November 12, 2025 | Policy Brief
North Korea’s Cybercrime Threat Is Growing in Both Size and Sophistication
North Korean hackers have stolen more than $3 billion in the past three years, the U.S. Treasury Department announced on November 4. The department issued sanctions on two North Korean individuals based in their home country and six of their enabling partners based in China and Russia, along with two North Korean banks responsible for enabling some of the Democratic People’s Republic of Korea’s (DPRK’s) ill-gotten gains. The designated individuals processed the results of crypto heists and laundered millions of dollars from the salaries of North Korean IT workers employed by global tech companies, with the proceeds going to finance Pyongyang’s military goals.
North Korea’s Global Cyber Campaigns Fuel Its Military Ambitions
Historically, North Korea has used forced labor to generate millions of dollars for its nuclear and ballistic missile programs. More recently, Pyongyang has relied on its hackers. An October report from the United Nations’ multilateral sanctions monitoring team concluded, “Nearly all the DPRK’s malicious cyber activity, cybercrime, laundering, and IT work is carried out under the supervision, direction, and for the benefit of entities sanctioned by the UN for their role in the DPRK’s unlawful WMD and ballistic missile programs.”
North Korea’s IT workers continue to secure remote IT positions at tech companies, some taking advantage of AI deepfakes to conceal their true identities. The workers send their salaries back to the North Korean regime and sabotage their nominal employers. In September, cybersecurity firm Okta found that North Korea’s current worker scheme “threatens nearly every industry that hires remote talent.”
Treasury’s latest sanctions target North Korean banks and their representatives in China and Russia. The UN report warned that the regime relies on operatives in China, Russia, Argentina, Cambodia, Vietnam, and the United Arab Emirates to launder stolen funds. Treasury has previously sanctioned Russian facilitators of North Korea’s schemes and warned of the “workforce of thousands of highly skilled IT workers globally, primarily located in the People’s Republic of China and Russia” who earn salaries as remote IT workers that are then sent back to fill the Kim regime’s coffers.
Pyongyang’s Growing Capabilities Enable Cyber Exploitation
The UN report further warned that the sophistication of North Korea’s cyber operations is “approaching the cyber programs of those in China and Russia.” Cybersecurity experts with Cisco Talos and Google Threat Intelligence Group have observed North Korean hackers using specialized malware with enhanced remote command and control capabilities. These capabilities help North Korean actors evade law enforcement countermeasures.
The evolution of Pyongyang’s capabilities coincides with the regime’s decision to consolidate its satellite, cyber, and human intelligence capabilities into a unified Reconnaissance Information General Bureau. This restructuring may give a significant boost to Pyongyang’s clandestine cyber operations by offering hackers access to better tools and intelligence assets.
Sanctions Combined With Industry and Diplomatic Engagement Can Protect U.S. Companies
Washington should work with victim companies to better understand the latest tactics North Korean IT workers are using and then share the information publicly so that other companies can develop mitigations. Treasury’s sanctions and other federal efforts to provide the private sector with information about North Korea’s IT worker schemes can help human resource departments avoid getting scammed. Additionally, by working with private sector cybersecurity firms, the federal government can gather and then share more information on how North Korean hackers operate.
Meanwhile, Treasury should expand its sanctions efforts against North Korean individuals and entities based in China and other countries that actively facilitate and operationally support North Korean sanctions-evasion efforts. Washington should also engage diplomatically with foreign nations that host North Korean hackers and money launderers to convince those countries to kick them out. Cutting North Korea off from its external enablers will not only reduce North Korean cybercrime but also shrink the funds available for the regime to support its military machine.
Mathew Ha is an adjunct fellow at the Foundation for Defense of Democracies’ (FDD’s) Center on Cyber and Technology Innovation (CCTI), where Sophie McDowall is a research associate. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.