North Korea’s cyber program is unlike any other nation-state operation in the CRS record. Where China steals intellectual property to fuel industrial development and Russia uses cyberspace for political warfare, Pyongyang uses its hacking apparatus as a revenue-generation mechanism for a sanctions-constrained state. The Reconnaissance General Bureau’s APT-38 is the primary attributed unit, and its mandate is to fund the regime — through bank fraud, cryptocurrency theft, ransomware proceeds, and employment fraud — rather than to collect intelligence in the traditional sense.
APT-38: Financial Warfare
The DOJ indictment of three North Korean military hackers in February 2021 covers the broadest documented span of APT-38 activity: from 2014 through 2020, the unit destroyed computers at Sony Pictures Entertainment over the release of The Interview, compromised the SWIFT interbank network to steal money from banks globally, created and deployed the WannaCry 2.0 ransomware (which caused billions in global damage), developed malicious cryptocurrency wallets, stole cryptocurrencies from exchanges, and ran spear-phishing campaigns against U.S. defense contractors, energy companies, aerospace firms, technology companies, the State Department, and the Department of Defense. The breadth of that single indictment illustrates the operational tempo that a focused, well-resourced cyber unit can sustain.
A later campaign, documented by CISA in April 2022 under the TraderTraitor designation, focused specifically on blockchain companies. RGB-linked actors targeted cryptocurrency exchanges, DeFi protocols, and NFT platforms from 2020 through 2023, stealing assets that were then laundered to fund state programs. The United Nations has estimated that North Korean hackers stole hundreds of millions of dollars in cryptocurrency annually during this period.
Healthcare Ransomware
A separate DPRK unit, not publicly identified in the advisory, ran ransomware attacks against healthcare organizations from 2022 through 2023, documented in a CISA advisory issued in February 2023. The advisory explicitly noted that ransomware proceeds from healthcare sector victims fund DPRK’s malicious cyber activities more broadly — a closed loop in which criminal operations against American hospitals finance the intelligence and weapons programs that generate further threats. North Korean actors also deployed Maui ransomware against healthcare and public health companies from 2021 through 2022, with a separate CISA advisory in July 2022 providing technical indicators.
IT Worker Fraud
Perhaps the most operationally creative campaign in the record is the IT worker scheme, active from 2021 through 2023. North Korean operatives deceived technology companies into hiring DPRK workers for remote positions under false identities. The workers earned legitimate salaries from Western employers, and that income was remitted to the state. DOJ disrupted the operation in October 2023, but the technique — using legitimate employment as a covert revenue channel — represents a category of threat that technical security controls alone cannot address, because the activity that matters is hiring and identity verification rather than intrusion. A separate Treasury action in November 2023 sanctioned DPRK intelligence agents and an intrusion group used in spear-phishing collection operations running from 2021 through 2023.
North Korea’s cyber program is best understood as an economic instrument with intelligence and destructive capabilities as secondary functions. Sanctions have not constrained it; they are the reason it exists in its current form. Any organization in the financial services, cryptocurrency, or healthcare sectors should treat DPRK as an active threat regardless of whether they have any visible geopolitical exposure to the Korean Peninsula.