Recently, North Korean hackers have been in the news more and more often. Their latest high-profile media appearance is the largest hack in history, when criminals managed to steal $1.5 billion worth of digital assets from the Bybit cryptocurrency exchange. The OKX exchange could have become the next victim. However, the company’s team noticed potential vulnerabilities in time. Within a month, the funds stolen from Bybit were laundered and converted into bitcoins, which has made North Korea the third country in the world by the amount of BTC held. Why does the DPRK need so much money? Usually, the money is used to maintain the dictatorship and support the nuclear program. This is nothing new. But another thing is interesting: how did the North Korean authorities manage to find and train such talented hackers? Where does the country get high-tech equipment if it is under sanctions from most countries? Let’s try to figure it out.
The great, dashing and powerful Lazarus Group
Only the lazy have never heard of the North Korean Lazarus Group. These are the hackers behind the biggest thefts. In total, in 2024, hackers from the DPRK stole about $800 million worth of cryptocurrency. The DPRK was responsible for 35% of all stolen digital assets in 2024, and its attacks were almost five times larger than those of other hackers.
Analysts noted that the Lazarus Group’s methods often include sophisticated social engineering, phishing campaigns, and exploitation of software vulnerabilities.
In the case of Bybit’s assets, the speed of money laundering was striking: within 48 hours, at least $160 million was withdrawn by illegal means. This involved multiple intermediary wallets, conversion to various cryptocurrencies, decentralized exchanges, and cross-chain bridges to cover their tracks.
Such rapid money laundering suggests that North Korea has either expanded its infrastructure or clandestine financial networks, especially in China, or increased its ability to absorb and process stolen funds.
Typically, North Korean cybercriminals have relied on mixers such as Tornado Cash to conceal the origin of the stolen funds before converting them to fiat. However, in the case of Bybit, the attackers employed a multi-faceted strategy using multiple intermediary wallets, decentralized exchanges, and interchain bridges to quickly conceal the source of the funds.
Initially, some of the stolen Ethereum coins passed through the Binance Smart Chain and Solana networks. Another part was converted into BTC. Currently, most of the converted bitcoins remain untouched. This means that hackers are preparing for a large-scale liquidation or further concealment through over-the-counter (OTC) networks.
According to TRM’s North Korea expert and former FBI specialist Nick Carlsen, «The Bybit exploit indicates that the regime is enhancing the technique of «flooding the zone» — overwhelming compliance teams, blockchain analysts, and law enforcement with fast, high-frequency transactions across multiple platforms, making it difficult to track».
For decades, North Korea has operated as a pariah state due to international sanctions imposed over its nuclear program, human rights abuses, and illicit financial activities. Pyongyang has been forced to develop a complex global network of illicit revenue sources. Long before focusing on cryptocurrency theft, the DPRK was engaged in counterfeiting US dollars and was involved in smuggling counterfeit cigarettes, drug trafficking, and arms sales.
The breach of the Bangladesh Bank in 2016, when North Korean hackers penetrated the SWIFT banking network, was a turning point. They managed to withdraw only $81 million out of the planned $1 billion. This was the first known case of a state committing a financial crime using cyber technologies on such a large scale. Subsequently, North Korea’s cyber activities shifted to the digital asset ecosystem. In a few years, the DPRK gained the status of the most active financial cybercriminal in the world.
History of the largest cryptocurrency thefts by hackers from the DPRK
The hack of the Bybit crypto exchange has become the most prominent in a series of high-profile thefts attributed to the Lazarus Group from North Korea, TRM Labs analysts believe. The authors argue that the Lazarus Group cannot be considered a state-sponsored cybercriminal group in the traditional sense. They believe that Lazarus should be considered as one with North Korea. These hackers have repeatedly shown the ability to adapt and evolve their tactics to find and exploit vulnerabilities in the cryptocurrency ecosystem.
Atomic Wallet (June 2023)
North Korean hackers attacked users of the noncustodial wallet Atomic Wallet and stole about $100 million in cryptocurrencies. They managed to get to more than 4100 separate addresses. The hacker attack was probably carried out through phishing or supply chain compromise.

Stake (September 2023)
The FBI has confirmed that the Lazarus Group was behind the theft of about $41 million in crypto assets from online casino and betting platform Stake.com. The funds were stolen from Stake-controlled addresses in the Ethereum, Binance Smart Chain, and Polygon blockchains.
Ronin Bridge (March 2022)
In one of the most significant DeFi exploits, hackers cracked Ronin Bridge, which is tied to the game Axie Infinity, and as a result were able to steal more than $600 million in cryptocurrencies.

WazirX (2024)
Hackers from North Korea stole $235 from India’s largest cryptocurrency exchange, WazirX.
DMM Bitcoin (2024)
They also withdrew $305 million in bitcoins from the Japanese exchange DMM Bitcoin.

Where do North Korea’s talented hackers come from?
The first computer science schools appeared in the DPRK in the 1980s. The Gulf War helped the regime understand the importance of Internet technologies in modern warfare. Gifted mathematics students were sent to specialized schools and exempted from mandatory annual agricultural work, Tae Yong Ho, a senior North Korean diplomat who fled to the West in 2016, told The Economist.
Initially, North Korea needed cyber forces for espionage and sabotage, but in the mid-2010s they focused on cybercrime. Kim Jong-un is rumored to have called cyberwarfare a «universal sword».
Despite its poverty, the DPRK has several advantages. One of them is talent. Ordinary citizens’ access to the Internet or computers is severely limited.
«North Korea can gather the best brains and tell them what to do. They don’t have to worry about employees going to work for Samsung», explained Kim Seung-ju from the Cyber Security Department of Korea University in Seoul.
The North Korean hackers are working around the clock and are bold because they don’t give a damn about secrecy and diplomatic consequences.
The process of finding talent and training them is reminiscent of the way Olympians were trained in the former USSR, writes The New Yorker. Unlike traditional warfare, which requires expensive and sophisticated weapons development, a hacking program requires only one resource: smart people. And North Korea «has no shortage of human capital». The most promising students are encouraged to use computers in schools. Those who are successful in math get into specialized schools. Top students travel abroad to compete in competitions such as the International Mathematical Olympiad (IMO).
Many Fields Medal winners — the most prestigious math award for teenagers — have placed highly in these competitions. North Korean participants often demonstrate impressive results at IMO. By the way, the DPRK was the only country to be disqualified due to suspected cheating: the North Korean team was expelled from the competition twice — in 1991 and 2010.
At the 2019 IMO, held in Bath, England, Kook Sung-hyun completed the first five of the six tasks perfectly and tied for first place with students from China, South Korea, Poland, and the United States until he received a low score for the final task.
Two universities in Pyongyang — Kim Jong-un University of Technology and Kim Il Sung University — attract the most talented teenagers from specialized math and computer schools where they are taught modern programming methods. These institutions often outperform American and Chinese universities at the International Collegiate Programming Contest (ICPC).
At the 2019 International Collegiate Programming Contest, a team from a North Korean university took eighth place, ahead of teams from Cambridge, Harvard, Oxford, and Stanford.
The DPRK’s cyber structure. Photo: Mandiant
Costin-Andrei Oncescu, who represented the University of Oxford at ICPC 2019, said that such competitions are becoming a recruiting platform for leading technology companies. For example, Huawei was a sponsor of the 2019 final. Many participants have achieved significant success in programming.
According to various estimates, about 7,000 people are involved in the country’s cyber program. The staff is divided between the General Staff of the Army, which supports military operations, and the Main Intelligence Bureau.
According to researchers at Korea University, one of the G.R.B.’s units, known as «Unit 180», is responsible for «conducting cyberattacks to steal foreign money outside North Korea». The best-known unit of North Korean hackers is the Lazarus Group, although this unit may include or be partially replaced by other groups known to Western law enforcement and intelligence agencies as BeagleBoyz, Hidden Cobra, and APT38 (APT is short for «Advanced Persistent Threat»).
There is no exact data on the number of employees in each group or their thefts.
Here’s something else interesting: Where exactly do North Korean hackers work? A Harvard researcher tracked the metadata of Internet users from North Korea during 2017-2020. She found that only a few hundred IP addresses could be used. Based on this and other data, she concluded that most North Korean programmers work outside the DPRK — in China and some parts of Southeast Asia. But the best specialists remain in Pyongyang or return there to fulfill the most important tasks of the government.
The best hackers in the DPRK who participate in the most lucrative schemes are rewarded with cars, comfortable housing, or other material benefits known as «Kim Jong-un’s Special Gifts». This is something that is not available to other citizens.
John Demers of the U.S. Department of Justice suspects that China is helping North Korea with cyberattacks because it «does not want the DPRK to fail». He also noted that «North Korea is connected to the world mainly through Russian and Chinese infrastructure».
«There are good reasons to believe that Russia and China are well aware of what is happening and have even actively facilitated some of the operations».
Both legal and illegal trade continues across North Korea’s borders with Russia and China, which have historically been allies. According to the U.S. Cybersecurity and Infrastructure Security Agency, no financial institutions in Russia or China have been attacked by North Korean hackers.
North Korean hackers, in particular the Lazarus Group, continue to steal billions in cryptocurrency. Thanks to talented programmers educated in special schools and already established digital money laundering methods, the DPRK is financing its dictatorship and nuclear program bypassing sanctions. Not without the help of its neighbors.