dprk-cyber-espionage


Use when the user asks about North Korean state-sponsored cyber operations or specific DPRK actors (Lazarus, APT38, BlueNoroff, Andariel, Kimsuky, etc.), revenue-generation campaigns, IT-worker schemes, or DPRK targeting of cryptocurrency / supply chain. Self-updating knowledge cell.

By Liberty91LTD. Updated 5/30/2026

---
name: dprk-cyber-espionage
description: Use when the user asks about North Korean state-sponsored cyber operations or specific DPRK actors (Lazarus, APT38, BlueNoroff, Andariel, Kimsuky, etc.), revenue-generation campaigns, IT-worker schemes, or DPRK targeting of cryptocurrency / supply chain. Self-updating knowledge cell.
user-invocable: true
metadata:
  category: knowledge-cell
  created: 2026-04-05
  last_updated: 2026-04-05
  update_count: 0
  confidence: moderate
---

DPRK Cyber Espionage Knowledge Cell

Executive Summary

North Korea operates a uniquely structured cyber program where revenue generation and intelligence collection are equally prioritized national objectives. Under the Reconnaissance General Bureau (RGB), DPRK cyber operators have stolen an estimated $3-6 billion in cryptocurrency and financial assets since 2017, making the cyber program one of the regime's primary sources of hard currency and a critical enabler of its nuclear and ballistic missile programs. This dual-purpose model distinguishes DPRK operations from all other nation-state cyber programs, where espionage is typically the primary objective and financial operations are secondary or opportunistic.

The DPRK cyber ecosystem is organized into several distinct clusters operating under the RGB umbrella. Lazarus Group (Diamond Sleet/HIDDEN COBRA) is the most broadly capable unit, conducting both espionage operations against defense and aerospace targets and major financial theft operations. APT38/BlueNoroff specializes in financial sector targeting, including SWIFT network attacks and cryptocurrency platform compromise. Kimsuky (Emerald Sleet) focuses on espionage targeting South Korean government, research institutions, think tanks, and North Korea policy experts. Andariel (Onyx Sleet) conducts espionage against defense and nuclear technology targets, with secondary ransomware operations. These groups share tooling, infrastructure, and techniques while maintaining distinct operational mandates.

The period from 2022-2025 has been defined by three major trends: an explosive escalation in cryptocurrency theft (including the $625 million Ronin Network hack and the $1.5 billion Bybit exchange compromise), the expansion of the IT worker fraudulent employment scheme generating an estimated $250-600 million annually, and increasingly sophisticated supply chain attacks exemplified by the 3CX compromise. DPRK operators have demonstrated remarkable adaptability, pivoting quickly to target emerging DeFi protocols, cryptocurrency bridges, and Web3 infrastructure while maintaining persistent espionage campaigns against defense industrial base and nuclear technology targets aligned with regime weapons program priorities.

Key Actors

| Threat Actor | Aliases | Attribution | Primary Targets | Status |
|---|---|---|---|---|
| Lazarus Group | Diamond Sleet, HIDDEN COBRA, Zinc, Labyrinth Chollima | RGB 3rd Bureau | Defense, aerospace, cryptocurrency, banks | Active |
| APT38/BlueNoroff | Sapphire Sleet, Stardust Chollima, Nickel Gladstone | RGB | SWIFT/banking, cryptocurrency exchanges, DeFi | Active |
| Kimsuky | Emerald Sleet, Velvet Chollima, Thallium, Black Banshee | RGB 5th Bureau | South Korean government, think tanks, academics, NK policy experts | Active |
| Andariel | Onyx Sleet, Silent Chollima, Plutonium, DarkSeoul | RGB 3rd Bureau | Defense, nuclear, aerospace, healthcare (ransomware) | Active |
| TraderTraitor | Jade Sleet, UNC4899 | RGB-linked | Cryptocurrency developers, blockchain companies | Active |
| Citrine Sleet | DEV-0139 | RGB-linked | Cryptocurrency traders, financial technology | Active |
| APT43 | Kimsuky sub-cluster, Springtail | RGB | Crypto, South Korean policy targets | Active |
| ScarCruft | Reaper, Ricochet Chollima, InkySquid, APT37 | MSS (State Security) | South Korean government, defectors, journalists, human rights | Active |

Active Campaigns

Cryptocurrency Exchange and DeFi Platform Theft (2023-Present)

DPRK-linked operators have dramatically escalated cryptocurrency theft, with estimated annual proceeds now exceeding $1.5 billion. The February 2025 Bybit exchange hack alone netted approximately $1.5 billion, the largest cryptocurrency theft on record; the FBI attributed it to the TraderTraitor cluster. Rather than breaking the cryptography, operators compromise the people and systems that hold or approve signing authority: developer and signer credentials obtained through social engineering, manipulated transaction-signing front ends, hot-wallet keys, and cross-chain bridge validators. TraderTraitor specifically targets blockchain developers with fake job offers that deliver trojanized Node.js projects and cryptocurrency trading applications. Stolen funds are laundered through chain-hopping, Tornado Cash and other mixers, peer-to-peer exchanges, and a network of complicit OTC brokers, primarily in China. The UN Panel of Experts has documented these proceeds funding DPRK weapons of mass destruction programs.

IT Worker Fraudulent Employment Scheme (2022-Present)

Thousands of DPRK IT workers operate under false identities to secure remote employment contracts at technology companies globally, primarily in the United States, Europe, and Japan. Workers use stolen or synthetic identities, U.S.-based laptop farms (run by facilitators who receive company-issued laptops on the remote workers' behalf and keep them online for operators abroad), and AI-assisted tools (including deepfake video and voice) to pass interviews and appear as legitimate contractors. These workers generate an estimated $250-600 million annually in salary revenue for the regime. Beyond revenue, the access provides intelligence collection opportunities and the potential for insider-enabled cyberattacks or extortion after termination. The DOJ has indicted multiple facilitators and the FBI has issued repeated advisories. Companies impacted include Fortune 500 firms and well-funded startups across the software development, cryptocurrency, and technology sectors.
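The indicators above (company laptops shipped to a facilitator's address, remote-control software on the device, identity and location mismatches) are all visible in an employer's own HR, endpoint-inventory and authentication data. The Python below is an added example, not part of the original cell, that joins constructed roster, endpoint and login records and scores each contractor on assumed indicators: a remote-control tool on the issued laptop, logins from a hosting/VPN range or from outside the claimed home state, and a shipping address or egress IP shared with another supposedly independent contractor. The sample data, the geolocation table and the tool list are constructed for illustration and are not from any advisory.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Remote-control products a laptop-farm operator would use to drive an issued
# laptop from abroad. The list is this example's assumption, not an official IOC set.
REMOTE_CONTROL = {"anydesk", "teamviewer", "rustdesk", "splashtop", "chrome remote desktop"}


@dataclass(frozen=True)
class Contractor:
    user: str
    claimed_state: str   # residence stated on onboarding paperwork
    ship_address: str    # where the company laptop was shipped


@dataclass(frozen=True)
class Endpoint:
    host: str
    user: str
    software: Tuple[str, ...]   # installed-software inventory from the EDR/MDM


@dataclass(frozen=True)
class Login:
    user: str
    src_ip: str


# Constructed stand-in for a geolocation/ASN lookup: ip -> (US state, is hosting or VPN range).
GEO: Dict[str, Tuple[str, bool]] = {
    "198.51.100.23": ("AZ", False),
    "203.0.113.77": ("CA", False),
    "192.0.2.9": ("", True),   # commercial VPN / hosting range, no residential state
}


def score_contractors(contractors, endpoints, logins, geo) -> Dict[str, List[str]]:
    """Return {user: [signal, ...]} for every contractor carrying at least one signal."""
    signals: Dict[str, set] = defaultdict(set)
    by_user = {c.user: c for c in contractors}

    # 1. Remote-control tooling on the company-issued device.
    for ep in endpoints:
        if ep.user in by_user:
            for sw in ep.software:
                if sw.lower() in REMOTE_CONTROL:
                    signals[ep.user].add(f"remote-control-tool:{sw}")

    # 2. Login origin versus the residence the worker claimed.
    for lg in logins:
        c = by_user.get(lg.user)
        if c is None:
            continue
        state, hosted = geo.get(lg.src_ip, ("", False))
        if hosted:
            signals[lg.user].add(f"login-from-vpn-or-hosting:{lg.src_ip}")
        elif state and state != c.claimed_state:
            signals[lg.user].add(f"login-outside-claimed-state:{lg.src_ip}({state})")

    # 3. Co-location: one shipping address or one egress IP serving several contractors.
    by_address: Dict[str, set] = defaultdict(set)
    for c in contractors:
        by_address[c.ship_address.lower()].add(c.user)
    by_ip: Dict[str, set] = defaultdict(set)
    for lg in logins:
        if lg.user in by_user:
            by_ip[lg.src_ip].add(lg.user)
    for groups, label in ((by_address, "shared-shipping-address-with"), (by_ip, "shared-egress-ip-with")):
        for users in groups.values():
            if len(users) > 1:
                for u in users:
                    signals[u].add(f"{label}:{','.join(sorted(users - {u}))}")

    return {u: sorted(s) for u, s in signals.items()}


# Constructed sample records (RFC 5737 documentation IPs, made-up addresses and users).
CONTRACTORS = [
    Contractor("jdoe", "TX", "1400 Maple Ct, Nashville TN"),
    Contractor("asmith", "CA", "1400 Maple Ct, Nashville TN"),
    Contractor("rlee", "AZ", "77 Cactus Rd, Tucson AZ"),
]
ENDPOINTS = [
    Endpoint("LT-0412", "jdoe", ("Slack", "AnyDesk", "VS Code")),
    Endpoint("LT-0418", "asmith", ("Slack", "VS Code")),
    Endpoint("LT-0420", "rlee", ("Slack", "VS Code")),
]
LOGINS = [
    Login("jdoe", "203.0.113.77"),
    Login("asmith", "203.0.113.77"),
    Login("asmith", "192.0.2.9"),
    Login("rlee", "198.51.100.23"),
]


def triage(threshold: int = 2) -> List[str]:
    """Users with at least `threshold` distinct signals, most signals first."""
    scored = score_contractors(CONTRACTORS, ENDPOINTS, LOGINS, GEO)
    ranked = sorted(scored.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [u for u, s in ranked if len(s) >= threshold]


if __name__ == "__main__":
    for user, sig in score_contractors(CONTRACTORS, ENDPOINTS, LOGINS, GEO).items():
        print(user, sig)
    print("review:", triage())
```

No single signal is conclusive (plenty of legitimate remote staff use a VPN), which is why the example ranks by the number of independent signals rather than alerting on any one; the shared-address and shared-IP checks are the ones a lone HR or IT dataset cannot produce on its own.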

Lazarus Defense and Nuclear Espionage (2023-Present)

Lazarus Group and Andariel continue persistent espionage campaigns against defense contractors, aerospace companies, and nuclear technology organizations in the U.S., South Korea, Japan, Europe, and India. Initial access is frequently achieved through fabricated recruiter personas on LinkedIn offering fake job opportunities at prestigious defense companies. Targets receive weaponized job descriptions or skills assessments containing custom backdoors. The group also exploits known vulnerabilities in enterprise software (Zoho ManageEngine, JetBrains TeamCity, Atlassian Confluence) for initial access. Collected intelligence directly supports DPRK ballistic missile, nuclear weapons, submarine, and drone development programs.

Historical Campaigns

3CX Supply Chain Attack (2023)

In March 2023, Lazarus Group compromised the software build pipeline of 3CX, a widely used enterprise VoIP/PBX provider with approximately 600,000 customer organizations and 12 million daily users. The attack was notable as a cascading supply chain compromise: Lazarus first compromised Trading Technologies, a financial trading software company, and a 3CX employee who installed a trojanized X_TRADER package from that vendor gave the operators their foothold in 3CX's environment. The signed, compromised 3CX desktop application then delivered the TAXHAUL loader on Windows and the SIMPLESEA backdoor on macOS to 3CX customers. This was the first publicly documented instance of one software supply chain compromise being used to seed another, demonstrating the increasing sophistication of DPRK software supply chain operations.

Bangladesh Bank SWIFT Heist (2016)

APT38 attempted to steal $951 million from the Bangladesh Bank's account at the Federal Reserve Bank of New York by injecting fraudulent SWIFT transfer messages. A spelling error in one transfer request ("fandation" instead of "foundation") triggered scrutiny that limited actual losses to $81 million, which was routed through Philippine casinos. The operation demonstrated DPRK's willingness and ability to target the global financial infrastructure. The attack involved months of reconnaissance, custom SWIFT manipulation malware (NESTEGG, DYEPACK), and knowledge of bank clearing processes. It spurred a global overhaul of SWIFT security controls.

Ronin Network/Axie Infinity Hack (2022)

In March 2022, Lazarus Group stole approximately $625 million in Ethereum and USDC from the Ronin Network, a blockchain bridge supporting the Axie Infinity game. The attack exploited compromised private keys of validator nodes, obtained through a social engineering campaign involving a fake job offer sent to a senior Sky Mavis engineer via LinkedIn. The operation demonstrated the convergence of social engineering sophistication with deep understanding of blockchain architecture and DeFi protocols. The FBI attributed the theft to Lazarus Group and Treasury's OFAC sanctioned the associated wallet addresses.

TTP Evolution

DPRK cyber operations have undergone significant evolution:

  • Cryptocurrency Specialization: From traditional banking (SWIFT) to comprehensive cryptocurrency targeting including exchanges, DeFi protocols, bridges, hot wallets, and individual high-value holders. Operators demonstrate deep understanding of blockchain technology and smart contract vulnerabilities.
  • Social Engineering via Professional Networks: LinkedIn-based fake recruiter campaigns have become the primary initial access vector for both espionage and financial operations. The fake job offer lure is remarkably effective and consistently refined.
  • Supply Chain Attacks: Progression from direct targeting to sophisticated supply chain compromises (3CX), including cascading supply chain attacks that chain multiple compromises.
  • macOS Targeting: Increasing development of macOS-specific malware and payloads, reflecting the prevalence of macOS in cryptocurrency developer and technology company environments.
  • AI-Assisted Operations: Use of AI tools for generating realistic personas, conducting video interviews (IT worker scheme), writing code, and potentially automating aspects of cryptocurrency laundering.
  • Insider Threat Model: The IT worker scheme represents a fundamentally different threat model -- obtaining legitimate authorized access rather than exploiting vulnerabilities.
  • Living-off-the-Land: Growing use of native operating system tools and legitimate software for post-exploitation, supplementing custom tooling.
  • Rapid Laundering: Development of increasingly sophisticated and rapid cryptocurrency laundering pipelines to convert stolen assets before they can be frozen.

Infrastructure Patterns

  • VPN services and commercial proxy networks for operator anonymity
  • Compromised web servers (particularly WordPress and small business websites) for C2 staging
  • GitHub, GitLab, and other code repositories for malware delivery via fake projects
  • NPM/PyPI package poisoning for supply chain delivery
  • Cloud hosting services (AWS, Azure, DigitalOcean) for infrastructure that blends with legitimate traffic
  • Domain registration patterns using cryptocurrency-themed or recruitment-themed domains
  • Use of legitimate communication platforms (Telegram, Slack, Discord) for C2
  • Extensive network of cryptocurrency wallets, mixers, and chain-hopping infrastructure for money laundering
  • U.S.-based laptop farms (residential addresses) for IT worker scheme
  • VoIP numbers and virtual phone services for synthetic identity support

Tooling

| Tool | Type | Associated Actors | Notes |
|---|---|---|---|
| AppleJeus | Cryptocurrency trojan | Lazarus, BlueNoroff | Trojanized crypto trading apps targeting macOS and Windows |
| HOPLIGHT | Backdoor | Lazarus | Trojan with built-in proxy capability for disguising C2 traffic |
| BLINDINGCAN/DTrack | RAT | Lazarus, Andariel | Full-featured RAT with keylogging, screen capture, file exfiltration |
| TAXHAUL/SIMPLESEA | Loader/backdoor | Lazarus | Deployed via the 3CX supply chain compromise (TAXHAUL on Windows, SIMPLESEA on macOS) |
| BeaverTail | Infostealer | TraderTraitor | JavaScript-based stealer targeting crypto wallets and browser credentials |
| InvisibleFerret | Backdoor | TraderTraitor | Python-based backdoor deployed alongside BeaverTail |
| FASTCash | ATM malware | APT38 | Intercepts ISO 8583 messages at the payment switch to approve fraudulent cash withdrawals |
| ELECTRICFISH | Tunneling | Lazarus | Custom tunneling/proxy tool for maintaining covert communications |
| KANDYKORN | macOS backdoor | BlueNoroff | Full-featured macOS RAT targeting crypto developers |
| RandomQuery/FlowerPower | Reconnaissance | Kimsuky | Information collection tools deployed via spear-phishing |

Intelligence Gaps

  • Full IT worker infiltration scope: The true number of DPRK IT workers employed at Western companies and the extent of their intelligence access is unknown. Detected cases are likely a fraction of the total.
  • Cryptocurrency laundering networks: The complete infrastructure of OTC brokers, facilitators, and conversion mechanisms used to launder billions in stolen cryptocurrency is only partially mapped.
  • Revenue allocation: How stolen funds flow from RGB cyber units to weapons programs, regime leadership, and operational reinvestment is poorly characterized.
  • Training pipeline: Where and how DPRK cyber operators are trained (domestically, in China, in Russia), the size of the workforce, and the specialization pipeline is opaque.
  • Chinese facilitation: The extent of Chinese individuals and entities facilitating DPRK cyber operations (infrastructure, laundering, identity documents) requires further investigation.
  • Zero-day capability: Whether DPRK groups develop zero-day exploits internally or acquire them from brokers or allied states is unclear. Their reliance on social engineering and N-day exploitation may mask developing capabilities.
  • AI tool adoption: The degree to which DPRK operators leverage LLMs and AI tools for code generation, social engineering content, and operational planning is emerging.

Live enrichment

When CrowdStrike Falcon Intelligence credentials are configured ($CROWDSTRIKE_CLIENT_ID), pull live vendor intelligence to keep this cell current and to answer specific actor questions:

  • Actor profile: /lookup-crowdstrike actor "Lazarus" or /lookup-crowdstrike actor "Labyrinth Chollima" (origins, target countries/industries, motivations, capability, aliases)
  • TTPs: /lookup-crowdstrike ttps "Lazarus" → ATT&CK technique IDs; resolve against /mitre-attack
  • Latest reporting: /lookup-crowdstrike reports --actor "Stardust Chollima" --latest
  • Actor population: /lookup-crowdstrike actors --origin north-korea to enumerate the DPRK-attributed adversaries CrowdStrike tracks (CrowdStrike uses the "Chollima" cryptonym for DPRK state-nexus actors)

Route through /threat-actor-profiling for a full structured profile. CrowdStrike report bodies are typically TLP:AMBER+ — cite report IDs internally, do not redistribute.

Sources & References

  1. FBI/CISA/Treasury Joint Advisory AA22-108A: "TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies" (April 2022)
  2. Mandiant: "APT43: North Korean Group Uses Cyber Crime to Fund Espionage Operations" (March 2023)
  3. CrowdStrike: "CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers" (LABYRINTH CHOLLIMA attribution, March 2023)
  4. Chainalysis: "2024 Crypto Crime Report: North Korea-Linked Cryptocurrency Theft" (2024)
  5. Microsoft Threat Intelligence: "Diamond Sleet supply chain compromise distributes a modified CyberLink installer" (November 2023)
  6. UN Panel of Experts Report S/2024/215: DPRK sanctions implementation findings on cyber-enabled theft (March 2024)
  7. FBI Public Service Announcement: "North Korean IT Workers Infiltrate U.S. Companies" (October 2023)
  8. Kaspersky Securelist: "A Cascade of Compromises: Unveiling Lazarus' New Campaign" (Lazarus supply chain campaign analysis, October 2023)

Change Log

| Date | Change | Source |
|---|---|---|
| 2026-04-05 | Initial cell creation; seeded with training knowledge through early 2025 | Training data |
Install via CLI: `npx skills add https://github.com/Liberty91LTD/cti-skills --skill dprk-cyber-espionage`