Policy Deep Dive: North Korean Hacking
N2K, Oct 23, 2025

Policy Deep Dive: North Korean hacking.

In this special policy series, the Caveat team is taking a deep dive into key topic areas that are likely to generate notable conversations and political actions throughout the next administration. This limited monthly series focuses on different policy topic areas to provide you with our analysis of how this issue is currently being addressed, how existing policies may change, and to provide thought-provoking insights. 


For this month's conversation, we’re focusing on North Korea’s hacking. Despite being largely cut off from the world, North Korea is one of the most prolific, innovative, and impactful cyber threat actors in the world. Over the years, North Korea has evaded sanctions and gathered hard currency by targeting financial institutions and digital assets.


To listen to the full conversation, head over to the Caveat Podcast for additional compelling insights. 

Key insights.

  1. Hacking in North Korea. For years, North Korea has been behind some of the most prolific and notorious cyber attacks despite being a nation that is largely cut off from most of the world.
  2. A means to make money. Unlike many nation-state actors, North Korea uses its cyber attacks as a way to support its economy.
  3. The evolution of hacking. As technology has evolved, so have North Korea’s attacks, leveraging cryptocurrency as one of its new tools.

North Korean hacking.

Despite being isolated from most of the world, North Korea is one of the most active and disruptive nation-state cyber actors.

State-sponsored cyber operations are hardly unique to Pyongyang; many nations run offensive programs to steal intelligence, disrupt adversaries, or degrade critical infrastructure. North Korea stands out because, despite its isolation and scarce resources, it has been responsible for some of the most disruptive and notorious cyberattacks of the past two decades.

Crucially, unlike many peer cyber programs that prioritize espionage or military advantage, North Korea also uses hacking as an economic tool, one that helps the nation both raise funds and evade global sanctions.

Thinking Ahead: 

What types of attacks would North Korea aim to execute?

Global cyber attacks.

Over the past two decades, North Korea has been behind some of the largest global cyber incidents.

When evaluating North Korea’s hacking efforts over the past twenty years, numerous high-profile cases have been attributed to the nation. An early high-profile North Korean attack was the 2014 hack of Sony Pictures Entertainment (SPE).

In 2014, North Korean hackers infiltrated SPE’s network, compromising digital operations and accessing sensitive information. While the initial motives behind the attack were unclear, they became obvious once the hackers demanded that SPE halt the release of “The Interview,” a comedy about assassinating North Korea’s leader. The hackers eventually leaked sensitive personal information online and also published unreleased films, with the incident costing SPE an estimated $100 million. After the SPE hack, North Korean hacking shifted from politically motivated attacks to more financially motivated ones.

The next major attack was the 2016 Bangladesh Bank Heist. North Korean hackers infiltrated the Bangladesh Central Bank and attempted to move over $950 million out of the bank’s New York Fed account, nearly its entire balance, via thirty-five transfer requests sent over the SWIFT global payment system.

While the attack ultimately resulted in an $81 million loss, it marked a clear pivot in North Korea’s cyber goals. Rather than targeting nations and companies for political ends or to degrade targets, Pyongyang aimed to transform its cyber operations from tools centered on political coercion into a self-sustaining revenue system.

One year later, North Korea launched one of the most influential and indiscriminate cyber attacks of its time, now known as the WannaCry ransomware attack. WannaCry was a self-propagating ransomware worm that spread using an exploit known as EternalBlue. Through this exploit, the malware infected over 200,000 computers in over 150 countries in under a week, demanding payment in return for restoring system access. Notable victims included FedEx, Honda, Nissan, and the United Kingdom’s National Health Service. While WannaCry generated only around $100,000 in ransom payments, the broader economic disruption it caused is estimated in the billions. The attack showed that North Korea’s cyberattacks could serve both financial and strategic disruption goals.

These high-profile attacks demonstrate both North Korea’s growing technical capabilities and how instrumental its cyber operations have become in sustaining the regime in the face of international sanctions and isolation.

Thinking Ahead: 

What advantages would cyber attacks give North Korea?

Supporting the nation.

Unlike many other nation-states, North Korea uses hacking as a way to support its larger strategic goals.

While the previously mentioned attacks are among the most high-profile ones, they are by no means isolated incidents. North Korean hacking has evolved into a central pillar of the regime’s military strategy. By prioritizing cybercrime and espionage, North Korea compensates for other military shortcomings and remains impactful on the global stage.

In a 2019 United Nations (UN) report, the global body estimated that North Korea generated $2 billion for its weapons of mass destruction programs through cyberattacks. Experts emphasized that North Korea “used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges” alongside laundering stolen money in cyberspace. In this report, experts noted how they were investigating over thirty-five reported incidents where North Korean hackers attacked a financial institution, cryptocurrency exchange, or mining activity across seventeen countries.

A continually growing trend in these financial attacks is North Korea’s attacks on cryptocurrency exchanges. In the report, researchers noted that attacking these targets enabled the nation to access funds that were significantly harder to track, had substantially less government oversight, and were subject to fewer regulations.

One year later, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory further outlining the breadth of North Korea’s illicit activities. The advisory listed the common tactics increasingly employed by North Korea as:

  • Cyber-enabled financial theft: Attacks targeting digital currency exchanges, stealing hundreds of millions in digital currency and laundering the stolen funds. Because laundered funds move through multiple jurisdictions, tracking and seizing them becomes extremely difficult.
  • Extortion campaigns: North Korea has been targeting developing countries by compromising networks and demanding ransoms, and has also taken payment to extort targets on behalf of third parties.
  • Cryptojacking: Compromising a machine and stealing its computing resources to mine digital currencies, with the mined assets then sent to servers in North Korea.

While this list is not exhaustive, it demonstrates the nation’s increasing sophistication and capabilities when targeting the financial sector. A Brookings Institution event on Asian Transnational Threats further highlighted these complexities. 

Brookings featured Seungjoo Kim of the School of Cybersecurity at Korea University, who discussed the technical support behind North Korea’s cyber operations. Kim noted that North Korea employs over 6,000 full-time cyber operatives and support staff tasked with launching daily disinformation, cybercrime, and espionage operations. Stephanie Kleine-Ahlbrandt, a former member of the North Korea Panel of Experts at the UN Security Council, echoed these statements, emphasizing that given the low cost of entry, potentially high yields, and lack of deterrence, North Korea is likely to continue investing in these activities, especially as virtual assets lack effective enforcement and transparency.

Taken as a whole, these insights underscore how North Korea’s offensive cyber efforts have matured into one of the world’s most adaptive and self-sustaining state-sponsored hacking operations. Today, these campaigns are more expansive, technically sophisticated, and integrated with global networks, making Pyongyang one of the most prolific threat actors in cyberspace.

Thinking Ahead: 

What would these attacks look like in today’s world?

The current landscape.

With modern technologies, North Korea has only continued to ramp up its attacks and exploitation efforts.

Currently, North Korea’s hacking efforts remain as impactful as ever. Its operations routinely yield results, as the nation has doubled down on cryptocurrency theft and set records year over year for the funds it is able to steal. Alongside these operations, the regime has developed a highly elaborate “fake IT worker” program that enables it to target organizations, siphon funds, and evade international enforcement measures.

Regarding cryptocurrency heists, North Korea has continued to yield substantial results. To illustrate the importance of these operations, in 2022, North Korea was estimated to have stolen $1.35 billion in total. In 2025, the nation is estimated to have stolen over $2 billion so far. 

The largest amount stolen this year can be attributed to a $1.4 billion heist from the cryptocurrency exchange ByBit. In this heist, the Lazarus Group, the same threat actor behind WannaCry and the SPE attack, executed a supply-chain attack and altered the digital wallet address to which over 400,000 Ethereum (ETH) coins were being sent.

According to LazarusBounty, of the $1.4 billion stolen, roughly 89% or nearly $1.3 billion, has gone dark, meaning that it is unlikely to be recovered, with only 5.5%, or $78 million, remaining traceable.

Elliptic published a report on North Korea’s crypto heists detailing both North Korea’s earnings and how these attacks are evolving. Elliptic noted that hackers are increasingly targeting high-net-worth individuals and people associated with businesses holding large amounts of crypto, attempting to exploit human weaknesses. Elliptic observed that in 2025, “the majority of the hacks…have been perpetrated through social engineering attacks…to gain access to cryptocurrency.” Additionally, Elliptic noted that North Korea’s money laundering schemes have become increasingly complex, using new strategies. These strategies included:

  • Exploiting “refund addresses” features to send money to new wallets.
  • Using obscure blockchains with limited coverage.
  • Using multiple rounds of mixing and cross-chain transactions.

Beyond large-scale cryptocurrency heists, Pyongyang has also turned to employment-based schemes that exploit an organization’s trust.

Alongside these crypto heists, North Korea has also begun to run “fake IT worker” scams. According to the US Department of Justice (DOJ), these schemes begin with a North Korean national fraudulently obtaining employment within a company by posing as a remote IT worker. While some of these workers send portions of their paychecks to the regime, others have been found stealing data or hacking their employers for ransom. According to the UN, these covert IT workers generate $250-$600 million annually for the nation.

Axios examined these scams in more detail. Michael Barnhart, principal investigator at DTEX Systems, told Axios that these workers “have been stealing intellectual property and then working on the projects themselves.” Furthermore, DTEX research found that some of the more sophisticated IT worker scams coordinated with state-sponsored hacking groups to support their operations and to assist with money laundering efforts.

These various attacks represent only a small portion of North Korea’s cyber capabilities. North Korea has continued to evolve its attacks, growing more sophisticated and impactful each year. 

Thinking Ahead: 

How could these attacks continue to evolve?

Managing the situation.

Given North Korea’s motives, a different approach is needed to handle its hacking.

Over the past two decades, North Korea has evolved into one of the most innovative, successful, and dynamic threat actors on the global stage. The nation’s operations combine traditional espionage with technological attacks that utilize ransomware and social engineering to generate significant revenue streams. 

Given how profitable these cyber operations are, it is likely that North Korea will only continue investing in these efforts to further develop its technical capabilities and create new exploitation methods.

For governments, businesses, and security professionals alike, understanding the full scope of North Korea’s operations is critical. Recognizing how these attacks function, exploit human weaknesses, and continuously adapt is key to standing up effective cybersecurity measures. Ultimately, North Korea’s sustained success in cyberspace demonstrates that existing international responses remain insufficient. To counter this threat, nations will need to develop more coordinated and innovative solutions.

Thinking Ahead: 

How can nations minimize the impacts of these attacks?