02/05/2026 | Press release | Distributed by Public on 02/05/2026 09:30
On January 8, 2026, the FBI issued an alert condemning the evolving threat tactics of a North Korean state-sponsored cyber group. Known as Kimsuky, the entity has, over the past year, targeted think tanks, academic institutions, and public-sector organizations through spear-phishing campaigns. A few months earlier, the Multilateral Sanctions Monitoring Team (MSMT) - a mechanism established in October 2024 to monitor and report on the implementation of UN sanctions on the Democratic People's Republic of Korea (DPRK) - published a report highlighting the deep connections between several North Korean state entities and malicious cyber activities. These actions include cryptocurrency theft, fraudulent IT work schemes, and cyber espionage. It has been estimated that, over the past two years alone, DPRK hackers have stolen nearly $3 billion in cryptocurrency, providing the regime with a crucial source of economic support, especially after the COVID-19 border closure.
Over time, North Korea has evolved from an amateur player into one of the most capable and prolific state-sponsored cyber powers. Throughout the past decade, North Korea-linked entities have conducted some of the largest financial cyber heists in history, stealing billions of dollars in digital assets. The country has distinguished itself through the consistency and effectiveness of its cyber operations, which target government agencies, financial institutions, critical infrastructure, private companies, and cryptocurrency platforms worldwide. Much of Pyongyang's ability to withstand external pressure today stems from its capacity to "hack, recycle, and transform" vast quantities of data and digital assets into instruments of coercion.
This capability is underpinned by a powerful ecosystem of state-aligned hacker groups responsible for numerous overseas cyber operations. Pyongyang maintains a sophisticated cyberwarfare program composed of multiple Advanced Persistent Threat (APT) groups that report directly to state bodies such as the Reconnaissance General Bureau (RGB) and the Ministry of State Security. Several analysts argue that Kim Jong Un's regime views cyberwarfare as a "central pillar" of its military strategy, on par with its nuclear arsenal and intercontinental ballistic missiles (ICBMs). In support of this view, a South Korean intelligence official reported that Kim Jong Un once described the DPRK's cyber capabilities as an "all-purpose sword." Research by multiple intelligence firms further indicates that a significant portion of the revenue generated through such cyber operations is channeled into the country's nuclear program, allowing Pyongyang to circumvent sanctions that would otherwise constrain the development of weapons of mass destruction (WMD).
Lately, the regime's adoption of emerging technologies - such as artificial intelligence (AI) - to generate fake identities and facilitate fraudulent employment schemes, combined with increased collaboration with partners such as Russia, China, and Southeast Asian countries, has further enhanced its cyber capabilities. As a result, North Korea now poses a growing threat not only to international security but also to the stability of the global economy, digital ecosystem, and critical infrastructures.
North Korea's cyber activities have only relatively recently drawn sustained international attention, particularly following the 2014 cyberattack on Sony Pictures Entertainment. Cyberspace, however, has long been an integral component of the country's military strategy. Even under Kim Jong-il's leadership (1994-2011), cyberattacks were compared to "atomic bombs," reflecting the belief that modern conflicts are often decided before they begin, when one side gains more insight into the military and technical capabilities of its adversary. Most policymakers still struggle to accept that North Korea has become an "equal nation" in terms of cyber capabilities. Despite its reputation as an isolated and underdeveloped state, Pyongyang has implemented a comprehensive program to advance cyber technology and systematically cultivate human capital.
These capabilities have been strengthened by a high degree of coordination among the various branches of North Korea's military cyber apparatus. Multiple analyses suggest that the system features overlapping command structures and extensive sharing of tools and resources across different units. While there is no official data on the structure of the various APT groups, it has been estimated that the DPRK's "cyber army" has more than 6,000 specialists who mainly operate under the direction of Unit 180 of the national intelligence agency, the Reconnaissance General Bureau. Widely regarded as the core of North Korea's cyber strategy, the unit is responsible for recruiting talent, designing training programs, and coordinating hacking operations.
Among the most prominent actors operating under the RGB is the Lazarus Group, which is widely considered responsible for some of the most notorious cyberattacks to date. These include the aforementioned 2014 Sony Pictures breach, the 2016 attacks on the SWIFT system, and the 2017 WannaCry ransomware campaign targeting Windows systems. Industry experts attribute a high level of technical sophistication to the group, enabling it to deploy a diverse array of malware and custom-built tools in highly targeted operations. Closely associated with Lazarus is APT38, a group that primarily targets banks, financial institutions, cryptocurrency platforms, and the SWIFT system worldwide. According to an FBI analysis, a joint operation conducted by these two entities in 2022 resulted in the theft of $620 million from the Ronin Bridge and an additional $100 million from the Harmony Horizon Bridge.
Beyond the RGB, other North Korean state entities are active in the cyber domain. The Ministry of State Security focuses primarily on espionage campaigns against high-profile targets, while the United Front Department (UFD) concentrates on influence and propaganda operations in support of the regime's strategic objectives.
Over the years, North Korean cyber operations have steadily deepened and diversified, evolving from relatively simple phishing and espionage campaigns into large-scale crypto thefts and increasingly sophisticated hacking techniques.
From 2014 onward, a discernible shift emerged, as the DPRK moved away from sporadic and rudimentary attacks toward a model of "strategic coercion" aimed at both espionage and financial gain. During this phase, operations targeted foreign private companies - most notably the 2014 Sony Pictures attack - as well as critical infrastructure, such as the 2014 breach of Korea Hydro & Nuclear Power (KHNP), and the global financial system through the 2015-2017 SWIFT heists.
By 2017, cyber-enabled theft was increasingly concentrated on cryptocurrencies, driven by a struggling domestic economy and escalating international sanctions. The crypto market was perceived as one characterized by weak security standards, significant liquidity, and a degree of confidentiality, making digital assets particularly well-suited for generating revenue beyond the reach of conventional sanctions. Within just a few years, cryptocurrency theft became central to Pyongyang's economic survival strategy. Indeed, through stolen digital assets, the regime was able to create a kind of "sovereign wealth reserve" that operates largely outside the conventional dollar-based banking system. Estimates suggest that between 2011 and 2020, North Korean hackers stole more than $1 billion in cryptocurrency, followed by an additional $400 million in 2021 alone. An unclassified report from the U.S. Office of the Director of National Intelligence (ODNI) further noted that proceeds from cybercrime in that year were directly used to finance the regime's agenda, particularly its nuclear and missile programs.
In the early 2020s, Pyongyang's operations expanded into what can be described as "industrial-scale cryptocurrency theft", capable of targeting entire blockchain ecosystems. According to multiple open-source assessments, between 2022 and 2024, North Korean cyber groups allegedly stole more than $1 billion annually, with estimated losses reaching $1.7 billion in 2022, $1 billion in 2023, and over $1.3 billion in 2024. The latter year accounted for the largest share of global cryptocurrency losses attributed to ransomware attacks. Additional confirmation of the regime's sustained activity came from South Korea's National Intelligence Service (NIS), which reported in December 2022 that state-sponsored North Korean cyber actors had stolen approximately $1.2 billion in crypto and other virtual assets since 2017. The NIS reported that more than half of these assets - around $626 million - were stolen in 2022 alone, including approximately $78 million diverted directly from South Korean targets. In February 2025, a North Korean APT group allegedly hacked the Dubai-based cryptocurrency exchange platform Bybit, stealing nearly $1.5 billion in digital currencies. Moreover, a report by the cybersecurity firm Trellix indicated that DPRK-affiliated APT groups were responsible for 18.2% of all nation-state cyberattacks recorded between April and September 2025.
The MSMT report, published last October, revealed that North Korea has used virtual assets as a means of payment for transactions involving weapons, related equipment, and raw materials such as gold and copper - all activities prohibited under United Nations Security Council resolutions. According to the analysis conducted by countries participating in the MSMT[1] and coordinated with U.S. cybersecurity firms Mandiant and Chainalysis, North Korea reportedly stole virtual assets worth $2.84 billion between January 2024 and September 2025. In the first nine months of 2025 alone, an estimated $1.65 billion was stolen. In 2024, thefts amounted to approximately $1.19 billion, representing nearly one-third of the country's total foreign currency revenue for that year.
The report also found that the regime has stolen sensitive technological information in military, scientific, and energy-related fields from a set of countries, including the United States, South Korea, China, and the United Kingdom. One notable example is the Andariel group's attack on the South Korean defense industry's supply chain, which resulted in the theft of classified information. Beyond espionage, North Korea has increasingly monetized these operations by selling stolen data and network access on black markets and other illicit platforms. According to the 138-page report, several APT groups attempted in 2024 to sell confidential information obtained from organizations such as NASA, the UAE government, and a Spanish healthcare group to a Russian criminal group known as Stormous.
Since stolen cryptocurrency cannot be used directly without being detected by international monitoring systems, the funds must first be "cleaned" to conceal their origin. This process, known as money laundering, involves transferring assets through intermediaries and technical tools designed to obscure transaction trails. Once laundered, the funds are converted into cash by DPRK agents based overseas. Currently, the regime can rely on networks of North Korean agents and foreign facilitators operating in countries such as China, Russia, Argentina, Cambodia, Vietnam, and the United Arab Emirates. These networks play a critical role in converting stolen digital assets into foreign currency, which is then used to finance the country's WMD and ICBM programs. The report highlights that operators based in Cambodia are, in particular, linked to criminal organizations associated with a major Cambodian financial services company, the Huione Group.
Additionally, the MSMT report has estimated that between 1,000 and 2,000 North Korean IT workers are currently stationed abroad; the majority - between 1,000 and 1,500 - are believed to be based in China. However, participating MSMT states have identified plans by Pyongyang to deploy up to 40,000 workers to Russia, including a contingent of IT specialists. Indeed, North Korean APTs widely collaborate with Russian cybercriminal networks, benefiting from enhanced anonymity and indirect access to money-laundering and cash-out services. According to the analysis, these actors partnered with a Russian broker to withdraw at least $60 million in cryptocurrency, including funds linked to the Bybit attack.
Advances in generative artificial intelligence have significantly enhanced North Korean cyber operations. Over the past two years, the regime has adopted AI tools to strengthen its cybercrime capabilities. Large language model (LLM)-based chatbots, for example, can automate much of the hacking process, generating personalized phishing emails, creating fake résumés, and improving malware code.
In February 2025, OpenAI reported that North Korean APT groups linked to CryptoCore were using its tools. According to the American firm, these groups primarily sought information on troubleshooting software, cyberattack techniques, and cryptography. Another notable example is the North Korean group Konni. During the "Poseidon operation", the group exploited Naver and Google search ads to spread malware with the help of AI tools. Konni also launched a phishing campaign via PowerShell targeting developers and engineering teams in the blockchain industry. A report by the Institute for National Security Strategy (INSS) published in November 2025 also found that AI is accelerating cryptocurrency theft operations. Drawing on publicly available North Korean research papers from 2025, the study indicates that partnerships with Russia and China have played a key role in speeding up AI adoption. In July, Choson Sinbo reported that Pyongyang sent researchers and students specializing in this field to Russia and other countries. Additionally, the INSS report highlighted that national research centers are conducting studies on implementing AI for cyberspace-related purposes, including facial recognition, multi-person tracking algorithms, and voice synthesis technology for mobile devices.
Over the past decade, North Korea has achieved an unprecedented transformation. Once labeled a "hermit state," it has emerged as a global cyber power and a major actor in cryptocurrency theft. This rise has been fueled by a strategic program to develop domestic talent, the support of international partners, and the creation of a global network of overseas IT workforce. The integration of emerging technologies, particularly AI, has further strengthened this capability. The absence of a clear stance by governments and international institutions has created a vacuum that Pyongyang has exploited to bypass sanctions, accumulate wealth and sensitive data, and expand its cyber capabilities. As a result, Kim Jong Un's regime is now a threat not only because of its nuclear arsenal but also due to its cyber power - the backbone of its influence and resilience in the 21st century.
[1] The 11 countries taking part in the MSMT mechanism (also known as "Participating States") are the following: Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, the Republic of Korea (ROK), the United Kingdom, and the United States.