North Korea’s nuclear weapons and missiles pose a direct military threat to the United States and its allies. Pyongyang has long threatened to use its nuclear weapons in pre-emptive attacks and vowed never to abandon its “trusted shield” and “treasured sword” in negotiations.
Similarly, Pyongyang’s cyberattack capabilities pose a multi-faceted threat to international security since the regime has successfully penetrated and inflicted damage on military, government, media, and infrastructure computer networks. North Korea could inflict devastating damage during a crisis by simultaneously targeting the military, financial, and infrastructure sectors of one or several countries. Kim Jong-un declared that cyber warfare is a “magic weapon” and an “all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capability.”
North Korea is in the top tier of global cyber threats and is unique amongst cyber-capable nations in prioritizing cybercrimes to circumvent international sanctions and finance its nuclear and missile programs. Pyongyang modified its strategy as other countries’ financial cyber defenses improved, shifting from cyberattacks on traditional financial institutions to cryptocurrency providers, then to decentralized finance (DeFi) platforms, which are more vulnerable to hacking. Regime tactics continue to evolve in response to enhanced protections and new technologies.
Despite growing awareness and actions against North Korean financial cybercrimes, the regime continues to score major thefts against an array of victims. Pyongyang’s sophisticated cybercrimes pose a threat to the international financial system, undermine United Nations and U.S. sanctions, and enable the regime to augment its nuclear threat against the United States and its allies.
The United States must take the lead in working with foreign governments and the private sector to augment cyber defenses and respond more forcefully to North Korean cyberattacks. Washington should increase enforcement of existing laws and implement necessary additional legislation and regulatory measures.
North Korea’s Cyber Capabilities Pose Grave Threat to U.S. and Allies
Despite North Korea’s reputation as a technically backwards nation, U.S. officials have long warned of the regime’s cyberattack prowess, citing it as one of the top four cyber threats in the world.
In February 2023, the Director of National Intelligence assessed that North Korea’s cyber program posed a “sophisticated and agile espionage, cybercrime, and attack threat [which is] fully capable of achieving a range of strategic objectives against…a wide target set in the United States.” U.S. Cybersecurity and Digital Policy Ambassador Nathaniel Fick declared that North Korea’s cyber activities pose a “grave threat” to international peace and security. North Korean hackers were estimated to account for more than 50 percent of the total global losses arising from cryptocurrency hacks.
North Korea has developed a comprehensive program to train thousands of cyberwarriors. While most toil covertly, North Korean university students have demonstrated that they are among the best in the world. North Korean contestants from the Kim Chaek University of Technology and Kim Il-sung University swept the top four prizes in a May 2023 online computer program coding contest of 1,700 contestants hosted by U.S. IT company HackerEarth. In 2020, North Korean students won the CodeChef online coding contests for six months running in a competition of 30,000 university students from around the world.
New Tools for an Old Strategy. The North Korean regime has a long history of using criminal activities to acquire money. Earlier criminal enterprises included counterfeiting of currencies, pharmaceutical drugs, and cigarettes; production and trafficking of illicit drugs, including opium and methamphetamines; trafficking in endangered species products; and insurance fraud.
Cybercrimes enable the North Korean regime to gain currency and evade international sanctions in more efficient, cost-effective, and lucrative ways than past illicit activities and more recent smuggling and ship-to-ship transfers of oil. The regime’s cybercrimes are global in scope, provide astronomical returns on investment, and are low risk since they are difficult to detect and attribute, with little likelihood of international retribution.
In 2015, North Korea began cyber robberies to gain revenue for the beleaguered, heavily sanctioned regime. Pyongyang began with attacks against traditional financial institutions such as banks, fraudulent forced interbank transfers, and automated teller machine (ATM) thefts. The most famous of these was North Korea’s successful theft of $81 million from the Central Bank of Bangladesh’s New York Federal Reserve account. An attempt to steal an additional $851 million was thwarted by an alert bank officer who noticed a typographical error.
After the international community increased cyber protections, Pyongyang shifted to targeting cryptocurrency exchanges, which proved to be far more lucrative. By 2020, North Korean “attacks against virtual currency exchange houses [had] produced more illicit proceeds than attacks against financial institutions.” North Korea has now switched almost 100 percent of its operations to cryptocurrency-related hacks.
North Korea is unique amongst nations with cyberattack capabilities because it devotes so much of its efforts to generating illicit crypto revenue and evading sanctions. Other nations focus their offensive operations on espionage, sabotage, and disinformation campaigns. Pyongyang continues operations in all those categories but, according to the Harvard Kennedy School’s 2020 Cyber Power Index, “North Korea was the only country observed pursuing wealth generation via illegal cyber means.”
Assessing the North Korean Cybercrimes Threat
As with any criminal activity, it is difficult to assess conclusively how much North Korea has gained from its cybercrime operations. Governments, financial institutions, and law enforcement agencies may be unaware of some cybercrimes or unable to determine the perpetrator. Pyongyang may have been unable to convert all its stolen cryptocurrency into traditional currency. Cyber security firm Chainalysis identified $170 million in yet-to-be-laundered funds linked to 49 separate hacks by North Korea from 2017 to 2021.
Even with fully executed cybercrimes, North Korean hackers are unlikely to have converted crypto to cash at full value, instead having to accept a lower percentage because brokers will take a cut of the profits. Governments and cybersecurity firms have been able to claw back some stolen cryptocurrency from North Korea by gaining access to the North Korean cyber accounts before the hackers cashed out the cryptocurrency. For example, North Korea hackers stole $275 million from the KuCoin currency exchange in 2020, and KuCoin’s CEO stated that the exchange recovered $204 million of the stolen funds.
North Korean cybercrimes likely also suffered from the global downturn in cryptocurrency markets. The $170 million that Pyongyang stole from 2017 to 2021 but had not cashed out would have decreased in value to $65 million by 2022. The $625 million stolen in 2022 from the Ronin Network would have devalued to about $250 million.
Despite these uncertainties, North Korea’s cybercrimes have proven a boon for the regime—and if nothing else the expansion of this activity suggests that it is working. In October 2022, Secretary of Homeland Security Alejandro Mayorkas stated that “in the last two years alone, North Korea has largely funded its weapons of mass destruction programs through cyber heists of cryptocurrencies and hard currencies.” In May 2023, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger estimated that approximately half of North Korea’s missile program has been funded through cyberattacks and cryptocurrency theft.
In 2019, the U.N. Panel of Experts estimated that North Korea had cumulatively gained $2 billion from cybercrime to fund its weapons of mass destruction programs. In 2020, 2021, and 2022, North Korea is estimated to have stolen at least $316 million, $400 million, and $1.7 billion worth of cryptocurrency, respectively.
Major North Korean crypto heists include:
- 2018: $532 million stolen from Japanese firm Coincheck.
- 2018: Nearly $250 million worth of digital currency stolen from an undisclosed digital currency exchange.
- 2020: $275 million stolen from South Korean KuCoin currency exchange. (The company’s CEO declared that the exchange has recovered $204 million of the stolen funds.)
- 2022: $620 million stolen by penetrating the Ronin Network, which supports Axie Infinity, a crypto token–based online video game that enables its 2.5 million participants to accumulate cryptocurrency. This was the largest crypto heist in the world to date.
- 2022: $100 million in cryptocurrency stolen from Harmony’s Horizon Bridge blockchain bridge service that allows users to transfer cryptocurrency across different blockchains.
- 2023: An estimated $100 million in cybercurrency stolen from Atomic Wallet, a cryptocurrency wallet provider; $60 million stolen from Alphapo, a crypto payment provider; and $37 million stolen from CoinsPaid, a crypto payment platform.
For context: North Korea’s total gross domestic product in 2019 was $29 billion. In 2022, Pyongyang’s total legitimate international trade was $1.59 billion, less than its gains that year from cybercrimes.
The North Korean cyber threat is increasing and evolving. The South Korean National Intelligence Service assessed that 1.37 million daily cyberattacks took place in South Korea during the first half of 2023, more than double the previous six months. North Korea was assessed as responsible for 70 percent of those attacks, followed by China with 4 percent, and Russia with 2 percent. The Mandiant cybersecurity firm tracked more than 10 million non-fungible token–related phishing scams successfully delivered to cryptocurrency users since 2022 and determined that most of those were linked to North Korea.
North Korea has started attacking the global cryptocurrency supply chain. Whereas Pyongyang had previously targeted crypto companies one at a time, it now seeks to compromise software or service providers to gain access or digital currencies from users downstream.
The South Korean National Police Agency declared that North Korea targeted as many as 10 million users across 61 organizations that had downloaded a banking security application. The North Korean hackers altered software by Initec, a major financial security provider, then created a “watering hole attack” by infecting websites that users downloading that software would likely visit. Doing so triggered malware to be loaded onto their computers.
North Korea also penetrated JumpCloud, an American IT management company, to gain access to its cryptocurrency company clients.
North Korean hackers have targeted investment banking and venture capital firms in the U.S, Japan, and Vietnam to gain access to the firms’ computers and customer information. Pyongyang has also impersonated venture capital firms in Japan, the U.S., and other countries to then target start-up companies with phishing e-mails or watering hole attacks.
North Korea’s Other Cyber Cash Cow: Overseas IT Workers
U.N. Security Council Resolution 2397 (adopted in December 2017) required U.N. member states to repatriate all North Korean workers within their borders by December 2019. Despite this edict, thousands of highly skilled North Korean information technology workers currently operate in Belarus, China, Malaysia, the Philippines, Russia, and Singapore. The North Koreans use false foreign identities to fraudulently gain employment as freelance computer engineers with technology and virtual currency companies located in Asia, Europe, and North America.
Some North Korean IT workers can each earn more than $300,000 per year with 90 percent of the wages going to the regime. Overall, the program generates hundreds of millions of dollars annually for the regime to fund its nuclear and missile programs.
Most of the North Korean IT workers are likely engaged in non-hacking computer activity in sectors including software development, business, health and fitness, social networking, entertainment, and lifestyle. They have often been involved in virtual currency companies that enable them to launder illicitly obtained funds back to North Korea.
Some North Korean workers, however, have engaged in malicious cyber activities by utilizing their access through foreign companies where they are employed. The South Korean government identified that a significant percentage of the North Korean IT workers are subordinate to entities that have been designated for sanctions under U.N. Security Council resolutions, such as the Munitions Industry Department and Ministry of National Defense.
U.S. and South Korean Responses to North Korean Cybercrimes
North Korea has scored numerous cybercrime successes providing billions of dollars in illicit gains to fund the regime’s nuclear and missile programs. However, in recent years Washington and Seoul have both stepped up law enforcement measures to combat North Korea’s cyberattack strategies.
The inauguration of South Korean President Yoon Suk Yeol has been particularly noteworthy for rejecting his predecessor’s practice of overlooking North Korean transgressions and instead upholding laws, as well as working more closely with the United States and the international community. Under the Yoon administration, South Korea issued its first independent sanctions targeting North Korean cyber activities and was the first country to sanction North Korean hacking group Kimsuky.
What Washington Should Do
In order to crack down on North Korean cybercrime, Washington should:
Enhance Engagement with International Partners. The U.S. should expand coordination with foreign governments, law enforcement agencies, and financial regulatory agencies at the national level and, through them, regional and domestic partners. Washington should take the lead in engaging with foreign financial institutions and businesses to disseminate information on North Korean cyber hacking and money-laundering tactics, techniques, and procedures as well as eliciting information on cyberattack or suspicious activities.
The U.S. should utilize the Quad (Australia, India, Japan, and the United States) Senior Cyber Group to engage with other Indo–Pacific nations, especially South Korea, to coordinate enhanced cyber defenses. At its February 2023 meeting, the Senior Cyber Group committed to greater sharing of information and technology with regional partners to strengthen preventive measures against malicious cyberattacks and improve response capabilities.
Sanction Any Entities Assisting North Korean Cybercrimes. Washington should make sure that financial entities fully comply with existing regulations, including those that apply to cryptocurrency, or risk losing their access to the SWIFT financial transaction network or ability to maintain correspondent accounts in the U.S. financial system. The Departments of the Treasury and Justice should target banks, financial institutions, and front companies that are used to launder money stolen by North Korea. Successive U.S. Administrations have inexplicably refrained from imposing sanctions on Chinese banks for laundering North Korean illicit funds.
The United States should apply secondary sanctions on any entity supporting North Korean cybercrimes and malicious cyber activity, including providing technology, equipment, training, and safe haven to North Korean hackers. Washington could thus pressure China and other nations to dismantle North Korean hacking networks on their soil.
Similarly, Internet service providers and telecommunications companies should be required to exercise due diligence against cybercrime. Those that do not should also lose their protections against civil liability.
Target North Korean Overseas IT Workers. U.N. Resolution 2397 required the expulsion of all North Korean workers on foreign soil by December 2019. The U.S. should request countries to eject or extradite North Korean workers, particularly those engaged in IT work, to reduce a substantial source of illicit funding for the regime’s nuclear and missile programs. Failure to do so could lead to sanctions against government agencies, companies, or individuals or termination of U.S. Department of Commerce technology export licenses of nations.
The U.S. should also urge companies to conduct more rigorous identification checks and stringent authentication measures to prevent inadvertent hiring of North Korean IT workers as independent contractors.
Support Third-Party Civil Suits Against Enablers of Cyberattacks. Congress should enact a limited exception to the Foreign Sovereign Immunities Act to facilitate civil suits against foreign states that have repeatedly sponsored or facilitated cyberattacks against U.S. critical infrastructure. This exception should not waive foreign sovereign immunity for state-directed espionage against the U.S. government, but only with respect to state-sponsored cyberattacks intended to cause commercial harm, property damage, personal injury, an invasion of privacy against a private person, or any change in the conduct of a private person.
Similarly, Congress should enact a limited waiver of nonliability provisions, such as section 230 of the Communications Decency Act, allowing the recovery of civil damages against any person or entity that willfully or negligently facilitates a cyberattack against a U.S. person or U.S. critical infrastructure. Private actors should be allowed to sue state-sponsored hackers to obtain civil judgments against hackers and their state sponsors for cyberattacks on U.S. critical infrastructure. An additional measure would be to allow recovery from the assets of third-party enablers, such as the Chinese bankers that are laundering North Korea’s stolen cryptocurrency.
Enhance Cyber Administrative Enforcement Authority. The FBI, U.S. Immigration and Customs Enforcement, and the Justice Department often disrupt cyber threats by filing ex parte injunctive suits and obtaining orders from federal district courts to seize the domains and servers that constitute hackers’ command and control (C2) infrastructure, including domains, botnets, and malicious code. Currently, no federal agency has the authority to forfeit hackers’ C2 infrastructure administratively. The U.S. should work with other nations to provide similar enforcement overseas.
Congress could grant an appropriate federal agency administrative forfeiture authority to seize and forfeit hackers’ C2 infrastructure and other proceeds or facilitating property which would reduce demand on limited judicial and prosecutorial resources and expedite the government’s response. The legislation would be similar to existing laws prohibiting material support to terrorists, such as 18 U.S. Code §§ A, B, and C.
Congress should consider giving an appropriate federal agency civil penalty authority, against facilitators that knowingly or negligently facilitate malicious cyberattacks that may be traceable to states that have repeatedly sponsored cyberattacks against U.S. persons or U.S. critical infrastructure. Such authority would be analogous to the Treasury Department’s penalty authority against banks that facilitate money laundering by failing to comply with their know-your-customer obligations.
North Korean cyber operations are a strategic threat to the United States, its partners, and the licit international financial network. Pyongyang’s cybercrimes provide a means for North Korean cyber hackers to circumvent sanctions and undermine international measures to curtail the regime’s prohibited nuclear and missile programs.
The United States, in conjunction with foreign governments and the private sector, needs to augment cyber defenses and respond more forcefully to attacks. Failure to do so enables North Korea to continue undermining the effectiveness of international sanctions and leaves the United States and its partners exposed to a potentially devastating cyberattack in the future.
Bruce Klingner is Senior Research Fellow in the Asian Studies Center at The Heritage Foundation.
Compendium of Recent U.S. and South Korean Law Enforcement Actions Against North Korean Cyber Threats
This appendix provides an update to a 2021 Special Report by the author.
February 2021. The U.S. indicted three North Korean hackers for participating in a
wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform.
Washington also charged a Canadian–American citizen with engaging in several money-laundering operations for North Korea.
April 2022. A U.S. court sentenced Virgil Griffith, an American cryptocurrency expert, to 63 months in prison for making an unauthorized trip to North Korea to teach North Koreans how to use cryptocurrency and blockchain technology to launder money and evade U.S. sanctions.
May 2022. The U.S. issued its first sanctions against a virtual currency mixer. Washington cited the firm Blender for providing support to North Korean malicious cyber activities and money laundering of stolen virtual currency. Blender had more than $20.5 million of the $620 million stolen from the Ronin Network by North Korea hackers.
July 2022. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury released a joint cybersecurity advisory to highlight North Korean hackers infecting U.S. hospital computer systems with ransomware to freeze company files until a payment was made.
August 2022. The Department of the Treasury sanctioned virtual currency mixer Tornado Cash for laundering more than $7 billion worth of virtual currency since its creation in 2019. The company laundered $455 million stolen by the North Korean Lazarus Group, $96 million from the June 2022 Harmony Bridge Heist, and at least $7.8 million from the August 2, 2022, Nomad Heist.
September 2022. The Department of Justice and the FBI announced the recovery of more than half a million dollars in ransom payments from disrupting North Korean ransomware operations targeting U.S. medical facilities.
September 2022. The FBI and cryptosecurity companies were able to seize more than $30 million worth of cryptocurrency stolen from the Ronin Network by North Korea–linked hackers.
March 2023. U.S. and European authorities sanctioned cryptocurrency platform ChipMixer for laundering more than $3 billion of criminal proceeds, including $700 million stolen by North Korean hackers from the Ronin Network and Harmony technology company.
April 2023. The U.S. charged a North Korean Foreign Trade Bank representative for cryptocurrency money-laundering conspiracies on behalf of North Korea. The representative used stolen funds from virtual currency exchange hacks to make payments in U.S. dollars to buy goods for North Korea. He also conspired with North Korean IT workers to generate and launder revenue from illegal employment at blockchain development companies in the United States.
April 2023. The U.S. Department of the Treasury’s Office of Foreign Assets Control sanctioned three individuals operating in China for facilitating North Korean cryptocurrency money laundering used to fund weapons of mass destruction and missile programs.
May 2023. The Treasury Department sanctioned four entities and one individual linked to North Korean hacking and IT scams. The U.S. designated Pyongyang University of Automation for providing training for Reconnaissance General Bureau (RGB) intelligence assets, along with two other RGB-controlled operation centers (the Technical Reconnaissance Bureau and the 110th Research Center) conducting offensive cyber operations. The Treasury Department also sanctioned Chinyong Information Technology Cooperation Company and Kim Sang Man for assisting North Korean IT workers in falsifying identities to work overseas in defiance of a U.N. resolution.
South Korean Actions
February 2023. South Korea sanctioned seven North Korean entities and four individuals that raised funds for the regime’s nuclear and missile programs. These were Seoul’s first independent sanctions targeting North Korean cyber activities. The entities were the Chosun Expo Joint Venture, Lazarus Group, Bluenoroff, Andariel, the RGB’s Technology Reconnaissance Team, the Unit 110 hacking group, and the Pyongyang University of Automation.
June 2023. South Korea sanctioned North Korean hacking group Kimsuky, the first government to do so. As of June 2023, the South Korean government had sanctioned 43 individuals and 45 organizations linked to North Korea’s illicit cyber activities.
Coordinated U.S.–South Korean Actions
May 2022 Summit in South Korea. Presidents Yoon and Biden committed to “significantly” expanding bilateral cooperation to confront North Korean cyber threats and to reinforce alliance deterrence against the North’s destabilizing activities.
August 2022. The U.S. and South Korea agreed to upgrade cyber cooperation and regularize combined cyber exercises. South Korea’s Cyber Operations Command and the U.S. Cyber Command signed a memorandum of understanding on “cooperation and development in cyberspace operations.”
October 2022. South Korea participated in the U.S.-led Cyber Flag multinational cyber exercise for the first time and agreed to regularly participate.
April 2023 Summit in Washington. Presidents Yoon and Biden established a bilateral Strategic Cybersecurity Cooperation Framework to “expand cooperation on deterring cyber adversaries, increase the cybersecurity of critical infrastructure, combat cybercrime, and secure cryptocurrency and blockchain applications.” The two leaders committed to expanding information sharing to combat North Korean cyber threats and block its cyber-enabled revenue generation.
April 2023. The U.S. and South Korea simultaneously sanctioned Sim Hyon-sop, a North Korean banking official, for financing the regime’s nuclear and missile programs through illegal cyber activities. Sim also laundered millions of dollars, including cryptocurrency, earned by North Korean IT workers illegally working overseas using false identities.
May 2023. South Korea and the U.S. jointly announced sanctions on seven North Koreans and three organizations responsible for overseeing North Korean IT workers illegally earning and laundering money overseas.
June 2023. The U.S. and South Korea created the first joint cybersecurity guidance to link South Korea’s Allied Korea Joint Command and Control System and the U.S. Combined Enterprise Regional Information Exchange System–Korea. The guidance will establish cybersecurity standards and procedures.