the lines between insider threats and advanced persistent threat (APT) campaigns.

Mandiant highlighted a case in which 12 fake personas were traced back to a single DPRK IT worker attempting to gain employment in the U.S. and Europe. In one organization, four suspected DPRK operatives were hired in a single year, underlining the effectiveness of this unconventional infiltration strategy.

Conclusion: Evolving Tactics, Expanding Threats

The cybersecurity landscape continues to shift as state-sponsored actors blend technical exploits with human-centric deception. In the case of the DPRK, the convergence of phishing, malware, and fake job candidates represents a growing threat to the cryptocurrency and Web3 ecosystem.

Organizations, especially in crypto, fintech, and blockchain development, must adopt multi-layered security strategies that include:

  • Strong identity verification for remote employees

  • Monitoring for social engineering campaigns

  • Limiting privileged access

  • Behavioral analytics to detect anomalies
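One concrete form of the identity-verification control above, and of the "12 personas, one worker" pattern Mandiant describes: link job applications that share artefacts a genuine applicant would not share (phone number, SSH key fingerprint, résumé hash) so a single operator running several personas surfaces as one cluster before an offer is made. This is an added example, not code from the article, Mandiant, or Unit 42; the applicant records and field names are constructed for illustration.

```python
# Added example (not from the article or its sources). Applicant records below
# are constructed sample data; the field names are hypothetical.
from collections import defaultdict

SAMPLE_APPLICATIONS = [
    {"id": "A1", "name": "Alex Doe",   "phone": "+1-555-0100", "ssh_fp": "fp:aa11", "resume_sha": "r001"},
    {"id": "A2", "name": "Sam Roe",    "phone": "+1-555-0101", "ssh_fp": "fp:aa11", "resume_sha": "r002"},
    {"id": "A3", "name": "Chris Poe",  "phone": "+1-555-0101", "ssh_fp": "fp:bb22", "resume_sha": "r003"},
    {"id": "A4", "name": "Jordan Lee", "phone": "+1-555-0200", "ssh_fp": "fp:cc33", "resume_sha": "r004"},
    {"id": "A5", "name": "Pat Kim",    "phone": "+1-555-0300", "ssh_fp": "fp:dd44", "resume_sha": "r004"},
]

# Attributes that should be unique per genuine applicant; a shared value links two records.
LINK_KEYS = ("phone", "ssh_fp", "resume_sha")

def cluster_personas(apps, keys=LINK_KEYS):
    """Union-find over applications: records sharing any key value join one cluster.
    Returns {representative_id: sorted application ids}."""
    parent = {a["id"]: a["id"] for a in apps}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[max(ra, rb)] = min(ra, rb)  # smallest id becomes the representative

    seen = defaultdict(dict)  # key -> value -> first application id carrying that value
    for app in apps:
        for k in keys:
            v = app.get(k)
            if v and v in seen[k]:
                union(app["id"], seen[k][v])
            elif v:
                seen[k][v] = app["id"]

    clusters = defaultdict(list)
    for app in apps:
        clusters[find(app["id"])].append(app["id"])
    return {rep: sorted(ids) for rep, ids in clusters.items()}

def suspicious_clusters(apps):
    """Clusters that contain more than one distinct applicant name: hold for manual review."""
    by_id = {a["id"]: a for a in apps}
    flagged = {}
    for rep, ids in cluster_personas(apps).items():
        if len(ids) > 1 and len({by_id[i]["name"] for i in ids}) > 1:
            flagged[rep] = ids
    return flagged
```

Linking is transitive, so A1 and A3 end up in one cluster although they share nothing directly; A2 bridges them via the key fingerprint and the phone number.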

As Mandiant and others have warned, the era of “human-powered cybercrime” has arrived, and security must evolve to meet it.