Recent reports from Mandiant, a cybersecurity firm owned by Google, have revealed that multiple North Korean (DPRK)-linked threat actors are targeting the Web3 and cryptocurrency sectors. These attacks are primarily financially motivated, aiming to circumvent international sanctions imposed on North Korea. The goal is to generate funds that are reportedly directed towards the country’s weapons of mass destruction (WMD) program and other strategic initiatives.
Financial Motivations Behind North Korean Cyber Activities
The rise in cyberattacks targeting Web3 and cryptocurrency is no coincidence. Mandiant’s M-Trends report for 2025 details how these activities are a direct response to the financial sanctions placed on North Korea. These sanctions have severely impacted the country’s access to international financial systems, pushing the DPRK to turn to illicit digital means of funding its agenda. By infiltrating cryptocurrency wallets and blockchain-development communities, DPRK actors are stealing millions of dollars in cryptocurrency to fuel their strategic objectives.
Mandiant tracked multiple threat activity clusters linked to the DPRK, including UNC1069, UNC4899, UNC5342, and others. These groups target a range of Web3-related entities, from cryptocurrency developers to organizations involved in blockchain technology. The North Korean groups are particularly adept at creating custom tools in programming languages like Golang, C++, and Rust, capable of infecting systems running Windows, Linux, and macOS.
Overview of Notable DPRK Threat Actors
Mandiant has provided insights into several North Korean threat actor groups, each with distinct methods and operational tactics:
UNC1069 (Active since April 2018): This group targets various industries, using social engineering tactics to gain access to digital assets. They send fake meeting invites and impersonate investors on platforms like Telegram, aiming to infiltrate cryptocurrency wallets.
UNC4899 (Active since 2022): Known for launching job-themed malware campaigns, UNC4899 has previously orchestrated supply chain attacks for financial gain. They often trick victims into running malware under the guise of coding assignments.
UNC5342 (Active since December 2022): Similar to UNC4899, UNC5342 uses job-related lures to entice Web3 developers into running malware-infected projects. Its activity overlaps with campaigns that other vendors track under the names Contagious Interview and DeceptiveDevelopment.
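The UNC4899 and UNC5342 lures described above rely on a developer cloning a "take-home assignment" and running it without looking. The following is an added example, not code from Mandiant or from this article, of a triage pass a practitioner can run on such a checkout before `npm install` or `npm test`. It assumes an npm-style project (the same idea applies to setup.py, Makefiles, or Gradle hooks) and flags two things: lifecycle scripts that npm executes automatically at install time, and source files containing dynamic code execution or a long encoded blob, which is where a hidden loader usually sits. The sample project, the hook names, and the 200-character blob threshold are constructed for the demo.

```python
"""Triage a cloned 'coding assignment' before running anything in it.

Added example; not Mandiant's tooling. Assumes an npm-style project.
"""
import json
import os
import re
import tempfile

# Scripts npm runs on its own during `npm install` in a project checkout.
AUTO_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Dynamic code execution or process spawning inside a "test assignment".
SUSPICIOUS_CALLS = re.compile(r"\b(eval|Function|child_process|execSync|spawn)\b")
# A quoted run of 200+ base64-alphabet characters: an embedded stage-2 blob.
BLOB = re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]""")


def find_install_hooks(pkg_path):
    """Return {hook: command} for package.json scripts that run on install."""
    with open(pkg_path, encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in AUTO_HOOKS}


def scan_source(path):
    """Return a list of finding tags for one JavaScript file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    if SUSPICIOUS_CALLS.search(text):
        findings.append("dynamic-eval-or-exec")
    if BLOB.search(text):
        findings.append("encoded-blob")
    return findings


def triage(project_dir):
    """Walk the project (skipping node_modules) and summarise what to review."""
    report = {"install_hooks": {}, "files": {}}
    pkg = os.path.join(project_dir, "package.json")
    if os.path.exists(pkg):
        report["install_hooks"] = find_install_hooks(pkg)
    for root, dirs, files in os.walk(project_dir):
        dirs[:] = [d for d in dirs if d != "node_modules"]
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(root, name)
                hits = scan_source(path)
                if hits:
                    report["files"][os.path.relpath(path, project_dir)] = hits
    flagged = bool(report["install_hooks"] or report["files"])
    report["verdict"] = "review before running" if flagged else "no findings"
    return report


def build_sample_project():
    """Constructed sample: a lure-style assignment with a postinstall hook
    that executes a file carrying a base64 blob fed to eval()."""
    root = tempfile.mkdtemp(prefix="assignment-")
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "assignment",
                   "scripts": {"test": "node test.js",
                               "postinstall": "node lib/config.js"}}, fh)
    with open(os.path.join(root, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = function add(a, b) { return a + b; };\n")
    with open(os.path.join(root, "test.js"), "w", encoding="utf-8") as fh:
        fh.write('const add = require("./index");\n'
                 'if (add(1, 2) !== 3) throw new Error("fail");\n')
    with open(os.path.join(root, "lib", "config.js"), "w", encoding="utf-8") as fh:
        fh.write('const cfg = "' + "A" * 240 + '";\n'
                 'eval(Buffer.from(cfg, "base64").toString());\n')
    return root


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_project()), indent=2))
```

The check is deliberately cheap and noisy in the right direction: a legitimate take-home rarely needs an install hook or an eval over an encoded string, so either finding is reason to read the file before running the project in anything other than a disposable VM.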
In addition to these clusters, Mandiant also tracks UNC4736, which specializes in trojanizing trading software applications and has been linked to a significant supply chain attack on 3CX in early 2023.
One of the most significant threats identified by Mandiant is UNC3782, a group that specializes in large-scale phishing campaigns aimed at the cryptocurrency sector. In 2023, the group conducted a phishing operation against TRON users, successfully transferring more than $137 million USD in assets within a single day. In 2024, UNC3782 targeted Solana users, directing them to malicious pages designed to steal cryptocurrency.
These targeted phishing attacks demonstrate the increasing sophistication of North Korean threat actors in exploiting cryptocurrency platforms. As cryptocurrencies become a more widely accepted form of payment, they present a lucrative target for cybercriminals looking to bypass traditional financial systems.
DPRK IT Worker Scheme: A New Form of Insider Threat
One of the more unusual and concerning tactics used by North Korea involves the recruitment of IT workers to infiltrate organizations worldwide. Mandiant identified a network of DPRK IT workers, many of whom are stationed in China and Russia but work remotely for companies in the U.S., Europe, and Asia. These workers use stolen identities or fabricated personas to apply for jobs in the tech sector, blending into organizations under false pretenses.
In some cases, North Korean operatives have used deepfake technology to create convincing synthetic identities during job interviews. This allows them to engage in multiple interviews using different personas, enhancing their operational security by reducing the risk of detection. This tactic has provided DPRK operatives with privileged access to networks, enabling them to steal sensitive data and carry out cyberattacks, all while funneling back their salaries to Pyongyang to support the country’s strategic objectives.
The IT worker scheme is an innovative form of insider threat, combining traditional espionage tactics with modern technology to infiltrate organizations with minimal risk of exposure. These operatives have been known to work across multiple companies within a short period, gaining long-term access to networks and using their positions to extract value from organizations.
North Korean Cyber Extortion and Long-Term Infiltration
In addition to collecting salaries, North Korean IT workers have escalated to extorting their employers. Once placed, a worker is legitimately provisioned on corporate virtual desktops, networks, and servers, and that access is used to steal data and to enable follow-on intrusions; the stolen data then becomes leverage for extortion. These operations fund the country's strategic objectives twice over, through wages and through extortion and data theft.
The scale of these operations has only increased in recent years. In 2024, Mandiant identified a DPRK IT worker using 12 separate personas while seeking employment in the U.S. and Europe. In one case, a worker used two false identities to apply for the same job at a U.S. company, with one persona ultimately securing the position.
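The two-identities-for-one-job case above is detectable at the hiring pipeline if applications are compared to each other rather than reviewed one at a time. The following is an added example of such a cross-application check; it is not Mandiant's detection logic, and the applicant records, identifiers, and linking attributes (phone number, submission IP, normalised resume hash) are constructed for the demo. It clusters applications that share any strong identifier and then reports clusters where members applied to the same requisition under different names.

```python
"""Link job applications that reuse identifiers across personas.

Added example with constructed data; not Mandiant's tooling.
"""
import hashlib
from collections import defaultdict


def resume_fingerprint(text):
    """Normalise case and whitespace before hashing so lightly edited
    copies of the same resume collide."""
    norm = " ".join(text.lower().split())
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()[:16]


def link_personas(applications):
    """Union-find over application ids: two applications are linked when they
    share a phone number, a submission IP, or a resume fingerprint.
    Returns sorted clusters with more than one member."""
    parent = {app["id"]: app["id"] for app in applications}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for app in applications:
        keys = [("phone", app["phone"]),
                ("ip", app["source_ip"]),
                ("resume", resume_fingerprint(app["resume"]))]
        for key in keys:
            if key in first_seen:
                union(first_seen[key], app["id"])
            else:
                first_seen[key] = app["id"]

    clusters = defaultdict(list)
    for app in applications:
        clusters[find(app["id"])].append(app["id"])
    return sorted(sorted(ids) for ids in clusters.values() if len(ids) > 1)


def same_job_collisions(applications):
    """Within each linked cluster, report requisitions that received
    applications under more than one name: (requisition, [ids])."""
    by_id = {app["id"]: app for app in applications}
    hits = []
    for cluster in link_personas(applications):
        by_req = defaultdict(list)
        for app_id in cluster:
            by_req[by_id[app_id]["requisition"]].append(app_id)
        for req, ids in by_req.items():
            if len({by_id[i]["name"] for i in ids}) > 1:
                hits.append((req, sorted(ids)))
    return sorted(hits)


# Constructed sample records (documentation IP ranges, fictional 555 numbers).
# A1 and A2 apply to the same requisition from one IP with the same resume;
# A4 reuses A2's phone number on a different requisition; A3 is unrelated.
SAMPLE_APPLICATIONS = [
    {"id": "A1", "name": "Alex Rivera", "requisition": "R-100",
     "phone": "+1-555-0101", "source_ip": "203.0.113.7",
     "resume": "Senior Solidity engineer. 6 years DeFi. Rust, Go."},
    {"id": "A2", "name": "Jordan Lee", "requisition": "R-100",
     "phone": "+1-555-0199", "source_ip": "203.0.113.7",
     "resume": "senior solidity engineer.  6 years defi.\nrust, go."},
    {"id": "A3", "name": "Sam Patel", "requisition": "R-200",
     "phone": "+1-555-0142", "source_ip": "198.51.100.9",
     "resume": "Backend engineer, Python and Postgres."},
    {"id": "A4", "name": "Chris Wong", "requisition": "R-300",
     "phone": "+1-555-0199", "source_ip": "192.0.2.33",
     "resume": "Full stack developer, React and Node."},
]

if __name__ == "__main__":
    print("linked personas:", link_personas(SAMPLE_APPLICATIONS))
    print("same-job collisions:", same_job_collisions(SAMPLE_APPLICATIONS))
```

Shared IPs and phone numbers produce benign collisions (recruiters submitting on behalf of candidates, shared household or VPN egress addresses), so the output is a review queue rather than a verdict; the resume fingerprint is the strongest of the three signals because two genuinely different candidates rarely submit the same text.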
North Korean-linked cyber threats continue to evolve, with threat actors employing a mix of traditional and modern tactics to infiltrate the cryptocurrency and Web3 sectors. The DPRK’s focus on cryptocurrency theft and phishing campaigns underscores the financial motivations behind these attacks, which are aimed at bypassing international sanctions. Meanwhile, the IT worker scheme presents a new dimension to North Korean cyber operations, allowing them to infiltrate organizations through insider threats under false pretenses.
As these threats intensify, organizations in the cryptocurrency space, as well as industries reliant on blockchain technology, must remain vigilant against these evolving tactics to protect sensitive assets and ensure long-term security.