
Numerous hacker groups linked to North Korea have once again drawn global attention following a series of targeted attacks against developers and companies operating within the Web3 and cryptocurrency sectors. According to a new report by Mandiant, the core motive remains unchanged—financial gain and the circumvention of international sanctions. However, the tactics employed have grown increasingly sophisticated and expansive in scale.
The primary objective of these operations is to secure a steady influx of foreign currency to fund the regime’s strategic initiatives, including its nuclear weapons program. To achieve this, the attackers use a diverse arsenal of tools, deploying malware written in Golang, C++, and Rust that can compromise systems running Windows, Linux, and macOS. Their targets range from individual developers to entire organizations engaged in blockchain development.
Mandiant has identified at least three active threat clusters: UNC1069, UNC4899, and UNC5342. The first, UNC1069, has operated since 2018 and specializes in social engineering—crafting fake meeting invitations and investor correspondence via Telegram. The second, UNC4899, emerged in 2022 and lures victims with fraudulent job offers and assessments, embedding malicious code within development infrastructure. The third, UNC5342, also leverages employment-themed lures, disguising malware as legitimate project files. All three groups aggressively pursue access to cryptocurrency wallets and critical enterprise systems.
Of particular interest is UNC4736, which targeted the blockchain sector by distributing trojanized trading applications, sparking a cascading breach that affected 3CX in 2023. Another actor, UNC3782, conducted a sweeping phishing campaign against TRON users in 2023, stealing over $137 million in assets within a single day. In 2024, it shifted focus to Solana users, deploying malicious “drain” pages designed to exfiltrate funds.
Yet the threat extends beyond direct cyberattacks. Since 2022, a cluster known as UNC5267 has been actively embedding thousands of North Korean IT professionals within international companies—primarily through outsourced contracts in the U.S., Europe, and Asia. Though many of these operatives reside in China, they fabricate identities and leverage deepfake technologies to successfully pass job interviews. According to Palo Alto Networks, a single persona may be used in dozens of job applications, each with different aliases and appearances.
These operatives, directly affiliated with North Korea’s General Bureau 313 under the Ministry of Armaments, yield a dual advantage: they draw salaries, which are funneled back to Pyongyang, and they provide access to internal corporate infrastructure—access that can be exploited for espionage, extortion, and sabotage.
One documented case in 2024 revealed a single North Korean operative assuming twelve distinct identities in attempts to secure employment across American and European firms. In another incident, four covert employees from the DPRK were hired by the same organization within a single year.
According to Google’s Threat Intelligence Group (GTIG), such schemes dramatically amplify the capabilities of North Korean threat actors, transforming ordinary cyberattacks into protracted campaigns marked by insider access and direct financial pipelines. While previous concerns centered on malware, the focus has now shifted to human-centric intrusions—silent, deliberate, and almost imperceptible.