Since the termination of the United Nations (UN) Panel of Experts in April 2024 due to Russia’s veto, the landscape of Democratic People’s Republic of Korea (DPRK) sanctions enforcement has significantly weakened, enabling North Korea to intensify its illicit revenue generation through sophisticated cyber operations. This report details the evolution and persistence of DPRK cyber activities, focusing on prominent case studies and emerging patterns of sanctions violations that have come to light since April 2024, particularly in the context of cyber operations. North Korea’s cyber efforts are a critical strategic asset, primarily aimed at funding its weapons of mass destruction (WMD) and ballistic missile programs and circumventing international sanctions.
2024 was a record year for North Korean cybercrime, with hackers stealing $1.34 billion across 47 incidents, representing 61% of the total amount stolen globally according to public reporting. The first half of 2025 has already surpassed previous records, with over $2 billion in cryptocurrency stolen, of which North Korean hackers are responsible for approximately $1.5 billion. These figures highlight the urgent need for robust and coordinated international countermeasures. DPRK’s targeting of defense companies for industrial theft is a key driver for acquiring critical military technology, with IT worker infiltration playing a significant and evolving role in both financial gains and espionage.
The UN Panel of Experts, established under the UN Security Council Resolution 1718 (2006) to monitor sanctions against North Korea, had its mandate terminated in April 2024 due to a Russian veto. This decision marked a significant blow to international efforts to monitor and address North Korea’s nuclear and military ambitions, leading to a visible weakening of sanctions enforcement. In this void, North Korea has continued, and in many instances escalated, its sanctions violations, with a particular emphasis on illicit cyber activities.
North Korea’s cyber capabilities are central to its statecraft, serving as an “unexpected economic lifeline” by generating billions in revenue. This report, prepared as an update for cyber threat intelligence, will detail key incidents and tactics employed by DPRK cyber actors primarily since April 2024, to highlight the persistent and adaptive nature of this threat.
Escalating Crypto Heists
DPRK cyberattacks are increasing in frequency and scale, with incidents exceeding $50M and $100M now commonplace. Bybit and DMM Bitcoin illustrate Pyongyang’s growing speed and precision in large-scale exploits.
Next-Generation Laundering
North Korean actors rapidly disperse stolen funds across multiple blockchains, leveraging cross-chain bridges and high-volume transfers. This “flood the zone” strategy replaces mixers and aims to overwhelm compliance and investigative efforts.
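The dispersal pattern described above can be measured with a forward-taint trace, which is how a compliance or investigative team would quantify how fast stolen funds fan out across addresses. The Python below is an added example written for this report, not code from any exchange, analytics vendor or the original text; the transfers, the placeholder addresses ("seed", "a1", ...) and the timestamps are constructed sample data. It generalizes beyond the single case in the text: it works for any transfer list, respects time ordering (an address only propagates taint after it has received tainted funds), and cuts off at a configurable window such as the 48 hours cited for Bybit.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime   # block time of the transfer (UTC)
    src: str       # sending address
    dst: str       # receiving address
    amount: float  # amount in token units (not used for tainting, kept for reporting)


# Constructed sample ledger (hypothetical addresses and times, not chain data).
T0 = datetime(2025, 1, 1, 0, 0)


def _h(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)


SAMPLE_TRANSFERS = [
    Transfer(_h(0), "seed", "a1", 100),   # first hop: seed fans out to four addresses
    Transfer(_h(0), "seed", "a2", 100),
    Transfer(_h(1), "seed", "a3", 100),
    Transfer(_h(1), "seed", "a4", 100),
    Transfer(_h(2), "a1", "b1", 50),      # second hop
    Transfer(_h(2), "a1", "b2", 50),
    Transfer(_h(3), "a2", "b3", 100),
    Transfer(_h(40), "b1", "c1", 50),     # third hop, still inside a 48h window
    Transfer(_h(60), "b2", "d1", 50),     # outside the 48h window: excluded
    Transfer(_h(-5), "a3", "z1", 10),     # a3 spent before it was tainted: excluded
    Transfer(_h(5), "x", "y", 7),         # unrelated activity: excluded
]


def trace_dispersal(transfers, seed, window_hours=48):
    """Forward-taint every address that receives funds traceable to `seed`
    within `window_hours` of the seed's first outgoing transfer.

    Transfers are processed in time order, so an address only passes taint on
    for transfers made at or after the moment it became tainted.
    """
    seed_times = [t.ts for t in transfers if t.src == seed]
    if not seed_times:
        return {"seed": seed, "seed_time": None, "tainted": {seed: None}, "hop": {seed: 0}}
    seed_time = min(seed_times)
    deadline = seed_time + timedelta(hours=window_hours)
    tainted = {seed: seed_time}   # address -> time it first held tainted funds
    hop = {seed: 0}               # address -> number of hops from the seed
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.ts > deadline:
            break
        if t.src in tainted and t.ts >= tainted[t.src] and t.dst not in tainted:
            tainted[t.dst] = t.ts
            hop[t.dst] = hop[t.src] + 1
    return {"seed": seed, "seed_time": seed_time, "tainted": tainted, "hop": hop}


def dispersal_summary(trace):
    """Count addresses reached per hop and the time span of the dispersal."""
    per_hop = {}
    for addr, h in trace["hop"].items():
        if h > 0:
            per_hop[h] = per_hop.get(h, 0) + 1
    reached = len(trace["tainted"]) - 1  # exclude the seed itself
    if trace["seed_time"] is None:
        return {"addresses_reached": 0, "per_hop": {}, "span_hours": 0.0}
    span_hours = max(
        (ts - trace["seed_time"]).total_seconds() / 3600 for ts in trace["tainted"].values()
    )
    return {"addresses_reached": reached, "per_hop": per_hop, "span_hours": span_hours}


def is_flood(trace, min_addresses, window_hours=48):
    """Flag a 'flood the zone' dispersal: many distinct addresses reached fast.
    `min_addresses` is a tuning knob; a production threshold would be far
    higher than the handful used with the sample ledger."""
    s = dispersal_summary(trace)
    return s["addresses_reached"] >= min_addresses and s["span_hours"] <= window_hours


if __name__ == "__main__":
    trace = trace_dispersal(SAMPLE_TRANSFERS, "seed")
    print(dispersal_summary(trace))          # {'addresses_reached': 8, 'per_hop': {1: 4, 2: 3, 3: 1}, 'span_hours': 40.0}
    print(is_flood(trace, min_addresses=5))  # True
```

On the sample ledger the trace reaches eight addresses across three hops within 40 hours, while the late transfer to d1, the pre-taint spend to z1 and the unrelated x/y transfer are correctly left out. Against real chain data the same routine would be run on the exchange's known hot-wallet addresses as seeds, with the window and address threshold tuned to the chain's block cadence.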
IT Worker Infiltration as Core Sanctions Evasion
Thousands of DPRK operatives secure global employment under false identities, particularly in tech, crypto, and defense sectors. These infiltrations generate revenue, plant malware, and exfiltrate sensitive data while increasingly integrating AI tools to enhance deception and cyber operations. The emergence of “Research Center 227” highlights AI’s central role in future DPRK operations.
Targeting Defense Technology
North Korea systematically seeks military technologies, including nuclear, aerospace, naval, and advanced manufacturing, through both direct hacks and insider infiltration, reinforcing the dual financial–espionage value of IT worker schemes.
Strategic Alignment with Russia
The June 2024 defense pact deepens cooperation with Moscow, enabling DPRK to leverage Russian infrastructure for laundering, recruitment, and operations. This alignment raises the risk of combined DPRK financial cybercrime with Russian destructive capabilities.
Operational Shifts Post-Summit
Following a record-breaking first half of 2024, stolen amounts fell by approximately 54% after July 2024. The slowdown coincided with the Putin–Kim summit, suggesting possible resource diversion toward the Ukraine war or recalibration of cyber priorities.
Fragmented International Response
The Multilateral Sanctions Monitoring Team (MSMT, Feb 2025) marked a coordinated response by 11 nations, with U.S.–Japan–ROK cooperation intensifying. Yet gaps remain due to China and Russia’s absence, regulatory blind spots in crypto, and the DPRK’s large, unlaundered crypto reserves.
North Korean hackers, notably groups like Lazarus Group (also known as APT38, BlueNoroff, Stardust Chollima, HIDDEN COBRA, TEMP.Hermit), Andariel (APT45, Stonefly, Silent Chollima, Onyx Sleet, Jumpy Pisces), and Kimsuky (APT43, TEMP.Firework, Emerald Sleet, Velvet Chollima), are known for their sophisticated and relentless tradecraft. U.S. and international officials consistently assess that Pyongyang uses stolen cryptocurrency to finance its WMD and ballistic missile programs. The former U.S. Deputy National Security Advisor for Cyber and Emerging Technology noted that more than half of North Korea’s nuclear weapons funding comes from illicit cyber operations.
The scale of cryptocurrency theft attributed to North Korea has been substantial and continues to grow.
North Korean cyber actors have proven agile in adapting their approaches, techniques, and tactics, compromising both high-value and smaller-scale crypto firms.
Since the dissolution of the UN Panel of Experts in April 2024, several significant incidents and persistent patterns of DPRK cyber-enabled sanctions violations have been documented:
1. The Bybit Hack (February 2025): This event stands as the largest cryptocurrency theft in history, with North Korean hackers stealing approximately $1.5 billion in Ethereum from the Dubai-based crypto platform Bybit on or about February 21, 2025.
Attribution: The FBI attributed this massive heist to North Korean actors, codenaming the activity "TraderTraitor". The Lazarus Group was specifically linked to the attack.
Methodology: Attackers exploited a vulnerability in third-party wallet software during a fund transfer. The underlying cause appeared to be "Blind Signing," where a smart contract transaction is approved without comprehensive knowledge of its contents.
Laundering Operations: Following the theft, TraderTraitor actors rapidly converted some of the stolen assets to Bitcoin and other virtual assets, dispersing them across thousands of addresses on multiple blockchains. At least $160 million was laundered within the first 48 hours. This rapid laundering suggests an expansion of North Korea’s money laundering infrastructure or enhanced capacity in underground financial networks. North Korea has shown increasing reliance on cross-chain bridges and high-volume transaction strategies to obfuscate funds, shifting away from traditional mixers due to heightened scrutiny. This "flood the zone" technique aims to overwhelm compliance teams and investigators with rapid, high-frequency transactions across multiple platforms.
2. DMM Bitcoin Exploit (May 2024): In May 2024, Japanese cryptocurrency exchange DMM Bitcoin suffered a security breach resulting in the loss of approximately 4,502.9 Bitcoin, valued at $305 million at the time.
Attribution: North Korean cyber actors were identified as the main suspects.
Methodology: The attackers targeted vulnerabilities in DMM’s infrastructure, leading to unauthorized withdrawals. Notably, a North Korean cyber actor took on the persona of a recruiter on LinkedIn to initiate the attack chain.
3. WazirX Exchange Breach (July 2024): North Korean state-sponsored hackers stole $235 million from WazirX, India’s largest cryptocurrency exchange, in July 2024. This incident was part of a broader campaign that netted $659 million through multiple cryptocurrency heists in 2024.
4. Infiltration Attempt at KnowBe4 (July 2024): In July 2024, cybersecurity firm KnowBe4 became a target when a North Korean operative successfully posed as a Principal Software Engineer using a stolen U.S. identity and an AI-enhanced deepfake photo.
Incident Details: Malware was detected and contained within 25 minutes of the workstation being connected at a "laptop farm" address, preventing data loss but highlighting the sophistication of such infiltration. No illegal access was gained, and no data was lost or exfiltrated.
Significance: This case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats.
5. North Korean Collaboration with the Play Ransomware Group (September 2024): In September 2024, incident responders identified a collaboration between hackers affiliated with North Korea’s Reconnaissance General Bureau (RGB), specifically "Jumpy Pisces" actors, and the financially motivated Play ransomware group.
Methodology: North Korean actors performed the initial work of gaining access to the victim organization’s systems through a compromised user account in May 2024. They moved laterally and maintained access using custom-made malware called DTrack, an infostealer previously linked to North Korean threat groups.
Implications: This incident signals North Korea’s deeper involvement in the ransomware landscape and indicates an expansion of their targeting, suggesting that their activity should be viewed as a potential precursor to ransomware attacks, not just espionage.
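The "Blind Signing" weakness noted under item 1 can be illustrated by contrasting a signer that approves opaque calldata with one that decodes the calldata and checks it against the transfer the operator actually intended before approving. The Python below is an added example, not code from Bybit, any wallet vendor or this report; the ERC-20 transfer(address,uint256) ABI layout and its 0xa9059cbb selector are standard, while the addresses and amounts are constructed.

```python
from dataclasses import dataclass

# First four bytes of keccak256("transfer(address,uint256)"): the standard ERC-20 selector.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


@dataclass(frozen=True)
class IntendedTransfer:
    """What the human operator believes they are approving."""
    to: str      # 0x-prefixed 20-byte hex address
    amount: int  # token base units


def encode_erc20_transfer(to: str, amount: int) -> bytes:
    """Build ABI calldata for transfer(address,uint256): selector, then two 32-byte words."""
    addr = bytes.fromhex(to[2:])
    if len(addr) != 20 or not (0 <= amount < 2**256):
        raise ValueError("bad address or amount")
    return TRANSFER_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_erc20_transfer(calldata: bytes):
    """Return (to, amount) for a well-formed transfer call, else None.

    Any other selector (an approve(), a proxy upgrade, a delegatecall wrapper)
    is deliberately reported as None so the caller refuses to sign it."""
    if len(calldata) != 4 + 64 or calldata[:4] != TRANSFER_SELECTOR:
        return None
    word_to, word_amount = calldata[4:36], calldata[36:68]
    if any(word_to[:12]):  # an address word must be zero-padded on the left
        return None
    return "0x" + word_to[12:].hex(), int.from_bytes(word_amount, "big")


def blind_sign(calldata: bytes) -> bool:
    """The weak pattern: approve whatever the wallet front end hands over."""
    return True


def verified_sign(intended: IntendedTransfer, calldata: bytes) -> bool:
    """The hardened pattern: sign only if the calldata is exactly the intended transfer."""
    decoded = decode_erc20_transfer(calldata)
    if decoded is None:
        return False
    to, amount = decoded
    return to == intended.to.lower() and amount == intended.amount


if __name__ == "__main__":
    # Constructed addresses and amounts for illustration only.
    intended = IntendedTransfer("0x" + "11" * 20, 10**18)
    honest = encode_erc20_transfer(intended.to, intended.amount)
    swapped = encode_erc20_transfer("0x" + "22" * 20, intended.amount)  # recipient replaced
    print(blind_sign(swapped), verified_sign(intended, swapped))  # True False
```

The point of the check is that the signer's decision depends on independently decoded calldata rather than on what a (possibly compromised) front end displays; a hardware or multi-signature workflow should surface the decoded recipient and amount to each approver in the same way.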
The DPRK’s targeting of defense companies for industrial theft is driven by its need to acquire critical military technology: North Korea’s emphasis on military strength and its ambition to modernize its conventional weapons and develop new strategic weapon systems, including ballistic missiles, reconnaissance satellites, and submarines, directly fuels its cyber espionage efforts. Cyber espionage is a cost-effective means for Pyongyang to obtain these technologies.
In February 2025, North Korean hackers conducted an espionage campaign against South Korean entities, exfiltrating system reconnaissance data from potentially thousands of machines. In April 2025, North Korean cyber spies were noted to be expanding infiltration operations to target European defense and government organizations.
The Role of DPRK IT Worker Infiltration in Acquiring Critical Military Technology: DPRK IT worker infiltration plays a significant and multifaceted role in this drive, acting as both a direct and indirect enabler of industrial theft and espionage:
Direct Espionage and Data Exfiltration: DPRK IT workers, often operating under false pretences from countries like China and Russia, gain remote employment at unsuspecting companies, including those in the technology, defense, and financial services sectors. Once embedded, these operatives introduce malware, exfiltrate proprietary and sensitive data, source code, and intellectual property. This directly includes critical military technologies and dual-use technologies relevant to defense industries, aerospace, and shipbuilding. They have also engaged in corporate espionage, with the ability to extort former employers by threatening to release sensitive data.
Facilitation of Hacking Operations: The information gathered by IT workers, even if they are initially unaware of its ultimate use, can highlight vulnerabilities and access vectors for dedicated North Korean hacking teams. This blurs the traditional distinction between APT operators and IT workers, as they increasingly function as a single enterprise supporting regime priorities. These workers can install backdoors and provide persistent access to corporate networks for more sophisticated cyber units.
Revenue Generation for WMD Programs: The primary objective of these IT worker schemes is to generate illicit revenue for the North Korean regime. Estimates suggest these workers generate hundreds of millions of dollars annually, with the regime retaining a significant portion (up to 90%). This funding directly supports North Korea’s WMD and ballistic missile programs, which include the very military technologies they seek to acquire or develop. Therefore, even when IT workers are primarily focused on earning money, their activities indirectly fuel the broader military technology acquisition goals.
Advanced Deception and AI Integration: DPRK IT workers employ sophisticated tactics, including fraudulent documents, stolen identities, false personas (some using U.S. nationalities), AI-generated or AI-manipulated photos, and manipulating remote work opportunities to gain access. They leverage online platforms like GitHub, LinkedIn, and Upwork to create fake profiles and portfolios. They obscure their true locations using VPNs, virtual private servers (VPSs), and proxy services, often working night shifts to mimic U.S. daytime hours. The use of "laptop farms" where U.S.-based facilitators host company laptops further enables remote access and deception. These workers are increasingly leveraging AI tools like ChatGPT, FaceSwap, and generative AI coding assistants (e.g., Microsoft Copilot) to create convincing fake identities, enhance phishing attacks, and automate offensive cyber operations. The establishment of Research Center 227, an AI-driven cyber warfare unit, specifically aims to develop AI hacking technologies to enhance the DPRK’s offensive cyber capabilities, including information theft.
The demise of the UN Panel of Experts in April 2024, due to Russia’s veto, has created a significant void in independent, comprehensive international monitoring of DPRK sanctions. This has arguably emboldened North Korea’s illicit activities.
In response to this void, an eleven-nation Multilateral Sanctions Monitoring Team (MSMT) was formed in February 2025, comprising Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea, the United Kingdom, and the United States. This voluntary collective aims to monitor sanctions outside the UN framework, but its effectiveness without the participation of North Korea’s largest trading partners (China and Russia) and without the UN’s authority remains a critical question.
A significant development impacting the DPRK’s cyber threat posture is its growing alliance with Russia. In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong Un signed a mutual defense pact in Pyongyang. This alliance has seen Russia release millions of dollars in previously frozen North Korean assets, while North Korea has supplied Russia with ballistic missiles and troops for the conflict in Ukraine, reportedly in exchange for advanced space, missile, and submarine technology. This partnership could lead to a "more formidable and hostile cyber alliance," combining Pyongyang’s cybercrime expertise with Moscow’s destructive cyber capabilities. North Korea’s reliance on Russian infrastructure for routing attacks, IT deployments, recruitment, communication, and cryptocurrency laundering has also increased.
Interestingly, while 2024 saw North Korean cyber activity soar in the first half of the year, there was a stagnation in overall hacking activity in Q3 and Q4 2024. This coincided with the Putin-Kim summit, suggesting a possible redirection of military resources toward the Ukraine conflict or an alteration in cybercriminal activities, though a direct causal link is not definitively established.
International responses have included increased sanctions and legal actions:
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued multiple sanctions targeting individuals and entities involved in DPRK IT worker schemes. For example, on July 8, 2025, OFAC sanctioned Song Kum Hyok, a DPRK cyber actor associated with Andariel, and individuals/entities involved in a Russia-based IT worker network. On August 27, 2025, OFAC sanctioned Vitaliy Sergeyevich Andreyev (Russian national), Kim Ung Sun (DPRK consular official), Shenyang Geumpungri Network Technology Co., Ltd (Chinese front company), and Korea Sinjin Trading Corporation for facilitating IT worker schemes and funneling millions to North Korea’s weapons programs.
The U.S. Department of Justice (DOJ) has been actively disrupting these schemes. This includes indicting 14 DPRK nationals who obtained employment as remote IT workers and generated over $88 million by stealing proprietary information and extorting employers. In June 2025, the DOJ sought civil forfeiture of over $7.7 million in cryptocurrency, NFTs, and digital assets tied to a laundering network operated by North Korean IT workers. An Arizona woman received an eight-year prison sentence in July 2025 for running a laptop farm.
South Korea and its allies have intensified their response, including targeted sanctions. In December 2024, South Korea issued sanctions targeting 15 North Korean IT professionals and an entity involved in money laundering. Bilateral and trilateral cooperation with the U.S. and Japan, including working groups and joint military-cyber drills, aims to monitor and counter North Korean cyber activity and sanctions evasion.
To effectively counter North Korea’s persistent and evolving cyber threat, a multi-layered defense strategy is crucial:
Thorough Employment Due Diligence: Companies must prioritize rigorous background checks, identity verification (including using specialized firms and AI detectors for deepfakes), and scrutinize applicants from high-risk regions or those with suspicious credentials, particularly for remote IT positions.
Robust Technical Safeguards: Implement and enforce multi-factor authentication (MFA) across all access points, especially for privileged accounts. Employ strong private key hygiene, cold storage, and multi-signature wallets for crypto assets. Utilize endpoint detection and response (EDR) solutions, network segmentation, firewalls, intrusion detection systems (IDS), and VPNs for secure remote access.
Continuous Monitoring and Threat Detection: Deploy Security Information and Event Management (SIEM) systems for real-time analysis of security alerts and anomalies in network traffic or user behavior. Ingest logs from video conferencing applications and CRM solutions to detect insider threats. Monitor for unusual IP addresses, VPN usage, unauthorized remote desktop software, abnormal work hours, heavy use of AI, and discrepancies in video calls. Stay informed about emerging threats and attack patterns through threat intelligence feeds.
Employee Training and Awareness: Conduct regular training on recognizing and reporting phishing attempts and social engineering tactics. Foster a culture of caution and responsibility among staff, especially those managing remote workers, and provide incident reporting channels.
Incident Response and Recovery: Develop and regularly test comprehensive incident response plans and robust backup/recovery solutions. Conduct post-incident analyses to improve defenses.
Information Sharing and Collaboration: Organizations should proactively share information on suspicious employees or applicants with industry peers and law enforcement. International cooperation, particularly in strengthening KYC/AML frameworks in vulnerable jurisdictions, is essential to disrupt money laundering pathways and freeze illicit assets. Institutionalizing joint mechanisms for sustained cooperation between governments is critical, along with coordinated sanctions, public attribution, and shared sanctions lists targeting North Korean hacking entities.
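The indicators listed under Continuous Monitoring and Threat Detection (unusual IP addresses, VPN usage, unauthorized remote desktop software, abnormal work hours, and several accounts sharing one laptop-farm host) can be expressed as detection logic run over endpoint and identity logs. The Python below is an added example, not a tool from this report or any vendor; the log events, employee profiles, the VPN/hosting ranges (drawn from the TEST-NET-2 block) and the approved-tool lists are constructed sample data. The remote-access tool names are real product executables used only as strings to match against.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed employee profiles: the home time zone each remote worker claims
# (as a UTC offset in hours) and the remote-access tools approved for them.
PROFILES = {
    "jdoe": {"utc_offset": -5, "approved_tools": set()},    # claims US East Coast
    "asmith": {"utc_offset": -8, "approved_tools": set()},  # claims US West Coast
}
WORK_START, WORK_END = 7, 20  # local hours treated as normal (end exclusive)
# Constructed ranges standing in for commercial VPN / VPS egress space.
VPN_OR_HOSTING = [ipaddress.ip_network("198.51.100.0/24")]
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Constructed sample events (JSON lines, UTC timestamps), not from any real incident.
SAMPLE_EVENTS = [
    '{"type":"login","user":"jdoe","src_ip":"203.0.113.10","ts":"2025-03-03T14:05:00Z"}',
    '{"type":"login","user":"jdoe","src_ip":"198.51.100.7","ts":"2025-03-04T07:30:00Z"}',
    '{"type":"login","user":"asmith","src_ip":"198.51.100.7","ts":"2025-03-04T08:10:00Z"}',
    '{"type":"process","user":"jdoe","name":"AnyDesk.exe","ts":"2025-03-04T07:45:00Z"}',
    '{"type":"process","user":"asmith","name":"Code.exe","ts":"2025-03-04T08:20:00Z"}',
]


def _parse_ts(ts: str) -> datetime:
    # "Z" suffix is only accepted by fromisoformat on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def analyze(event_lines):
    """Return a list of findings, each {"rule", "user", "detail"}."""
    findings = []
    users_by_ip = defaultdict(set)
    for line in event_lines:
        ev = json.loads(line)
        user = ev["user"]
        profile = PROFILES.get(user)
        if profile is None:
            findings.append({"rule": "unknown_user", "user": user, "detail": "no HR profile"})
            continue
        if ev["type"] == "login":
            ip = ipaddress.ip_address(ev["src_ip"])
            users_by_ip[ip].add(user)
            # Abnormal work hours: convert the UTC login hour to the claimed local zone.
            local_hour = (_parse_ts(ev["ts"]).hour + profile["utc_offset"]) % 24
            if not WORK_START <= local_hour < WORK_END:
                findings.append({"rule": "off_hours", "user": user,
                                 "detail": f"local hour {local_hour:02d} from {ip}"})
            # VPN / hosting egress: the worker is not where the profile says.
            if any(ip in net for net in VPN_OR_HOSTING):
                findings.append({"rule": "hosting_or_vpn_ip", "user": user,
                                 "detail": f"login from {ip}"})
        elif ev["type"] == "process":
            name = ev["name"].lower()
            # Unauthorized remote desktop software on a company endpoint.
            if name in REMOTE_ACCESS_TOOLS and name not in profile["approved_tools"]:
                findings.append({"rule": "remote_tool", "user": user, "detail": name})
    # Laptop-farm indicator: several accounts authenticating from one source address.
    for ip, users in users_by_ip.items():
        if len(users) > 1:
            findings.append({"rule": "shared_ip", "user": ",".join(sorted(users)),
                             "detail": f"{len(users)} accounts logged in from {ip}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:<18} {f['user']:<14} {f['detail']}")
```

Each rule is weak on its own (a genuine employee travels, works late, or uses a VPN), which is why the output is a list of findings per account rather than a verdict: the combination of off-hours logins, VPN egress, an unapproved remote-access tool and a source address shared with a second account is the pattern worth escalating to HR and security together.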
North Korea’s cyber operations have evolved into a sophisticated global criminal enterprise, demonstrating remarkable adaptability and resourcefulness in generating billions of dollars to fund its illicit weapons programs. The demise of the UN Panel of Experts has created a challenging environment for international sanctions enforcement, further complicated by North Korea’s deepening alliance with Russia and its increasing use of advanced technologies, including AI, to refine its attack methods and deception tactics.
The significant increase in crypto thefts in 2024 and the record-breaking figures in the first half of 2025, dominated by North Korean actors, highlight that this threat is not diminishing. North Korea’s relentless targeting of defense companies for industrial theft to acquire critical military technology underscores its strategic objectives, with IT worker infiltration serving as an insidious and highly effective vector for both financial gains and espionage. To effectively combat North Korea’s digital mafia, sustained vigilance, enhanced organizational cyber resilience, and robust international cooperation, including information sharing, coordinated sanctions, and capacity building, are more critical than ever before. Without such concerted efforts, North Korea will continue to exploit vulnerabilities in the global digital and financial ecosystems, posing a severe and evolving threat to international peace and security.