North Korean Hackers Drain $137 Million in TRON Cryptocurrency Heist
A massive, coordinated phishing attack has reportedly netted North Korean hacking groups a staggering $137 million from users of the TRON cryptocurrency platform. Cybersecurity experts are pointing to multiple North Korea-linked threat actors as the culprits, highlighting an ongoing trend of DPRK-backed groups targeting the lucrative Web3 and crypto sectors.

It seems North Korean hackers are increasingly targeting the Web3 and cryptocurrency world. Multiple groups with ties to North Korea (aka the Democratic People's Republic of Korea, or DPRK) are actively launching attacks against organizations and individuals in this space.
Why the focus on crypto and Web3? According to Mandiant, a Google-owned cybersecurity firm, it's all about the money. In its M-Trends report for 2025, shared with The Hacker News, the firm said that the heavy sanctions against North Korea are driving the regime to seek financial gains through these cyberattacks.
"These activities aim to generate financial gains, reportedly funding North Korea's weapons of mass destruction (WMD) program and other strategic assets," Mandiant stated.
These DPRK-linked threat actors aren't using off-the-shelf tools either. They've developed their own custom malware, written in languages like Golang, C++, and Rust, capable of infecting Windows, Linux, and macOS systems. That's some serious technical capability!
Mandiant has identified at least three active groups – UNC1069, UNC4899, and UNC5342 – specifically targeting the crypto and blockchain development community. They're going after developers working on Web3 projects, trying to steal cryptocurrency wallets and compromise the organizations employing them.
A Quick Look at the Culprits:
- UNC1069: Active since at least 2018, this group uses social engineering tactics, like fake meeting invites and posing as investors on Telegram, to steal digital assets.
- UNC4899: This group, around since 2022, is known for job-themed campaigns, delivering malware through fake coding assignments. They've also been involved in supply chain attacks. (Also possibly known as Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor)
- UNC5342: Similar to UNC4899, this group uses job-related lures to trick developers into running infected projects. (Also possibly known as Contagious Interview, DeceptiveDevelopment, DEV#POPPER, and Famous Chollima)
Another group to watch out for is UNC4736. They've targeted the blockchain industry by trojanizing trading software and were linked to the 3CX supply chain attack in early 2023.
Mandiant also flagged UNC3782, another North Korean group, for conducting large-scale phishing campaigns targeting the cryptocurrency sector.
"In 2023, UNC3782 conducted phishing operations against TRON users and transferred more than $137 million USD worth of assets in a single day," the company revealed. "UNC3782 launched a campaign in 2024 to target Solana users and direct them to pages that contained cryptocurrency drainers."
Stealing cryptocurrency is just one piece of the puzzle. North Korea is using several methods to evade international sanctions. For example, UNC5267 has been sending thousands of North Korean citizens to work remotely at companies in the U.S., Europe, and Asia since at least 2022, while the workers themselves primarily reside in China and Russia.
Many of these IT workers are reportedly connected to the 313 General Bureau of the Munitions Industry Department, the group responsible for North Korea's nuclear program. Think about that!
These North Korean IT workers are using stolen identities and even completely fabricated personas to get these jobs. They're even using real-time deepfake technology to create convincing synthetic identities during job interviews.
As Evan Gordenker, a researcher at Palo Alto Networks Unit 42, explained, "This offers two key operational advantages. First, it allows a single operator to interview for the same position multiple times using different synthetic personas. Second, it helps operatives avoid being identified and added to security bulletins and wanted notices ... it helps DPRK IT workers enjoy enhanced operational security and decreased detectability."
This DPRK IT worker scheme is essentially an insider threat on steroids. It's designed to funnel salaries back to Pyongyang, maintain long-term access to victim networks, and even extort employers.
Jamie Collier and Michael Barnhart from Google Threat Intelligence Group (GTIG) said, "They have also intensified extortion campaigns against employers, and they've moved to conduct operations in corporate virtual desktops, networks, and servers. They now use their privileged access to steal data and enable cyberattacks, in addition to generating revenue for North Korea."
In 2024 alone, Mandiant identified a suspected DPRK IT worker using at least 12 different personas to apply for jobs in the U.S. and Europe. That shows just how effective (and persistent) this infiltration strategy is.
According to Mandiant, in one case, "two false identities were considered for a job in a U.S. company, with one DPRK IT worker winning out over the other." In another instance, "four suspected DPRK IT workers had been employed within a 12-month period at a single organization." Scary stuff!