---
title: "North Korean Hackers: From Sony Pictures to Billion-Dollar Heists"
description: "Almost exactly a decade ago, North Korea made global headlines for hacking into the computer systems of Sony Pictures in retaliation for a Seth Rogen comedy that mocked Kim Jong-Un. The incident seemed weird and ridiculous at the time, yet it carried a faint whiff of menace that few took seriously. Beyond the memes it inspired, however, the Sony Pictures hack was a warning that the threat from Pyongyang was only growing—particularly regarding cyber capabilities. Fast forward to today, and North Korean hackers are no longer a punchline. The last decade has seen their techniques grow in sophistication to the point where the DPRK has become the prime suspect in everything from billion-dollar bank heists to the stealing of nuclear secrets. According to experts, the threat is likely to only get worse.\n\n## Key Takeaways\n\n- North Korea has evolved from the 2014 Sony Pictures hack into a sophisticated cyber threat, now suspected in billion-dollar heists and theft of nuclear secrets.\n- Despite having minimal electricity and less than 1% internet access among citizens, the DPRK has produced some of Earth's most successful cyber espionage teams through elite recruitment of mathematical prodigies.\n- The Reconnaissance General Bureau (RGB) and its sub-groups like Lazarus and Kimsuky are responsible for most attacks, with 72% of known DPRK hacks targeting data theft rather than financial gain.\n- North Korea stole over $3 billion in cryptocurrency between 2019-2024, exceeding the country's annual foreign trade volume since 2019.\n- The regime operates below the retaliation threshold deliberately, conducting cyber operations that are damaging but not severe enough to justify military response against a nuclear-armed state.\n- North Korea targets even its allies Russia and China for military technology secrets, demonstrating its willingness to hack any nation for critical information.\n\n## Stealing Secrets: The Paradox of North Korean Cyber 
Capabilities\n\nNorth Korea exists in a near-permanent blackout, a nation so poor that electricity is almost unheard of outside the capital, Pyongyang. Satellite imagery traveling over the Hermit Kingdom at night sees almost nothing—while South Korea and China glow with the light of cities clustered like distant stars, North Korea remains dark and silent, appearing stuck in the pre-modern era.\n\nThe statistics on internet usage bear out this technological backwardness. In 2021, the New Yorker noted that fewer than one percent of the DPRK's citizens have access to the internet. The country's digital infrastructure is so weak that in early 2022, one individual in Florida managed to knock the entire nation offline for days between trips to the fridge for beer and snacks. This is just about the least technologically-adept nation imaginable—a place where even a time traveler from the late-Victorian era would find it backwards.\n\nYet North Korea's general lack of electricity and internet disguises one weird, counterintuitive fact: in recent years, the DPRK has produced some of the most successful cyber espionage teams on Earth. One interviewee in the New Yorker article compared the idea of DPRK hackers to Jamaica producing a world class bobsleigh team. Foreign Policy summarized the contradictions, noting that North Korea \"is at once a closed-off communist autocracy that is cash-strapped, impoverished, and more isolated than ever before, while also being tech savvy, entrepreneurial, and ruthlessly adept at trawling the web to loot, steal, and—most importantly of all—find ways to advance its nuclear weapons program.\"\n\nThis paradox has become such a problem that intelligence agencies are sounding warning alarms. In July of this year, South Korea, the UK, and US issued a joint alert about DPRK hackers targeting military and nuclear secrets. 
According to the BBC's report, the hacker group has been seeking information in a wide range of areas—from uranium processing to tanks, submarines and torpedoes—and has targeted the UK, US, South Korea, Japan, India and elsewhere.\n\nThe operations trace back to one primary entity: the RGB, or Reconnaissance General Bureau. The RGB is responsible for some of the most high-profile North Korean cybercrimes, including the Sony Pictures hack and the stealing of cryptocurrency from major exchanges. According to Foreign Policy, the RGB unit responsible for cyber is further broken into sub-groups. While hackers from Lazarus tend to target global entities, a lesser-known division called Kimsuky focuses on hacking Asian governments.\n\nThese aren't the only entities involved. While the RGB is behind most attacks that appear in the news, a whole separate division of hackers operates under the wing of the General Staff Department of the military. Known as the Enemy Collapse Sabotage Bureau, they focus on psychological warfare.\n\nBroadly, most North Korean hackers are after one of two things: money or information. The financial crimes tend to be flashier and get more media attention—such as the Bank of Bangladesh hack that nearly cost the country a billion dollars in 2016. Spectacular heists such as this, along with the regular plundering of cryptocurrency, appear to be ways of quickly raising the foreign currency the regime needs to keep its nuclear program ticking over.\n\nYet financial hacks are rarer than many realize. An analysis by cyber-security company Recorded Future found that financial motivation was behind just 24 percent of known DPRK hacks. An even smaller percentage were motivated by the desire to disrupt life in an enemy nation. By contrast, nearly 72 percent of hacks were attempts to steal data.\n\nIn most cases, the data targeted is information linked to military technologies. 
A recent piece in the New York Times concluded that DPRK hackers had targeted not only South Korea and Taiwan in recent years, but also China. Among the data stolen were \"technical and design information about military weapons and vehicles, such as tanks, fighter jets, rockets and torpedoes.\" Other times, the intruders seemed to be hunting for information on Western war planning, although most of Pyongyang's efforts seem focused on Asia.\n\nWhile North Korean operations have been recorded in 150 countries worldwide, nearly two thirds of all known DPRK cyber-attacks targeted South Korea. Less than a tenth targeted the USA. Most of the rest targeted a semi-random smattering of Asian nations. Still, this doesn't mean those living outside Asia can simply shrug and forget about it—Pyongyang's offensive cyber capabilities are only growing, and there are worrying signs that certain nations are facilitating its rise.\n\n## Dark History: The Evolution of North Korea's Cyber Warfare Program\n\nIn the more desirable districts of Pyongyang, one might pass the home of a successful hacker. Aside from those in the military's upper echelons, regime-sponsored cyber criminals are among the few North Koreans who might be deemed worthy of having a comfortable home and a decent car. In the DPRK, such items are an obscene luxury. Most citizens of Pyongyang—where, remember, only elites are allowed to live—can't afford regular meals. During the food crisis of 2023, there were reports of city residents starving to death in their apartments.\n\nBy DPRK standards, the rewards available to hackers are enormous. As well as owning homes and cars and getting fed, they might even be allowed to travel abroad to China—an extreme rarity for a nation that almost never lets its citizens leave. Yet becoming a hacker is not a career path open to most. 
In their long 2021 article on the subject, the New Yorker explained that there are only about 7,000 people in the DPRK's various cybercrime units out of a total population of 26 million.\n\nAll of them are former child prodigies who stood out at a young age for being especially good at mathematics. Sent to specialized high schools that allowed them to use computers, they were then recruited into one of two universities in Pyongyang that specialize in advanced coding. After that, the absolute best stayed on in Pyongyang, while the less-good were likely among those sent to outposts in China to carry out low-level cybercrimes.\n\nThere's considerable suspicion that Beijing is well aware of what the RGB is up to and may even be facilitating it. Similar suspicion falls on Russia. Yet even if Beijing and Moscow are helping Pyongyang carry out its cybercrimes, it's unlikely that this is the worst North Korean behavior they've witnessed. After all, the DPRK has been involved in all sorts of illicit activity since the moment of its creation.\n\nThe Economist recently covered some of the activities Pyongyang has dabbled in over the years: smuggling, counterfeiting, and even cooking and selling crystal meth, like a nation of Walter Whites. Things got worse in the 1990s when the Soviet Union collapsed and Pyongyang lost its source of cheap imports. As sanctions were placed on the North Korean economy, the Kim family turned to increasingly desperate schemes to get hold of foreign currency.\n\nIt was around this time that the regime started to show an interest in cyber, initially for military purposes. Kim Jong-Il had watched the US utilize electronic warfare during the Gulf War to jam Iraqi radar systems and wanted a piece of that action. 
Yet it would only be with the rise to power of his son, Kim Jong-Un, in 2011 that North Korea went all in on its cyber capabilities.\n\nBecause he's seen as such a comical figure in the West, it can be easy to forget that Kim Jong-Un received an expensive education. When studying in Switzerland, he's known to have taken computer science classes. While no one is claiming he's some sort of mathematical genius, those lectures clearly left an impression. As the Economist writes, Kim \"significantly expand(ed) the country's cyber-warfare capabilities after he assumed power in 2011.\"\n\nBy 2012, the dear leader was talking about cyber as being on the same level as the country's nuclear weapons program, as part of the \"all-purpose sword\" that could be used to strike anywhere. At the time, anyone outside the country who heard this probably just smirked—how was a nation with barely any electricity going to compete with advanced nations like South Korea and the US in the cyber domain? But even in 2012, the DPRK was already starting to grow proficient at hacking, and the next few years would demonstrate its prowess to the entire world.\n\n## Offensive Capabilities: From Sony Pictures to Billion-Dollar Heists\n\nFor most ordinary people, the Sony Pictures hack would be the first time they heard of North Korea's cyber capabilities. Taking place in November of 2014, the attack saw the company taken offline for days on end, internal company emails splashed across the internet, and scripts and footage from major upcoming movies made public. So embarrassing was some of the leaked content that powerful people at Sony lost their jobs. Really, though, the Sony Pictures hack was relatively small-fry stuff—a public revenge attack conducted by a regime angered about a movie depicting its dear leader in an unflattering light.\n\nIn terms of sheer scale and audacity, it would be 2016, rather than 2014, that saw North Korea's cyber-attacks go supernova. 
The reason why the regime began to lean so heavily on hacking from 2016 on is still the subject of some debate. It could be that new sanctions introduced that year following a nuclear test made Pyongyang even more desperate for foreign currency. It could also be that North Korea's capabilities only really matured that year, allowing them to pull off bigger attacks.\n\nWhat's not up for debate is that 2016 saw a spike in cybercrime linked to the DPRK that hasn't really abated since. And it began with two major hacks: one financial, one targeting data. Arguably, the one targeting data was the more destructive, since it saw over 200 gigabytes stolen from South Korea's military. This included top secret material like Operational Plan 5015, which detailed how Seoul would try to decapitate North Korea's leadership in the opening hours of a war.\n\nIn terms of publicity, though, it was the financial hack that got the world's attention. Targeting Bangladesh's national bank, the heist came close to costing the country a billion dollars. That we can use the word \"close\" in that sentence is purely down to blind luck. The hackers filed thirty-five fake transactions that would've dispatched a billion dollars to different banks in Asia, from which the money would've quickly been withdrawn and then laundered through Philippine casinos.\n\nFortunately for Bangladesh, one of those banks was located on Jupiter Street in Manila. Since \"Jupiter\" is also the name of a sanctioned Iranian shipping firm, the word triggered anti-fraud checks—at which point the world discovered the massive heist underway. In the end, that absurd coincidence saved over $900 million from vanishing into North Korean pockets. Yet despite its failure, Pyongyang still made off from the heist with over $80 million.\n\nMore importantly, the heist revealed growing North Korean capabilities. It was a complex piece of work, requiring imagination and a whole lot of patience. 
And it showed the regime's ability to go after big money. Just three years later, the UN would estimate that Pyongyang had stolen over two billion dollars across the decade.\n\nNor was stealing all the regime's hackers did. In the years between the attack on Bangladesh Bank and the UN report, North Korea also launched the massive ransomware attack known as WannaCry. That incident saw targets as varied as Britain's National Health Service, the Taiwan Semiconductor Manufacturing Company, and a Boeing plant in South Carolina get knocked offline, before a 22-year-old malware expert found the virus's kill switch and stopped its spread.\n\nReally, though, it was only after 2019 that North Korea's cyber schemes became particularly lucrative, thanks to the rise of cryptocurrencies. While Bitcoin had made news over the 2010s, it was really only with the onset of the pandemic that cryptocurrencies hit the mainstream—as more and more people trapped at home in uncertain times tried to turn a quick buck. This is the era when Bitcoin hit what was then its absolute peak, when memecoins like Dogecoin briefly became hugely valuable.\n\nIt was also the era when North Korea became adept at breaking into crypto exchanges and emptying out the wallets where all their customers' coins were held. Earlier this year, the Lawfare blog estimated that the regime stole over $3 billion in crypto between 2019 and early 2024. As the author notes: \"For perspective, North Korea's annual foreign trade volume—long its chief source of hard currency—has not surpassed that figure since 2019.\"\n\nOf course, stealing money from crypto exchanges is one thing. Were that all North Korea was doing, it probably wouldn't warrant such concern. But as mentioned earlier, Pyongyang's ambitions go way beyond stealing cryptocurrency. Back in 2022, Reuters reports that the Kim regime stole over 17 gigabytes of data from NASA. Today, the DPRK is targeting nuclear secrets and information on advanced weapons. 
Clearly, this is serious stuff, raising an important question: is there anything the rest of the world can do about it?\n\n## Repercussions: The Challenge of Responding to North Korean Cyber Threats\n\nEven among pariah states, North Korea is exceptionally friendless. China props it up because it's convenient for Beijing to have a buffer between their border and US-aligned South Korea. Russia sells Kim advanced technology, but only because Vladimir Putin is desperate for munitions to use in his war against Ukraine. Aside from that, Pyongyang is pretty much the weird kid no one talks to, beyond occasional outreach by states like Iran.\n\nYet despite having maybe only two friends in all the world, North Korea hasn't made an exception for either of them where hacking is concerned. In recent years, both China and Russia have been targeted by the RGB. In the case of Russia, hackers broke into the computers of a major missile manufacturer in 2022 and spent five months with access before they were discovered. Nor was this a one-off. Record Media reports that in 2023, \"the majority of state-sponsored cyberattacks against Russia originated from North Korea and China.\"\n\nParticularly active are thought to be the Lazarus group, who were still inside various Russian systems as late as November of 2023. Given Russia is one of North Korea's few allies, the fact that Pyongyang is trying to steal data on their missiles does not bode well for restraining Kim's cyber capabilities. As Reuters put it: \"Experts say the incident shows how the isolated country will even target its allies, such as Russia, in a bid to acquire critical technologies.\"\n\nYet even if a country wanted to push back against Pyongyang's espionage, it would be hard. The main reason being that the DPRK's hackers often operate under the threshold of retaliation. The key thing everyone has to remember about the Kim regime is that it is fundamentally weak. 
While the North Korean army is large, it's so technologically backwards that it would lose a conventional war with South Korea in days—even if Uncle Sam didn't join in on Seoul's side. The country Kim presides over is malnourished and trapped in biting poverty. So terrified is the regime of outside influences that it has taken to executing teenagers for the crime of listening to foreign music.\n\nIn other words, this is a state that would collapse if any Western nation intervened in it. Hence why Pyongyang invests so much of its limited money in weapons of mass destruction. Kim's entire strategy is to make sure everyone thinks that trying to change North Korea would be too costly to contemplate. The flip side, though, is that Pyongyang also needs to make sure it never forces a response from its enemies—that it never does anything so egregious that the US has no choice but to retaliate, nuclear weapons be damned.\n\nAs a result, the DPRK's approach to cyber is similar to its approach in other domains. It likes to steal and cheat and cause chaos, but always below the threshold that would invite retaliation. Remember, this is a country that had its entire internet knocked offline by one dude in Florida. Can you imagine the damage a concerted, US-led cyber-attack could do? Well, Kim can. And he wants to make sure he never has to experience it firsthand. Which is why it's hard to imagine the West ever managing to solve the problem of DPRK hackers. So long as Kim doesn't cross any red lines, it's just not worth the risk retaliating against a lunatic armed with nukes.\n\nNow, that's not to say the West has never tried to rein in North Korean cybercrime. The Lawfare blog reports that starting in 2022, the US began cracking down hard on online exchanges that allowed the DPRK to launder stolen crypto. The good news is that many of these exchanges were taken offline, which impacted other users such as drug cartels and the Russian mafia. 
The bad news is that the North Koreans quickly adapted, finding other ways to launder money instead.\n\nOther times, the West seems stuck simply trying to send a message. Earlier this summer, for example, a US court indicted RGB operative Rim Jong Hyok for hacking American healthcare providers. As AP News explains, though: \"An arrest of Rim is unlikely, so the biggest outcome of the indictment is that it may lead to sanctions that could cripple the ability of North Korea to collect ransoms this way.\" That's a win for healthcare providers worried about ransomware attacks, but it won't stop Pyongyang from finding ways to steal money elsewhere. In the same article, one of the AP's interviewees predicted that it'll simply lead to more crypto exchanges being targeted.\n\nAll of which means that North Korean cybercrime might be something we're stuck with for the foreseeable future. A wave of criminality that steals military secrets, siphons cash away from unwitting investors, and causes occasional disruption—all without ever crossing the threshold where it would merit retaliation. And that, really, is the DPRK in a nutshell: a constant spoiler on the international scene, a place that thrives on disorder and criminality, yet also a place that the world has been unable to do anything about for decades.\n\nSeen this way, North Korea's hackers are just another element added into the mix. Another annoyance that other states have to put up with. Another danger to guard against. But as that danger continues to grow, it's something the world needs to be more aware of. The media may today be more focused on events in Ukraine and the Middle East, but North Korea remains a potent threat. 
And the cyber espionage we're seeing today may be only the beginning.\n\n## Related Coverage\n- [The UAE is Destabilizing the Entire Middle East](https://warfronts.pub/conflicts/the-uae-is-destabilizing-the-entire-middle-east)\n- [How the UAE's Regional Meddling Triggered a Historic Realignment Across the Middle East](https://warfronts.pub/geopolitics/uae-destabilizing-middle-east-regional-realignment-2026)\n- [The UAE's Regional Ambitions Collapse as Middle East Powers Push Back](https://warfronts.pub/geopolitics/uae-regional-ambitions-collapse-middle-east-pushback)\n\n## Frequently Asked Questions\n\n### How can North Korea produce elite hackers when most citizens lack electricity and internet access?\n\nNorth Korea recruits approximately 7,000 mathematical child prodigies from its 26-million population, sending them to specialized high schools and two elite Pyongyang universities focused on advanced coding. These hackers receive exceptional privileges by DPRK standards — homes, cars, regular meals, and sometimes permission to travel to China. The regime has treated cyber as equivalent to its nuclear weapons program since Kim Jong-Un took power in 2011, calling it part of the \"all-purpose sword\" that could strike anywhere.\n\n### What are North Korean hackers primarily after?\n\nAccording to Recorded Future analysis, 72% of known DPRK hacks target data theft, particularly military technologies such as tanks, fighter jets, rockets, torpedoes, and nuclear secrets. Only 24% are financially motivated. 
Nearly two-thirds of all known attacks target South Korea, with less than a tenth targeting the USA, though operations have been recorded in 150 countries worldwide.\n\n### What are the biggest North Korean cyber operations on record?\n\nKey operations include the 2014 Sony Pictures hack; the 2016 Bangladesh Bank heist that netted over $80 million despite being partially stopped; theft of more than 200 gigabytes from South Korea's military in 2016 including war plans; the global WannaCry ransomware attack that hit Britain's NHS, Taiwan Semiconductor, and Boeing; theft of 17 gigabytes from NASA in 2022; and over $3 billion stolen from cryptocurrency exchanges between 2019 and early 2024 — exceeding North Korea's entire annual foreign trade volume.\n\n### Why doesn't the West retaliate more forcefully?\n\nNorth Korea deliberately operates below the retaliation threshold, ensuring attacks are damaging but not severe enough to justify military action against a nuclear-armed state. The regime is fundamentally weak and would collapse under Western intervention, which is precisely why it invests in weapons of mass destruction as deterrence. One individual in Florida was able to knock North Korea's entire internet offline, illustrating the country's own vulnerability — something Kim Jong-Un is careful to avoid provoking.\n\n### Does North Korea hack its allies Russia and China?\n\nYes. Despite Russia and China being its only meaningful allies, North Korea has targeted both. In 2022, RGB hackers broke into a major Russian missile manufacturer's computers and maintained access for five months. In 2023, the majority of state-sponsored cyberattacks against Russia originated from North Korea and China, and the Lazarus group was still inside various Russian systems as late as November 2023. 
North Korea has also stolen technical and design information on Chinese military weapons and vehicles.\n\n## Sources\n- <https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army>\n- <https://www.bbc.com/news/articles/cjl6p3wj52no>\n- <https://foreignpolicy.com/2023/06/23/north-korea-cyber-espionage-cryptocurrency-theft/>\n- <https://www.economist.com/graphic-detail/2023/07/07/north-koreas-hackers-are-after-intel-not-just-crypto>\n- <https://www.reuters.com/world/north-korean-hackers-are-stealing-military-secrets-us-allies-say-2024-07-25/>\n- <https://www.reuters.com/technology/north-korean-hackers-breached-top-russian-missile-maker-2023-08-07/>\n- <https://www.lawfaremedia.org/article/countering-north-korean-cybercrime-and-its-enablers>\n- <https://foreignpolicy.com/2023/04/17/north-korea-nuclear-cyber-crime-hackers-weapons/>\n- <https://www.economist.com/culture/2022/06/23/the-lazarus-heist-explains-north-koreas-wild-hacking-spree>\n- <https://english.elpais.com/technology/2024-06-24/alejandro-caceres-the-hacker-who-took-down-north-koreas-internet-from-his-home-my-attack-was-a-response-to-their-attempt-to-spy-on-me.html>\n- <https://apnews.com/article/north-korea-hacker-military-intelligence-hospitals-b3153dc0ad16652a80a9263856d63444>\n- <https://therecord.media/russian-analysts-point-finger-at-china>\n- <https://www.nytimes.com/2024/07/25/us/politics/north-korea-ransomware-computer-hacking.html>\n\n<!-- youtube:YHsyYt9NSdo -->"
url: https://warfronts.pub/article/north-korean-hackers-growing-cyber-threat.md
canonical: https://warfronts.pub/article/north-korean-hackers-growing-cyber-threat
datePublished: 2026-02-17
dateModified: 2026-02-17
author:
  - name: Simon Whistler
    url: https://warfronts.pub/author/simon-whistler
publisher: Warfronts
image: "https://media.warfronts.pub/cdn-cgi/image/width=1600,height=900,fit=cover,quality=80,format=auto/articles/YHsyYt9NSdo/hero.jpg"
type: NewsArticle
contentHash: dadad5b2d658ea87ab16c51aa1fc5686aea0bddffb03e1198646cd11c5000916
tokens: 6385
summaryUrl: https://warfronts.pub/article/north-korean-hackers-growing-cyber-threat.md.summary.md
---

<!-- aeo:section start="lede" -->
Almost exactly a decade ago, North Korea made global headlines for hacking into the computer systems of Sony Pictures in retaliation for a Seth Rogen comedy that mocked Kim Jong-Un. The incident seemed weird and ridiculous at the time, yet it carried a faint whiff of menace that few took seriously. Beyond the memes it inspired, however, the Sony Pictures hack was a warning that the threat from Pyongyang was only growing—particularly regarding cyber capabilities. Fast forward to today, and North Korean hackers are no longer a punchline. The last decade has seen their techniques grow in sophistication to the point where the DPRK has become the prime suspect in everything from billion-dollar bank heists to the stealing of nuclear secrets. According to experts, the threat is likely to only get worse.

<!-- aeo:section end="lede" -->
<!-- aeo:section start="key-takeaways" -->
## Key Takeaways

- North Korea has evolved from the 2014 Sony Pictures hack into a sophisticated cyber threat, now suspected in billion-dollar heists and theft of nuclear secrets.
- Despite having minimal electricity and less than 1% internet access among citizens, the DPRK has produced some of Earth's most successful cyber espionage teams through elite recruitment of mathematical prodigies.
- The Reconnaissance General Bureau (RGB) and its sub-groups like Lazarus and Kimsuky are responsible for most attacks, with 72% of known DPRK hacks targeting data theft rather than financial gain.
- North Korea stole over $3 billion in cryptocurrency between 2019 and 2024, exceeding the country's annual foreign trade volume since 2019.
- The regime operates below the retaliation threshold deliberately, conducting cyber operations that are damaging but not severe enough to justify military response against a nuclear-armed state.
- North Korea targets even its allies Russia and China for military technology secrets, demonstrating its willingness to hack any nation for critical information.

<!-- aeo:section end="key-takeaways" -->
<!-- aeo:section start="stealing-secrets-the-paradox-of-north-korean-cyber-capabilities" -->
## Stealing Secrets: The Paradox of North Korean Cyber Capabilities

North Korea exists in a near-permanent blackout, a nation so poor that electricity is almost unheard of outside the capital, Pyongyang. Satellite imagery traveling over the Hermit Kingdom at night sees almost nothing—while South Korea and China glow with the light of cities clustered like distant stars, North Korea remains dark and silent, appearing stuck in the pre-modern era.

The statistics on internet usage bear out this technological backwardness. In 2021, the New Yorker noted that fewer than one percent of the DPRK's citizens have access to the internet. The country's digital infrastructure is so weak that in early 2022, one individual in Florida managed to knock the entire nation offline for days between trips to the fridge for beer and snacks. This is just about the least technologically adept nation imaginable—a place that even a time traveler from the late-Victorian era would find backward.

Yet North Korea's general lack of electricity and internet disguises one weird, counterintuitive fact: in recent years, the DPRK has produced some of the most successful cyber espionage teams on Earth. One interviewee in the New Yorker article compared the idea of DPRK hackers to Jamaica producing a world-class bobsleigh team. Foreign Policy summarized the contradictions, noting that North Korea "is at once a closed-off communist autocracy that is cash-strapped, impoverished, and more isolated than ever before, while also being tech savvy, entrepreneurial, and ruthlessly adept at trawling the web to loot, steal, and—most importantly of all—find ways to advance its nuclear weapons program."

This paradox has become such a problem that intelligence agencies are sounding warning alarms. In July of this year, South Korea, the UK, and US issued a joint alert about DPRK hackers targeting military and nuclear secrets. According to the BBC's report, the hacker group has been seeking information in a wide range of areas—from uranium processing to tanks, submarines and torpedoes—and has targeted the UK, US, South Korea, Japan, India and elsewhere.

The operations trace back to one primary entity: the RGB, or Reconnaissance General Bureau. The RGB is responsible for some of the most high-profile North Korean cybercrimes, including the Sony Pictures hack and the stealing of cryptocurrency from major exchanges. According to Foreign Policy, the RGB unit responsible for cyber is further broken into sub-groups. While hackers from Lazarus tend to target global entities, a lesser-known division called Kimsuky focuses on hacking Asian governments.

These aren't the only entities involved. While the RGB is behind most attacks that appear in the news, a whole separate division of hackers operates under the wing of the General Staff Department of the military. Known as the Enemy Collapse Sabotage Bureau, they focus on psychological warfare.

Broadly, most North Korean hackers are after one of two things: money or information. The financial crimes tend to be flashier and get more media attention—such as the Bank of Bangladesh hack that nearly cost the country a billion dollars in 2016. Spectacular heists such as this, along with the regular plundering of cryptocurrency, appear to be ways of quickly raising the foreign currency the regime needs to keep its nuclear program ticking over.

Yet financial hacks are rarer than many realize. An analysis by cyber-security company Recorded Future found that financial motivation was behind just 24 percent of known DPRK hacks. An even smaller percentage were motivated by the desire to disrupt life in an enemy nation. By contrast, nearly 72 percent of hacks were attempts to steal data.

In most cases, the data targeted is information linked to military technologies. A recent piece in the New York Times concluded that DPRK hackers had targeted not only South Korea and Taiwan in recent years, but also China. Among the data stolen were "technical and design information about military weapons and vehicles, such as tanks, fighter jets, rockets and torpedoes." Other times, the intruders seemed to be hunting for information on Western war planning, although most of Pyongyang's efforts seem focused on Asia.

While North Korean operations have been recorded in 150 countries worldwide, nearly two thirds of all known DPRK cyber-attacks targeted South Korea. Less than a tenth targeted the USA. Most of the rest targeted a semi-random smattering of Asian nations. Still, this doesn't mean those living outside Asia can simply shrug and forget about it—Pyongyang's offensive cyber capabilities are only growing, and there are worrying signs that certain nations are facilitating its rise.

<!-- aeo:section end="stealing-secrets-the-paradox-of-north-korean-cyber-capabilities" -->
<!-- aeo:section start="dark-history-the-evolution-of-north-korea-s-cyber-warfare-progra" -->
## Dark History: The Evolution of North Korea's Cyber Warfare Program

In the more desirable districts of Pyongyang, one might pass the home of a successful hacker. Aside from those in the military's upper echelons, regime-sponsored cyber criminals are among the few North Koreans who might be deemed worthy of having a comfortable home and a decent car. In the DPRK, such items are an obscene luxury. Most citizens of Pyongyang—where, remember, only elites are allowed to live—can't afford regular meals. During the food crisis of 2023, there were reports of city residents starving to death in their apartments.

By DPRK standards, the rewards available to hackers are enormous. As well as owning homes and cars and getting fed, they might even be allowed to travel abroad to China—an extreme rarity for a nation that almost never lets its citizens leave. Yet becoming a hacker is not a career path open to most. In their long 2021 article on the subject, the New Yorker explained that there are only about 7,000 people in the DPRK's various cybercrime units out of a total population of 26 million.

All of them are former child prodigies who stood out at a young age for being especially good at mathematics. Sent to specialized high schools that allowed them to use computers, they were then recruited into one of two universities in Pyongyang that specialize in advanced coding. After that, the absolute best stayed on in Pyongyang, while the less-good were likely among those sent to outposts in China to carry out low-level cybercrimes.

There's considerable suspicion that Beijing is well aware of what the RGB is up to and may even be facilitating it. Similar suspicion falls on Russia. Yet even if Beijing and Moscow are helping Pyongyang carry out its cybercrimes, it's unlikely that this is the worst North Korean behavior they've witnessed. After all, the DPRK has been involved in all sorts of illicit activity since the moment of its creation.

The Economist recently covered some of the activities Pyongyang has dabbled in over the years: smuggling, counterfeiting, and even cooking and selling crystal meth, like a nation of Walter Whites. Things got worse in the 1990s when the Soviet Union collapsed and Pyongyang lost its source of cheap imports. As sanctions were placed on the North Korean economy, the Kim family turned to increasingly desperate schemes to get hold of foreign currency.

It was around this time that the regime started to show an interest in cyber, initially for military purposes. Kim Jong-Il had watched the US utilize electronic warfare during the Gulf War to jam Iraqi radar systems and wanted a piece of that action. Yet it would only be with the rise to power of his son, Kim Jong-Un, in 2011 that North Korea went all in on its cyber capabilities.

Because he's seen as such a comical figure in the West, it can be easy to forget that Kim Jong-Un received an expensive education. When studying in Switzerland, he's known to have taken computer science classes. While no one is claiming he's some sort of mathematical genius, those lectures clearly left an impression. As the Economist writes, Kim "significantly expand(ed) the country's cyber-warfare capabilities after he assumed power in 2011."

By 2012, the dear leader was talking about cyber as being on the same level as the country's nuclear weapons program, as part of the "all-purpose sword" that could be used to strike anywhere. At the time, anyone outside the country who heard this probably just smirked—how was a nation with barely any electricity going to compete with advanced nations like South Korea and the US in the cyber domain? But even in 2012, the DPRK was already starting to grow proficient at hacking, and the next few years would demonstrate its prowess to the entire world.

<!-- aeo:section end="dark-history-the-evolution-of-north-korea-s-cyber-warfare-progra" -->
<!-- aeo:section start="offensive-capabilities-from-sony-pictures-to-billion-dollar-heis" -->
## Offensive Capabilities: From Sony Pictures to Billion-Dollar Heists

For most ordinary people, the Sony Pictures hack would be the first time they heard of North Korea's cyber capabilities. Taking place in November of 2014, the attack saw the company taken offline for days on end, internal company emails splashed across the internet, and scripts and footage from major upcoming movies made public. So embarrassing was some of the leaked content that powerful people at Sony lost their jobs. Really, though, the Sony Pictures hack was relatively small-fry stuff—a public revenge attack conducted by a regime angered about a movie depicting its dear leader in an unflattering light.

In terms of sheer scale and audacity, it would be 2016, rather than 2014, that saw North Korea's cyber-attacks go supernova. The reason why the regime began to lean so heavily on hacking from 2016 on is still the subject of some debate. It could be that new sanctions introduced that year following a nuclear test made Pyongyang even more desperate for foreign currency. It could also be that North Korea's capabilities only really matured that year, allowing them to pull off bigger attacks.

What's not up for debate is that 2016 saw a spike in cybercrime linked to the DPRK that hasn't really abated since. And it began with two major hacks: one financial, one targeting data. Arguably, the one targeting data was the more destructive, since it saw over 200 gigabytes stolen from South Korea's military. This included top secret material like Operational Plan 5015, which detailed how Seoul would try to decapitate North Korea's leadership in the opening hours of a war.

In terms of publicity, though, it was the financial hack that got the world's attention. Targeting Bangladesh's national bank, the heist came close to costing the country a billion dollars. That we can use the word "close" in that sentence is purely down to blind luck. The hackers filed thirty-five fake transactions that would've dispatched a billion dollars to different banks in Asia, from which the money would've quickly been withdrawn and then laundered through Philippine casinos.

Fortunately for Bangladesh, one of those banks was located on Jupiter Street in Manila. Since "Jupiter" is also the name of a sanctioned Iranian shipping firm, the word triggered anti-fraud checks—at which point the world discovered the massive heist underway. In the end, that absurd coincidence saved over $900 million from vanishing into North Korean pockets. Yet despite its failure, Pyongyang still made off from the heist with over $80 million.

More importantly, the heist revealed growing North Korean capabilities. It was a complex piece of work, requiring imagination and a whole lot of patience. And it showed the regime's ability to go after big money. Just three years later, the UN would estimate that Pyongyang had stolen over two billion dollars across the decade.

Nor was stealing all the regime's hackers did. In the years between the attack on Bangladesh Bank and the UN report, North Korea also launched the massive ransomware attack known as WannaCry. That incident saw targets as varied as Britain's National Health Service, the Taiwan Semiconductor Manufacturing Company, and a Boeing plant in South Carolina get knocked offline, before a 22-year-old malware expert found the virus's kill switch and stopped its spread.

Really, though, it was only after 2019 that North Korea's cyber schemes became particularly lucrative, thanks to the rise of cryptocurrencies. While Bitcoin had made news over the 2010s, it was really only with the onset of the pandemic that cryptocurrencies hit the mainstream—as more and more people trapped at home in uncertain times tried to turn a quick buck. This is the era when Bitcoin hit what was then its absolute peak, when memecoins like Dogecoin briefly became hugely valuable.

It was also the era when North Korea became adept at breaking into crypto exchanges and emptying out the wallets where all their customers' coins were held. Earlier this year, the Lawfare blog estimated that the regime stole over $3 billion in crypto between 2019 and early 2024. As the author notes: "For perspective, North Korea's annual foreign trade volume—long its chief source of hard currency—has not surpassed that figure since 2019."

Of course, stealing money from crypto exchanges is one thing. Were that all North Korea was doing, it probably wouldn't warrant such concern. But as mentioned earlier, Pyongyang's ambitions go way beyond stealing cryptocurrency. Reuters reports that back in 2022, the Kim regime stole over 17 gigabytes of data from NASA. Today, the DPRK is targeting nuclear secrets and information on advanced weapons. Clearly, this is serious stuff, raising an important question: is there anything the rest of the world can do about it?

<!-- aeo:section end="offensive-capabilities-from-sony-pictures-to-billion-dollar-heis" -->
<!-- aeo:section start="repercussions-the-challenge-of-responding-to-north-korean-cyber-" -->
## Repercussions: The Challenge of Responding to North Korean Cyber Threats

Even among pariah states, North Korea is exceptionally friendless. China props it up because it's convenient for Beijing to have a buffer between their border and US-aligned South Korea. Russia sells Kim advanced technology, but only because Vladimir Putin is desperate for munitions to use in his war against Ukraine. Aside from that, Pyongyang is pretty much the weird kid no one talks to, beyond occasional outreach by states like Iran.

Yet despite having maybe only two friends in all the world, North Korea hasn't made an exception for either of them where hacking is concerned. In recent years, both China and Russia have been targeted by the RGB. In the case of Russia, hackers broke into the computers of a major missile manufacturer in 2022 and spent five months with access before they were discovered. Nor was this a one-off. Record Media reports that in 2023, "the majority of state-sponsored cyberattacks against Russia originated from North Korea and China."

The Lazarus group is thought to be particularly active; its hackers were still inside various Russian systems as late as November of 2023. Given that Russia is one of North Korea's few allies, the fact that Pyongyang is trying to steal data on their missiles does not bode well for restraining Kim's cyber capabilities. As Reuters put it: "Experts say the incident shows how the isolated country will even target its allies, such as Russia, in a bid to acquire critical technologies."

Yet even if a country wanted to push back against Pyongyang's espionage, it would be hard. The main reason is that the DPRK's hackers often operate under the threshold of retaliation. The key thing everyone has to remember about the Kim regime is that it is fundamentally weak. While the North Korean army is large, it's so technologically backwards that it would lose a conventional war with South Korea in days—even if Uncle Sam didn't join in on Seoul's side. The country Kim presides over is malnourished and trapped in biting poverty. So terrified is the regime of outside influences that it has taken to executing teenagers for the crime of listening to foreign music.

In other words, this is a state that would collapse if any Western nation intervened in it. Hence why Pyongyang invests so much of its limited money in weapons of mass destruction. Kim's entire strategy is to make sure everyone thinks that trying to change North Korea would be too costly to contemplate. The flip side, though, is that Pyongyang also needs to make sure it never forces a response from its enemies—that it never does anything so egregious that the US has no choice but to retaliate, nuclear weapons be damned.

As a result, the DPRK's approach to cyber is similar to its approach in other domains. It likes to steal and cheat and cause chaos, but always below the threshold that would invite retaliation. Remember, this is a country that had its entire internet knocked offline by one dude in Florida. Can you imagine the damage a concerted, US-led cyber-attack could do? Well, Kim can. And he wants to make sure he never has to experience it firsthand. Which is why it's hard to imagine the West ever managing to solve the problem of DPRK hackers. So long as Kim doesn't cross any red lines, it's just not worth the risk of retaliating against a lunatic armed with nukes.

Now, that's not to say the West has never tried to rein in North Korean cybercrime. The Lawfare blog reports that starting in 2022, the US began cracking down hard on online exchanges that allowed the DPRK to launder stolen crypto. The good news is that many of these exchanges were taken offline, which impacted other users such as drug cartels and the Russian mafia. The bad news is that the North Koreans quickly adapted, finding other ways to launder money instead.

Other times, the West seems stuck simply trying to send a message. Earlier this summer, for example, a US court indicted RGB operative Rim Jong Hyok for hacking American healthcare providers. As AP News explains, though: "An arrest of Rim is unlikely, so the biggest outcome of the indictment is that it may lead to sanctions that could cripple the ability of North Korea to collect ransoms this way." That's a win for healthcare providers worried about ransomware attacks, but it won't stop Pyongyang from finding ways to steal money elsewhere. In the same article, one of the AP's interviewees predicted that it'll simply lead to more crypto exchanges being targeted.

All of which means that North Korean cybercrime might be something we're stuck with for the foreseeable future. A wave of criminality that steals military secrets, siphons cash away from unwitting investors, and causes occasional disruption—all without ever crossing the threshold where it would merit retaliation. And that, really, is the DPRK in a nutshell: a constant spoiler on the international scene, a place that thrives on disorder and criminality, yet also a place that the world has been unable to do anything about for decades.

Seen this way, North Korea's hackers are just another element added into the mix. Another annoyance that other states have to put up with. Another danger to guard against. But as that danger continues to grow, it's something the world needs to be more aware of. The media may today be more focused on events in Ukraine and the Middle East, but North Korea remains a potent threat. And the cyber espionage we're seeing today may be only the beginning.

<!-- aeo:section end="repercussions-the-challenge-of-responding-to-north-korean-cyber-" -->
<!-- aeo:section start="frequently-asked-questions" -->
## Frequently Asked Questions

### How can North Korea produce elite hackers when most citizens lack electricity and internet access?

North Korea recruits approximately 7,000 mathematical child prodigies from its 26-million population, sending them to specialized high schools and two elite Pyongyang universities focused on advanced coding. These hackers receive exceptional privileges by DPRK standards — homes, cars, regular meals, and sometimes permission to travel to China. The regime has treated cyber as equivalent to its nuclear weapons program since Kim Jong-Un took power in 2011, calling it part of the "all-purpose sword" that could strike anywhere.

### What are North Korean hackers primarily after?

According to Recorded Future analysis, 72% of known DPRK hacks target data theft, particularly military technologies such as tanks, fighter jets, rockets, torpedoes, and nuclear secrets. Only 24% are financially motivated. Nearly two-thirds of all known attacks target South Korea, with less than a tenth targeting the USA, though operations have been recorded in 150 countries worldwide.

### What are the biggest North Korean cyber operations on record?

Key operations include the 2014 Sony Pictures hack; the 2016 Bangladesh Bank heist that netted over $80 million despite being partially stopped; theft of more than 200 gigabytes from South Korea's military in 2016 including war plans; the global WannaCry ransomware attack that hit Britain's NHS, Taiwan Semiconductor, and Boeing; theft of 17 gigabytes from NASA in 2022; and over $3 billion stolen from cryptocurrency exchanges between 2019 and early 2024 — exceeding North Korea's entire annual foreign trade volume.

### Why doesn't the West retaliate more forcefully?

North Korea deliberately operates below the retaliation threshold, ensuring attacks are damaging but not severe enough to justify military action against a nuclear-armed state. The regime is fundamentally weak and would collapse under Western intervention, which is precisely why it invests in weapons of mass destruction as deterrence. One individual in Florida was able to knock North Korea's entire internet offline, illustrating the country's own vulnerability — something Kim Jong-Un is careful to avoid provoking.

### Does North Korea hack its allies Russia and China?

Yes. Despite Russia and China being its only meaningful allies, North Korea has targeted both. In 2022, RGB hackers broke into a major Russian missile manufacturer's computers and maintained access for five months. In 2023, the majority of state-sponsored cyberattacks against Russia originated from North Korea and China, and the Lazarus group was still inside various Russian systems as late as November 2023. North Korea has also stolen technical and design information on Chinese military weapons and vehicles.

<!-- aeo:section end="frequently-asked-questions" -->
<!-- aeo:section start="sources" -->
## Sources
- <https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army>
- <https://www.bbc.com/news/articles/cjl6p3wj52no>
- <https://foreignpolicy.com/2023/06/23/north-korea-cyber-espionage-cryptocurrency-theft/>
- <https://www.economist.com/graphic-detail/2023/07/07/north-koreas-hackers-are-after-intel-not-just-crypto>
- <https://www.reuters.com/world/north-korean-hackers-are-stealing-military-secrets-us-allies-say-2024-07-25/>
- <https://www.reuters.com/technology/north-korean-hackers-breached-top-russian-missile-maker-2023-08-07/>
- <https://www.lawfaremedia.org/article/countering-north-korean-cybercrime-and-its-enablers>
- <https://foreignpolicy.com/2023/04/17/north-korea-nuclear-cyber-crime-hackers-weapons/>
- <https://www.economist.com/culture/2022/06/23/the-lazarus-heist-explains-north-koreas-wild-hacking-spree>
- <https://english.elpais.com/technology/2024-06-24/alejandro-caceres-the-hacker-who-took-down-north-koreas-internet-from-his-home-my-attack-was-a-response-to-their-attempt-to-spy-on-me.html>
- <https://apnews.com/article/north-korea-hacker-military-intelligence-hospitals-b3153dc0ad16652a80a9263856d63444>
- <https://therecord.media/russian-analysts-point-finger-at-china>
- <https://www.nytimes.com/2024/07/25/us/politics/north-korea-ransomware-computer-hacking.html>

<!-- aeo:section end="sources" -->