From Digital Kleptocracy to Rogue Crypto-Superpower
How North Korea turned cybercrime and cryptocurrency theft into a strategic arsenal—and why the US must recalibrate
North Korea has evolved from a noisy digital vandal into one of the most capable and prolific state cyber actors, responsible for some of the largest financial heists in history, including the $620 million Ronin bridge hack and a growing list of multi-hundred-million-dollar exchange breaches.
Over the last decade, North Korea-linked groups have stolen billions of dollars in cryptocurrency, including an estimated $1.7 billion in 2022 alone and roughly $1 billion more in 2023. Analysts at firms like Chainalysis and TRM Labs assess that a substantial portion of these funds supports North Korea’s nuclear and missile programs, helping Pyongyang sidestep sanctions that would otherwise constrain its weapons development.
Most of that cryptocurrency was not purchased or mined. It was stolen—lifted from exchanges, DeFi bridges, and even individual users through years of intrusions, social engineering, and supply-chain compromises. Those stolen assets now function as a shadow national treasury that sanctions cannot touch and that helps bankroll nuclear weapons, missile development, and the loyalty networks that keep the Kim regime intact.
Recently, North Korea has been buying thousands of low-end computers, according to open-source reporting on Chinese hardware exports into the DPRK. While such purchases do not establish their specific end us, training developers does not require high-end systems. Taken together with the regime’s sustained emphasis on cyber and hacking activities, this could suggest that North Korea has begun quietly expanding its hacker-training pipeline.
North Korea’s focus may now be on scalability, and leveraging Western AI tools—unintentionally but undeniably—appears to have accelerated that shift. Instead of relying exclusively on elite units, Pyongyang may be expanding the human pipeline needed to run multiple campaigns at once.
Put bluntly: North Korea has become a superpower in cyberattacks and cryptocurrency theft, while US policy is still calibrated to an earlier era. If Washington continues to treat this as a peripheral issue—something for cyber staffers and compliance officers to manage on the margins—it will keep losing ground to a regime that treats digital theft as core statecraft.
I. Origins (2000–2013): The Early Experiments
North Korea’s earliest cyber campaigns were not elegant. They were noisy, disruptive, and technically unimpressive. But they taught Pyongyang something crucial: cyber operations could punch far above their weight, harassing adversaries, testing boundaries, and generating outsized political effect without triggering conventional retaliation. Within this phase, there were two major operations.
2009 & 2011 DDoS Waves
In 2009 and 2011, large-scale DDoS (distributed denial-of-service) attacks flooded South Korean and US government websites, major banks, and media portals with junk traffic. Investigations later tied those waves to botnets of compromised machines and, eventually, to North Korean–linked infrastructure, though attribution was initially contested.
The tools were basic, the infrastructure borrowed, but the effect was national headlines and days of disruption—the lesson for Pyongyang was powerful: even commodity malware and rented infrastructure could disrupt governments and financial systems in two advanced economies at once, at minimal cost.
2013 DarkSeoul
The 2013 DarkSeoul wiper attacks against South Korean broadcasters and banks escalated things dramatically. Tens of thousands of systems were rendered unusable; ATMs went offline, and newsrooms went dark. Security firms later identified the wiping malware (“DarkSeoul” / Jokra) and traced related activity to actors targeting Korean financial institutions.
This was no longer just “website defacement at scale.” It was a destructive attack against critical economic infrastructure, executed via code rather than artillery. These early episodes seeded the concepts and infrastructure later refined under labels like Lazarus Group, APT38, and Kimsuky.
II. 2014–2017: Strategy, Coercion, and Money
From 2014 onward, North Korea’s cyber behavior shifted from nuisance harassment to strategic coercion, espionage, and financial gain. There were at least three major milestone operations in this phase.
Sony Pictures Hack (2014)
The Sony Pictures hack was the first major demonstration that a state could use cyber tools to coerce behavior in the cultural space. The FBI publicly attributed the attack to North Korea, citing malware overlaps and infrastructure links. Terabytes of data were stolen, systems were wiped, and executives faced public humiliation, all to pressure a private company over a satirical film.
KHNP Breach (2014)
Later that year, hackers breached Korea Hydro & Nuclear Power (KHNP), Korea’s largest electric power company, leaking employee data and sensitive reactor-related documents. Even without conclusive attribution, the political intent was unmistakable: to intimidate South Korea by demonstrating access to nuclear-adjacent systems.
SWIFT Heists (2015–2017)
Perhaps most consequential was North Korea’s shift into high-stakes financial crime. Through manipulated SWIFT messages and months-long reconnaissance, operators attempted to steal close to $1 billion from international banks, succeeding in several high-value heists. These operations became a template for future campaigns combining patience, precision, and financial payoff.
By 2017, cyber-enabled theft was no longer opportunistic—it was central to North Korea’s foreign revenue generation.
III. 2017–2020: The Crypto Pivot
As global crypto markets exploded, North Korea noticed something many governments missed: this was a financial ecosystem born without gatekeepers. Crypto exchanges offered liquidity, anonymity, and uneven security standards—an irresistible combination for a sanctions-bound state. Three major operations characterized this phase as well.
Exchange Raids
Poorly secured and regulated Asian exchanges, often with weak internal controls, became prime targets. North Korean operators used spearphishing, compromised updates, and abused developer accounts to gain internal access before draining hot wallets. Public attributions by blockchain-analytics firms and law enforcement repeatedly pointed to Lazarus and related DPRK entities.
FASTCash (2018–2019)
The FASTCash campaign targeted global payment-switch servers, enabling fraudulent ATM withdrawals in dozens of countries. This operation showed deep understanding of financial protocols and the ability to manipulate infrastructure well beyond cryptocurrency.
AppleJeus
At the same time, North Korea began targeting individual crypto users via AppleJeus—trojanized cryptocurrency trading apps that mimicked legitimate platforms. A joint CISA-FBI-Treasury advisory documented how DPRK actors built fake trading companies and lured victims into installing malware that exfiltrated wallet keys and credentials.
By 2020, cryptocurrency theft had become central to Pyongyang’s survival strategy—a way to generate hard currency beyond the reach of conventional sanctions.
IV. 2020–2023: Industrial-Scale Crypto Theft
In the early 2020s, North Korea evolved into an industrial-scale cyber-looting enterprise. Instead of hitting just exchanges, it attacked entire blockchain ecosystems: cross-chain bridges, DeFi protocols, and core identity providers.
Major Heists (Ronin, KuCoin, Harmony)
In 2022, the FBI attributed the $620 million Ronin bridge hack to Lazarus and APT38, calling out North Korea’s role explicitly. Ronin was not an outlier; that same year, DPRK-linked actors were estimated to have stolen around $1.7 billion in crypto across multiple attacks. These were not smash-and-grab attacks; they required months of preparation and inside knowledge of blockchain mechanics. At least two known operations characterized this phase.
JumpCloud Supply-Chain Intrusion (2023)
In 2023, North Korea-backed hackers breached JumpCloud, a US identity and device-management platform, whose clients included several crypto-focused companies. By compromising a single SaaS platform, DPRK operators gained potential access to multiple downstream victims. This reflected a strategic understanding of modern software supply chains.
Laundering Networks
Moving that much stolen crypto requires infrastructure. Investigations have shown that Lazarus-associated wallets have sent funds into accounts used by Cambodian payments company Huione Pay, and US sanctions have increasingly targeted Chinese and Russian OTC brokers and shell companies that help launder DPRK proceeds.
By 2023, global estimates suggested that North Korea-linked actors had stolen several billion dollars in crypto cumulatively, making cryptocurrency hacking a sizable share of the regime’s external revenue.
V. 2024–2025: AI-Scaled Theft, Mobile Attacks, Training Expansion—and Upbit
Artificial intelligence, remote contracting platforms, and the globalization of software development gave North Korea new leverage. The regime began scaling its operations not just through better tools, but through a growing pool of IT workers abroad. This phase is characterized by three major trends and one milestone operation.
Mobile-Focused Theft
As crypto activity moved to mobile devices, DPRK campaigns increasingly targeted mobile wallets and DeFi users. Public advisories from US and allied authorities describe tailored social-engineering attacks against employees of crypto and DeFi firms, often delivered through fake job offers and well-crafted phishing that ultimately drop malware such as TraderTraitor and AppleJeus.
These operations abuse clipboard hijacking, QR-code tampering, sideloaded APKs, and MFA-token theft—quietly siphoning value from users at scale.
Modular Malware and Offensive Ecosystems
North Korean toolchains now resemble professional offensive frameworks: modular loaders, reconnaissance plugins, credential harvesters, and cloud-focused implants, many of which are re-used across campaigns. Public reporting on North Korean cyber operations repeatedly notes increasing sophistication and reuse of malware families over time.
Training Pipeline Expansion
On the hardware side, recent reporting that a Chinese trader sold over 2,000 PCs and graphics cards to North Korea is best read as a training signal, not a gaming build-out. These are not high-end AI clusters; they are classroom-scale machines perfect for teaching coding, intrusion basics, and crypto-related development. And with its training pipeline expanding, this digital kleptocracy isn’t a passing phase—it is a long-term model.
The 2025 Upbit Breach
In November 2025, South Korea’s largest exchange, Upbit, reported unauthorized withdrawals of roughly 44.5 billion won (about $30 million) in Solana-based assets and halted deposits and withdrawals. Within days, South Korean authorities were publicly suspecting the Lazarus Group, citing similarities to Upbit’s 2019 hack.
For Pyongyang, this is business as usual: another data point in a years-long trend of large-scale, repeatable theft against high-value crypto targets.
VI. A Digital Reserve Beyond Sanctions
When you aggregate these heists, what emerges is not a random crime spree but a shadow national treasury. Open-source estimates suggest DPRK cyber units stole around $1.7 billion in 2022, roughly $1 billion in 2023, and more than $1.3 billion in 2024, with 2024 alone accounting for a majority of global crypto-hack losses.
US and UN officials now openly state that crypto theft has become a key funding source for North Korea’s weapons of mass destruction programs.
That means the regime has, in effect, built a sovereign wealth fund of stolen digital assets—a war chest that sits outside the traditional dollar system, is difficult to freeze, and can be moved at the speed of electrons.
Some analysts go further, arguing that if you convert North Korea’s known crypto theft into notional holdings, Pyongyang could rank among the largest state-level holders of Bitcoin worldwide, behind only the United States and China. This is an inference, not a provable balance-sheet fact—but even a conservative reading suggests that North Korea now wields state-scale exposure to Bitcoin and other cryptocurrencies.
VII. Strategic Implications
Taken together, North Korea’s cyber and crypto activities represent a coherent strategy built on three pillars:
- Cyber power: destructive, persistent, and relatively cheap.
- Crypto-financial power: borderless and resistant to sanctions.
- Human power: an expanding, AI-enabled workforce of covert IT workers and hackers.
The United States has been slow to internalize this. Policy conversations still default to missiles, artillery, and nuclear tests. Yet much of Pyongyang’s practical leverage and day-to-day resilience now comes from its ability to steal, launder, and weaponize digital value at scale.
VIII. What Happens if Crypto Goes Mainstream?
There is an uncomfortable horizon scenario here. In US political debates, cryptocurrencies periodically appear as potential components of a future financial architecture or as assets that could compete with the dollar’s long-term dominance.
If Bitcoin or other major cryptocurrencies gain wider reserve-asset legitimacy, North Korea’s stolen holdings become more than criminal proceeds:
- They gain liquidity and legitimacy.
- They become harder to isolate without broader systemic moves.
- They give Pyongyang a buffer against sanctions pressure.
In that world, DPRK would not just be a crypto-enabled rogue state; it would be a rogue crypto-superpower, with the ability to tap large digital reserves in a more mainstream financial ecosystem.
This is still a scenario, not a prediction. But US planners should actively war-game a future in which adversary-held crypto reserves function like shadow central-bank assets rather than just illicit loot.
IX. Policy Recommendations
Addressing this threat requires a mix of financial pressure, supply-chain protections, developer-vetting, and cross-border intelligence work. Cyber and crypto policy can no longer be treated as peripheral to North Korea strategy; they are now central to it. The following recommendations outline where the US and its allies should begin.
- Treat DPRK Crypto Theft as WMD Financing: US and allied sanctions architecture should formally treat DPRK crypto-theft proceeds as weapons of mass destruction (WMD) financing. This reclassification would unlock stronger secondary sanctions, mandatory freezes for flagged wallets, and higher compliance expectations for exchanges, custodians, and banks.
- Build a Multinational “Crypto-PSI”: The Proliferation Security Initiative (PSI) showed how states can cooperate to interdict WMD shipments at sea. A Crypto-PSI would do something similar in the digital realm: a standing coalition to share wallet intelligence, coordinate freezes, and synchronize actions against mixers, OTC brokers, and payment companies laundering DPRK funds.
- Target Laundering Networks, Not Just North Korean Wallets: Sanctions should focus on the Chinese and Russian OTC brokers, shell firms, and payment processors that launder DPRK’s crypto, as recent US actions against Huione-linked networks and North Korean bankers have started to do. Disrupting these facilitators raises costs and forces Pyongyang to rebuild its financial plumbing.
- Expand US–ROK–Japan Hunt-Forward Operations: Joint hunt-forward teams—deployed into willing partners’ networks to look for DPRK intrusions in real time—should be expanded and explicitly focused on crypto and fintech infrastructure. This would leverage existing trilateral cyber cooperation and help smaller exchanges and wallets spot DPRK activity earlier.
- Treat All DPRK IT Workers as Hostile State Assets: There is no such thing as a “good” North Korean IT worker in this context. US Treasury, FBI, and DOJ have documented schemes in which DPRK nationals, using stolen or fabricated identities, infiltrate Western companies, including crypto firms and even defense-related entities. Every DPRK developer abroad ultimately remits income to the regime and poses code-supply-chain risks. Policy should reflect that reality.
- Impose Baseline Exchange-Security Standards: Major exchanges should be regulated more like financial market infrastructure than startups. At a minimum, that means strict hot-wallet limits, hardware security module (HSM) key storage, mandatory multi-sig, rigorous internal controls, and independent security audits. DPRK’s record shows that weak internal processes—not exotic zero-days—are the usual entry point.
- Harden the Mobile Crypto Ecosystem: Because so much crypto activity is now mobile, regulators and app stores should require strong code-signing, secure build pipelines, and tamper-resistant wallet binaries, combined with runtime protections against clipboard hijacking and QR-code manipulation.
- Track DPRK’s Hacker-Training Pipeline: Bulk imports of PCs and GPUs into North Korea are not normal commerce; they are potential indicators of future operator volume. The intelligence community and sanctions bodies should treat large-scale hardware shipments—like the recent sale of more than 2,000 computers and graphics cards to DPRK—as early-warning signals and sanctionable events when they violate UN resolutions.
- Require Continuous DPRK-IT-Worker Screening for Federal Contractors: Federal contractors and subcontractors touch sensitive codebases, cloud infrastructure, and controlled-unclassified information. DOJ and FBI have already exposed schemes where DPRK IT workers infiltrated US companies, including those with defense connections, using US facilitators and fake identities. Federal acquisition rules should require continuous workforce-identity and code-integrity screening to ensure North Korean developers aren’t quietly embedded in teams over time.
- Create a Federal Screening and Advisory Hub for US Firms: Most small and mid-sized firms have no practical way to detect DPRK developers masquerading as remote contractors. Washington should stand up a centralized hub that provides:identity-verification assistance, red-flag persona and résumé indicators, optional code-integrity scans for critical repositories, and clear reporting channels for suspected DPRK IT activity. Recent IC3 and Treasury advisories already outline red flags; the missing piece is an operational service that helps companies act on them.
- Tie CMMC/FedRAMP/NIST Compliance to DPRK Vetting: Existing frameworks like CMMC, FedRAMP, and NIST 800-series controls already impose extensive cyber requirements on contractors. They should be updated to explicitly require workforce-identity verification and developer-screening processes aimed at DPRK IT workers, closing a major gap between technical security and personnel security.
- Prepare for Sovereign-Level Crypto Adoption: Finally, US financial and national-security planners need to model a world where crypto becomes more fully integrated into global reserves and payment systems. If Bitcoin or similar assets gain reserve-asset status in major economies, North Korea’s stolen crypto becomes structurally harder to isolate and more valuable as a long-term strategic asset. Policy on digital asset regulation, sanctions, and central-bank digital currencies should explicitly consider this adversary-reserve scenario
Conclusion: The First Rogue Crypto-Superpower
North Korea has built something unprecedented in international politics: a state-run digital kleptocracy that functions as a de facto sovereign wealth fund, denominated entirely on stolen crypto and shielded from traditional sanctions.
It did this not through financial innovation, but through relentless, state-sponsored theft—scaled by AI, laundered through global networks, and staffed by covert IT workers embedded across the world.
If cryptocurrencies continue to mature and integrate into the global financial system, Pyongyang’s crypto reserves will gain even more strategic weight, giving the regime resilience it has never enjoyed before.
This is no longer a side story to missiles and summits. It is the backbone of North Korea’s 21st-century power.
And until US and allied policy is recalibrated around that reality, the world’s first rogue crypto-superpower will continue to grow stronger—one breached exchange, one compromised developer account, and one “freelance” DPRK IT worker at a time.