North Korea is one of the main perpetrators of the growing threat to cyber security. At least since the attack on Sony Pictures in 2014, the country has been perceived as a major cyber player on the international stage. Since then, Pyongyang has used its hacking skills to circumvent international sanctions and steal funds.
Pyongyang was able to use the captured funds to finance the development of its nuclear and missile program. North Korea also uses cyber operations for (digital) espionage. The targets are wide-ranging: the operations are directed against universities, human rights organizations and media companies, aim to create discontent or distrust through election fraud, and attack critical national infrastructure. The increasing importance of North Korea in the area of cybercrime and cybersecurity is also the reason why we maintain a separate blog post on the topic here.
As an example, a study by Recorded Future’s Insikt Group paints an alarming picture of North Korean cybercrime. These activities, which have increased since 2017, target the cryptocurrency industry and have enabled North Korea to steal an estimated 3 billion dollars in cryptocurrencies.
Development of North Korean cybercrime
Having originally concentrated on hacking the SWIFT network of financial institutions, North Korea shifted its focus to the cryptocurrency sector with the cryptocurrency boom in 2017. Starting from the South Korean market, the radius of action quickly expanded to the whole world. In 2022 alone, thefts worth 1.7 billion dollars were attributed to North Korean threat actors, which has enormous economic and military implications for the country.
Methods and goals
The tactics of North Korean cybercriminals are similar to those of traditional cybercrime groups, but with state support and on a much larger scale. Their targets are not only cryptocurrency exchanges, but also individuals, venture capital firms and alternative technologies. Stolen identities and manipulated photos are used to circumvent anti-money laundering measures.
Effects and future prospects
The stolen funds flow to the regime and finance military and armaments programs. This represents a significant source of income for the North Korean regime, especially under the existing international sanctions. The rising number of cryptocurrency thefts and rocket launches suggests that without stronger regulation and investment in cybersecurity, North Korea will continue to target the cryptocurrency industry.
Conclusion on North Korea and cryptocurrencies
North Korea’s elite computer scientists play a crucial role in these cyberattacks despite restrictions and isolation. There is a growing need for stricter cybersecurity measures and regulations to effectively combat this threat. The cryptocurrency industry and traditional financial institutions must remain vigilant to protect themselves from this growing threat.
UN: North Korea still of increasing importance in cybercrime
An unpublished United Nations report obtained by Reuters reveals that North Korea has raised around $3 billion through cyber attacks to fund its nuclear weapons program. Despite UN Security Council sanctions, North Korea has continued to expand its nuclear weapons and missile program, including the development of a tactical nuclear submarine. The Security Council, which has imposed sanctions on North Korea since 2006, prohibits the country from conducting nuclear tests and missile launches. The sanctions monitors are investigating 58 alleged cyberattacks by North Korea on cryptocurrency companies between 2017 and 2023. North Korea has so far denied the allegations.
The report, which is due to be published soon, also reveals that North Korean hacker groups belonging to the country’s main intelligence agency have carried out numerous cyber attacks, including attacks on defense companies. An easing of sanctions by the UN Security Council seems unlikely, as China and Russia are blocking such a measure. Instead, they are pushing for détente in order to persuade North Korea to engage in denuclearization talks. North Korea has also deepened its military ties with Russia, although both countries deny accusations that weapons are being supplied to Russia for the war in Ukraine.
The sanctions monitors examine reports of North Korean violations of the arms embargo and report on North Korean citizens working abroad despite the sanctions. Despite the strict lockdown during the pandemic, North Korea’s trade has recovered, including the import of luxury goods, the sale of which to North Korea is prohibited. North Korea’s access to the international financial system and illegal financial transactions continue to violate UN resolutions.
State hackers at a glance
The most significant international actors include state actors from Russia, China and Iran. These countries use various tactics to promote their geopolitical interests and undermine the stability of European democracies.
In addition to the main actors named below, there are also other countries and non-state actors that attempt to influence elections in Europe. These include, for example, groups acting on behalf of governments or in their own interests to advance certain political agendas. These actors use a variety of methods, including cyberattacks, disinformation, economic pressure and diplomatic maneuvers to achieve their goals. The European Union and its Member States face the challenge of recognizing and countering these threats in order to protect the integrity of their democratic processes.
Russia
Russia is known for its extensive disinformation campaigns and cyberattacks aimed at weakening trust in democratic processes. Some of the best-known examples include influencing the 2016 US elections and attempts to influence the Brexit vote. Russian actors often use social media platforms to spread false information and deepen social divisions.
China
China is increasingly relying on cyberattacks and disinformation campaigns to expand its influence in Europe. Chinese hacker groups are known for conducting industrial espionage and stealing sensitive information that can then be used to influence political decisions. China is also trying to manipulate public opinion in Europe by spreading pro-Chinese narratives in the media.
Iran
Iranian actors also use disinformation campaigns and cyberattacks to pursue their geopolitical goals. These campaigns are often aimed at destabilizing the policies of the US and its allies in Europe. Iranian hacker groups use similar techniques to their Russian and Chinese counterparts.
North Korea
North Korea is another international actor trying to influence elections and political processes worldwide, including in Europe, through cyber activities. While North Korea is less of a focus compared to Russia, China and Iran, there is still significant activity emanating from North Korean actors. North Korea also uses disinformation to further its geopolitical goals and foment political unrest. While there are fewer documented cases of direct election interference by North Korea, the regime still uses cyber operations to exert political pressure and protect its interests, for example by publishing compromising information about political candidates or spreading propaganda.
Lazarus and North Korea
The United Nations report on Shadow Banking and Organized Crime in Casinos (2024) describes the hacker group Lazarus, also known as APT38, as a notorious Advanced Persistent Threat (APT). The Lazarus hacker group is mostly associated with North Korea. It is regarded as a kind of cyber arm of the North Korean government. Its activities include cyber espionage, data theft, ransomware attacks and other forms of cybercrime. These activities often serve to generate financial gain for the isolated state of North Korea.
This group is best known for its high-profile cyber-financial attacks and cyber-espionage activities. Their operations often involve the use of sophisticated malware and have recently been linked to the theft of billions of dollars in cryptocurrencies.
A particular example of the Lazarus Group’s activities is an incident in the Philippines in which licensed casinos and junket operators played a major role in laundering around $81 million stolen from the Bangladesh Central Bank through a Lazarus Group cyber-attack.
The report also identifies the Lazarus Group as part of a larger trend in which regional money laundering and underground banking networks are shared between cyber fraud operations in the Mekong region, drug traffickers and more sophisticated cyber threat actors such as the Lazarus Group. For example, the report includes information on the link between the North Korean hacking group Lazarus and Southeast Asian drug traffickers.