Security researchers say they have high confidence that North Korean hackers were behind a recent intrusion at enterprise software company JumpCloud because of a mistake the hackers made.
Mandiant, which is assisting one of JumpCloud’s affected customers, attributed the breach to hackers working for North Korea’s Reconnaissance General Bureau, or RGB, a hacking unit that targets cryptocurrency companies and steals passwords from executives and security teams. North Korea has long used crypto thefts to fund its sanctioned nuclear weapons program.
In a blog post, Mandiant said the hacking unit, which it calls UNC4899 (since it’s a new, unclassified threat group), mistakenly exposed their real-world IP addresses. The North Korean hackers would often use commercial VPN services to mask their IP addresses, but on “many occasions” the VPNs failed to work or the hackers did not use them when accessing the victim’s network, exposing their access from Pyongyang.
Mandiant said its evidence supports that this was “an OPSEC slip up,” referring to operational security — the way in which hackers try to prevent information about their activity leaking as part of their hacking campaigns. The researchers said they also uncovered additional infrastructure used in this intrusion that was previously used by hacks attributed to North Korea.
“North Korea-nexus threat actors continue to improve their cyber offensive capabilities in order to steal cryptocurrency. Over the past year, we’ve seen them conduct multiple supply chain attacks, poison legitimate software, and develop and deploy custom malware onto MacOS systems,” said Mandiant’s CTO Charles Carmakal. “They ultimately want to compromise companies with cryptocurrency and they’ve found creative paths to get there. But they also make mistakes that have helped us attribute several intrusions to them.”
SentinelOne and CrowdStrike also confirmed North Korea was behind the JumpCloud intrusion.
JumpCloud said in a short post last week that fewer than five of its corporate customers and less than 10 devices were targeted by the North Korean hacking campaign. JumpCloud reset its customer API keys after reporting an intrusion in June. JumpCloud has more than 200,000 enterprise customers, including GoFundMe, ClassPass, and Foursquare.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Spyhide stalkerware is spying on tens of thousands of phones
