Thursday, January 02, 2025

2024: A jackpot year for North Korea’s cyber criminals




With North Korean workers, particularly IT professionals, increasingly relocating to Russia, cyber operations are expected to escalate


By Abhishek Sharma
January 2, 2025
DAILY NK

The dawn of 2025 offers a crucial moment to reflect on how 2024 proved remarkably advantageous for North Korea. The ongoing Russia-Ukraine conflict has emerged as an unexpected economic lifeline for Pyongyang, while simultaneously drawing the regime out of its diplomatic isolation. North Korea’s cyber operations throughout 2024 have also yielded significant gains for the regime, which continues to view its cyber capabilities as a vital strategic asset.

The Chainalysis 2025 Crypto Crime Report reveals that 2024 marked an exceptional year for North Korean cyber heists. The regime’s hackers managed to steal $1.34 billion through 47 separate incidents – a staggering 103% increase from 2023’s $660.50 million across 20 incidents. This dramatic surge has raised serious concerns among the United States, South Korea, and Japan, particularly since an estimated 40% of these illicit funds directly support North Korea’s strategic military programs.

The findings are troubling for three key reasons. First, they demonstrate that the decline following 2022 was merely temporary, not a lasting trend. As shown in Figure 1, North Korean hackers have reached the billion-dollar threshold twice – in both 2022 and 2024. Second, this increased funding could fuel North Korea’s expanding military ambitions, including its submarine development, space program, and drone initiatives. Third, and perhaps most significantly, North Korea’s share of global cyber theft has reached an unprecedented 60% of total stolen funds.
(Figure 1) North Korean Cyber Theft: A Growing Trend
Data: https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/

Two significant trends have emerged in North Korea’s cyber operations beyond just the total amount stolen. First, the regime increasingly targets high-value exploits in the $50-100 million and $100+ million categories, demonstrating growing sophistication in its operations. This shift towards larger heists suggests that North Korean hackers are becoming more efficient and skilled – a development that has raised alarms among cybersecurity agencies.

Second, the integration of AI into hacking operations has added a new dimension of concern. These advanced cyber operations are closely tied to North Korea’s IT workforce, whose role has become increasingly central to the regime’s broader cyber strategy.

Digital soldiers: How N. Korea’s tech warriors operate globally

North Korea’s cyber operations rely heavily on its extensive network of IT workers, who serve as crucial links between the regime and the outside world. These operatives can reportedly earn up to $300,000 annually. While many operations are conducted from relative safe havens in China and Russia, which offer geographic proximity and lenient regulations, domestic North Korean organizations continue to play a significant role.

These IT professionals operate through domestic companies and entities that facilitate malicious cyber operations to generate revenue for the regime. One notable example is the Jinyong IT Operation Company, a regime-affiliated entity that helps channel funds back to North Korea.



Operating from overseas, these IT workers employ various fraudulent schemes targeting countries like the U.S. Their tactics include creating fake job applications and infiltrating companies as IT professionals to steal money or extract sensitive data. In some documented cases, DPRK operatives have collaborated with foreign nationals to establish “laptop farms” for conducting mass targeting operations against foreign citizens.

Countering the North’s increasing cyber threat

In late 2024, South Korea and its allies intensified their response to North Korea’s cyber threats through targeted sanctions and enhanced cyber deterrence measures. The United States imposed sanctions on nine individuals and seven entities in December 2024, including Ri Chang Ho, head of the Reconnaissance General Bureau (RGB), which orchestrates cyber heists. Shortly after, on Dec. 26, South Korea issued its own sanctions targeting 15 North Korean IT professionals and an entity involved in money laundering.

These actions built upon previous sanctions from both nations. In May 2023, the U.S. Treasury Department targeted key institutions including the Pyongyang University of Automation, Technical Reconnaissance Bureau, and 110th Research Centre – all crucial to North Korea’s IT operations. South Korea and the U.S., along with Japan, have also sanctioned prominent North Korean cyber groups like Lazarus and Kimsuky, demonstrating their growing trilateral coordination.

Beyond sanctions, the U.S. and South Korea have strengthened their bilateral cooperation, while also engaging Japan in trilateral efforts to counter North Korean sanctions evasion through IT workers. These partnerships focus on enhancing public-private collaboration, law enforcement coordination, and intelligence sharing. Following Russia’s veto of the DPRK Panel of Experts in March, this cooperation has intensified, leading to the creation of the Multilateral Sanction Monitoring Team – an eleven-nation initiative to track and report sanctions violations.

With North Korean workers, particularly IT professionals, increasingly relocating to Russia, cyber operations are expected to escalate, potentially generating more revenue for the regime. This trend, combined with the growing cyber activities of Russia, China, and Iran targeting the US and its allies, suggests possible future coordination among these nations in the cyber domain. This evolving landscape requires continued vigilance from South Korea and its partners to ensure the effectiveness of both existing and new sanctions monitoring mechanis




Abhishek Sharma is a PhD Scholar in Korean Studies at Delhi University where his doctoral thesis examines the Strategic Utility of North Korean cyber capabilities. He is also a Research Assistant at the Observer Research Foundation, based in Delhi, India. His research interests focus on the intersection of geopolitics and cyber capabilities, cybercrimes, and AI in the Indo-Pacific region. He can be reached at gr.abhi96(at)gmail.com.
