North Korea - State Sponsored Cyber Attacks Exposed (2026)

How North Korea funds its regime through cyberattacks: the hacking groups, the crypto heists, and the $6 billion stolen from global financial systems.

May 4, 2026

The menace of North Korea's hacking capabilities has grown exponentially over the past decade, causing widespread concern among cyber security experts, especially in the last few months. The Democratic People's Republic of Korea (DPRK) is a world leader in State Sponsored Cyber Attacks that target Google operating systems, crypto exchanges, consumer-based purchasing platforms, FINTECH organizations, Western Governments' critical infrastructure and a dizzying array of corporations in the Cyber Security related industries. In November 2025 the Google Threat Intelligence Group (GTIG) issued a report on the DPRK confirming that it "is now using sophisticated AI methodology in these Cyber Attacks, a development that is sounding alarms with key global cybersecurity companies."

While Western media outlets voice their deepest fears about the DPRK's AI hacking capabilities, the question that astounds this writer is why the world's Cyber Security experts did not predict that this would happen at the speed and level of sophistication that it has. The GTIG and its Cyber Security cloud arm Mandiant also released a report this past February identifying a State Sponsored Cyber Attack group termed 'UNC1069' that is controlled by the DPRK. But GTIG had been tracking UNC1069 for the past eight years. The report stated that UNC1069 "is a financially motivated threat actor that is suspected with high confidence to have a North Korea nexus and that has been tracked by Mandiant since 2018."

A Criminal State by Design: The DPRK's Long History of Economic Crimes

The history of the DPRK engaging in State Sponsored Cyber Attacks is a natural progression of the Hermit Kingdom's sordid history of global economic and political subterfuge, which predates the internet and dates back to the inception of the DPRK in 1948. The DPRK's transition to a full-fledged State Operated Transnational Organized Crime (SOTOC) entity evolved in the 1970s in the international illicit narcotics market, as well as in illegal arms sales and a host of other criminal activities including counterfeiting US currency. The DPRK has been engaging in economic crimes for decades and "there have been numerous counterfeiting incidents tied to the DPRK and indications that even as far back as the 1950s". Today the DPRK is a well-recognized APT (Advanced Persistent Threat).

The DPRK's advancement in SOTOC activities over the last 20 years mirrors its achievements in science and technology, which culminated in the successful attainment of nuclear weapons over the same era despite strenuous US efforts and international sanctions to rein in the brutal regime of Kim Jong-un. Indeed, the DPRK's sophisticated Command and Control mechanisms that oversee and direct both the military and state sponsored cyber attacks against Western nations are a serious threat to world peace that should not be underestimated. But one should not forget that the DPRK would never have risen to this stature without the help of its only two allies, China and Russia. As a key member of the 'Russia-China Nexus' the DPRK has both the funding and the political will to continue on its dark path of disrupting global cyberspace with near impunity.

The Attacks: From Sony Pictures to Billion-Dollar Crypto Heists

Just in the past fortnight the Drift Protocol platform suffered a State Sponsored Cyber Attack in which actors with links to the DPRK stole over 270 Million USD in cryptocurrency. Fingers have been pointed at the dreaded 'Lazarus Group', 'Kimsuky' and 'Andariel', all of whom are confirmed threat actors of the DPRK. These three threat actors all played decisive roles in the heist.

The Drift Protocol case is probably the most sophisticated crypto theft carried out by a State Sponsored Cyber Attack in history. But this should not be surprising. Over a decade ago, on November 24, 2014, Sony Pictures sustained a major hack when a group identifying itself as the 'Guardians of Peace' gained control of Sony's systems and then demanded that the film production company cancel an upcoming movie entitled 'The Interview'. The film was a political satire highly offensive to the DPRK regime and its Supreme Leader Kim Jong-un. Sony ended up cancelling the US-wide release of 'The Interview' due to threats of terrorism made by the 'Guardians of Peace' against the movie theatres that had planned to screen the movie. It caused a political uproar at the time and drew in US President Barack Obama and several US Intelligence agencies, who finally concluded that the DPRK was the culprit of the hack, with the Lazarus Group directing the operations.

In March 2022 the DPRK was behind a 615 Million USD theft of cryptocurrency from the Ronin Network, which supports the popular blockchain gaming site Axie Infinity. It was at the time the largest cryptocurrency hack ever; Axie Infinity runs on blockchain technology for its customer transactions. Investigations carried out by the FBI and US Department of Justice (DOJ) "sanctioned a cryptocurrency wallet used by attackers to receive stolen funds".

A few months before the Axie Infinity hack the Poly Network site was hacked and over 600 Million USD in cryptocurrency was stolen. But in this case it was not the DPRK. It was an 'Ethical Hacker' who was dubbed 'Mr. White Hat'. All the stolen funds were returned to Poly Network, highlighting industry allegations that many crypto exchanges are lax on security and are not adequately securing their own networks, a prevailing theme these days with the recent large scale crypto theft cases.

In the Poly Network hack Mr. White Hat was offered a 500,000 USD bounty by Poly Network but he refused the reward. The company even thanked Mr. White Hat in a statement it released at the time. "We would like to thank ['Mr. White Hat' for] his commitment for helping us improve Poly Network's security and hope he will help contribute to the blockchain sector's continued development." Lucky for Poly Network that this was an ethical hack and not a State Sponsored Cyber Attack carried out at the behest of the DPRK.

How Cybercrime Became North Korea's Financial Backbone

The DPRK's ascension to being internationally recognized as second only to China in State Sponsored Cyber Attacks has greatly benefitted the brutal regime of Kim Jong-un. It is currently estimated that "one third to a half of North Korea's budget comes from cyberfraud and extortion. Most of these crimes are aimed at the financial services industry, including banks, crypto exchanges, and payments providers." The DPRK runs its offensive cyber warfare units under the Command and Control of the Reconnaissance General Bureau (RGB), the main intelligence agency that oversees all other such agencies in the DPRK. Known DPRK SOTOC units such as 'Lazarus Group', 'Kimsuky', 'Andariel' and UNC1069 all report directly to the RGB.

The RGB's cybercrime units have indeed been a financial boon for the DPRK. "Elliptic (a cyber security company) estimates that 2025's bumper year so far takes the cumulative known value of crypto assets stolen by the regime to more than $6bn." With such massive revenues the DPRK has every motive to protect its State Sponsored Cyber Attack capabilities, which have become a vital strategic asset to the Kim Jong-un regime.

The Human Cost: Starvation at Home, Billions Abroad

The RGB (especially since the 2010s) has created a stable and burgeoning revenue stream generated by cybercrime activities that funds the nuclear weapons program and the extravagant lifestyles of Kim Jong-un and the elite in North Korean society, despite numerous economic sanctions put in place by the US Government, the EU, the UN and the international community. This is done at the expense of the average citizen in the country, most of whom suffer from severe food insecurity and violent political repression. Simply put: due to the regime's siphoning of the majority of State funds for its own benefit, the people of North Korea are literally starving, and "Despite North Korea's effort to increase domestic food production, around half the population, some 12 million people, remain undernourished."

While its people go hungry the DPRK ruthlessly expands its efforts not only in cybercrime theft but also in the level of sophistication with which it launders money from its ill-gotten gains. The US and NATO member countries have maintained sanctions against the DPRK for well over two decades with mixed results. The U.S. Treasury Department's AML (Anti-Money Laundering) efforts to clamp down on the DPRK seem to have emboldened the North Korean regime to come up with ingenious methods to circumvent the sanctions and successfully launder money. "Over the past three years, North Korean malware and social engineering schemes have diverted more than $3 billion, mostly in digital assets" back to the coffers of Kim Jong-un, according to the U.S. Treasury Department's Office of Foreign Assets Control. The DPRK uses these funds to support its nuclear program and illegal arms sales, and uses a matrix of banks, shell corporations and international criminal networks to get the cash back to Pyongyang.

Office 39: The Regime's Shadow Financial Engine

North Korea has (since at least the 1970s) maintained and developed business relationships with Transnational Organized Crime (TOC) actors in the illicit arms trade and in the illegal gambling sector. "The country has adapted to the changing landscape of illegal online gambling sites and online scams, and – crucially – has exploited money-laundering ecosystems and technologies targeted to transnational criminal groups driving the cyber scam industry." The DPRK's control of its laundered foreign currency rests with a shadowy intelligence unit, 'Office 39' (also known as 'Bureau 39'), which is operated by the RGB. Office 39 is widely believed to control the personal wealth of Kim Jong-un. In February this year Office 39's long-time Director Sin Ryong-man was sacked and replaced by another regime loyalist, Han Sang-man, who is believed to be much more technically qualified than his predecessor. The convergence of Office 39 working in tandem with the RGB units that undertake State Sponsored Cyber Attacks (such as the 'Lazarus Group', 'Andariel' and UNC1069) has successfully closed the circle from the foreign currency revenue of the DPRK's cybercrime activities to the personal accounts of Kim Jong-un and other regime leaders.

According to an Office 39 operative who defected to South Korea in 2018, the 'Office' "runs a network of companies around the world involved in both illegal and legal trade and is estimated to bring between $US500 million ($639 million) to $US2 billion ($2.5 billion) a year into North Korea". Office 39 handles all foreign exchange of the RGB's cybercrime assets (the majority of which is in cryptocurrency) and all cash transactions brought in through large scale smuggling of heroin, amphetamines and opioids. "Office 39 is believed to have trained chemists to produce amphetamines and opioids which were sold in Japan and other parts of Asia."

The high level of sophistication and operational capability that the RGB deploys to enrich the family of Kim Jong-un is staggering. In addition to narcotics trafficking, Office 39 is also intimately involved in the coding and selling of online gambling sites that are pre-infected with malware when sold, a development that is worrying industry experts. The South Korean intelligence agency NIS claims that "the websites it has investigated contained malicious code in a feature that made automatic bets. The threat actors use the code to steal the personal information of gamblers, and have attempted to sell approximately 1,100 pieces of personal data pertaining to South Korean citizens".

Sanctions Are Not Enough: What Needs to Change

Billions of laundered funds are flowing into the DPRK every year despite all the US and international sanctions against it. And those numbers are increasing literally on a daily basis. North Korea is now an affirmed State Operated Transnational Organized Crime empire with global reach. Greater attention to and enforcement of sanctions is only part of the solution in eradicating North Korea's cybercrime capabilities. The e-commerce industry itself must fully prioritize cyber security and defence mechanisms to counter the DPRK menace. "Hybrid warfare and state-sponsored cyberattacks are the new normal, costing the world over $10 trillion each year." It's abundantly clear that past and current sanctions are not enough to stop the DPRK on its cybercrime rampage. The US Government, the EU and the UN must all do more to curtail the regime of Kim Jong-un. If not, the illegal income of the DPRK will just grow unabated and cause untold damage, which could include a large scale meltdown of the global financial ecosystem.