
North Korean Hackers Breached Crypto Cloud Systems Using Front-End Exploit, New Report Reveals

2026/03/10 01:38

Key Takeaways

  • North Korean hackers exploited a React front-end vulnerability (CVE-2025-55182) to breach crypto firms’ cloud infrastructure
  • AWS credentials were stolen to extract private keys, source code, and sensitive configuration files
  • DPRK stole a record $2.02B in crypto in 2025 – roughly 13% of the country’s GDP
  • Tactics are shifting: fake recruiters and embedded IT workers are replacing purely technical attacks

Ctrl-Alt-Intel published its findings, attributing the operation to North Korean state-affiliated threat actors with “medium confidence.” The campaign zeroed in on exchange software vendors, staking platforms, and crypto exchanges – the operational backbone of the digital asset industry.

How the Attack Unfolded

The attackers’ initial foothold came through React2Shell (CVE-2025-55182), a critical front-end vulnerability that opened the door to cloud environments. From there, the group moved laterally using stolen AWS credentials, hunting for private keys, source code, and credentials buried in Secrets Manager, Terraform files, and Kubernetes configurations. Docker images tied to ChainUp clients were also pulled. The attack infrastructure traces back to a server in South Korea (IP: 64.176.226[.]36) and the domain itemnania[.]com.
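A defender can turn the two indicators above into a quick CloudTrail hunt: which access keys were used from the reported address, and which of them touched Secrets Manager. This is an added example, not code from the Ctrl-Alt-Intel report; the sample records, access key ids and the benign IP are constructed placeholders, and the field names follow the standard CloudTrail record layout.

```python
from collections import defaultdict

# Indicators as printed in the article, in defanged form.
DEFANGED_IOCS = ["64.176.226[.]36", "itemnania[.]com"]


def refang(indicator):
    """Turn a defanged indicator (64.176.226[.]36) back into a matchable value."""
    return indicator.replace("[.]", ".")


# The IP matches CloudTrail's sourceIPAddress; the domain is for DNS/proxy logs.
IOCS = {refang(i) for i in DEFANGED_IOCS}


def _event(time, source, name, ip, key):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}


# Constructed CloudTrail-style records (not real log data).
SAMPLE_EVENTS = [
    _event("2025-01-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity",
           "64.176.226.36", "AKIAEXAMPLE0000000001"),
    _event("2025-01-01T10:01:00Z", "secretsmanager.amazonaws.com", "ListSecrets",
           "64.176.226.36", "AKIAEXAMPLE0000000001"),
    _event("2025-01-01T10:02:00Z", "secretsmanager.amazonaws.com", "GetSecretValue",
           "64.176.226.36", "AKIAEXAMPLE0000000001"),
    _event("2025-01-01T10:03:00Z", "secretsmanager.amazonaws.com", "GetSecretValue",
           "198.51.100.7", "AKIAEXAMPLE0000000002"),  # benign: not an IoC address
    _event("2025-01-01T10:04:00Z", "s3.amazonaws.com", "ListBuckets",
           "64.176.226.36", "AKIAEXAMPLE0000000003"),
]


def hunt(events, iocs=IOCS):
    """Group API calls made from an IoC address by the access key that made them."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("sourceIPAddress") in iocs:
            key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
            hits[key].append((ev["eventTime"], ev["eventSource"], ev["eventName"]))
    return dict(hits)


def keys_that_read_secrets(hits):
    """Keys seen from an IoC address that also called Secrets Manager."""
    return sorted(k for k, calls in hits.items()
                  if any(src == "secretsmanager.amazonaws.com" for _, src, _ in calls))
```

Every key returned by `hunt` should be rotated; the ones in `keys_that_read_secrets` also mean the secrets they could read need rotating.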

The operation fits a broader, escalating pattern. North Korean hackers pulled in a record $2.02 billion in stolen cryptocurrency across 2025 – a 51% jump over 2024 – even as the total number of attacks dropped by 74%. The math tells the story: fewer hits, but far more precise and lucrative ones.

Those funds aren’t sitting idle. Analysts estimate stolen crypto now accounts for roughly 13% of North Korea’s GDP, with proceeds flowing directly into its nuclear and ballistic missile development programs.

The Heists That Defined the Year

The scale of recent individual heists underscores how far the regime’s capabilities have advanced. The Lazarus Group – Pyongyang’s most prominent state-sponsored hacking unit – was behind the February 2025 theft of $1.5 billion from Bybit, the largest single crypto heist on record. The same group is suspected in a $30.4 million hit on Upbit later that year. DMM Bitcoin lost $308 million to a North Korea-attributed attack in December 2024.

What’s changing is the method. Cybersecurity analysts point to a deliberate pivot away from purely technical exploits toward social engineering. The “Contagious Interview” campaign has seen hackers impersonating recruiters to lure developers into executing malicious code under the guise of technical job assessments. Separately, North Korean operatives have been caught embedding themselves as IT workers inside crypto firms, gaining privileged internal access before pulling the plug.

What Comes Next

Dmitri Alperovitch, co-founder of CrowdStrike, has described DPRK-linked groups as more “creative and aggressive” than their Russian or Chinese counterparts – a characterization the Bybit heist did little to contradict.

Industry analysts aren’t expecting a slowdown. Despite measurable security improvements across decentralized finance, the consensus is that high-value, low-frequency attacks will continue through 2026. The incentive structure is simple: one successful breach can outperform dozens of smaller ones, and North Korea has demonstrated it knows how to find that breach.


The post North Korean Hackers Breached Crypto Cloud Systems Using Front-End Exploit, New Report Reveals appeared first on Coindoo.
