Skip to content
North Korea, cryptocurrency, cyber crime

How to Follow North Korean Hackers

There are several ways the US can counter North Korean cybercrime motivated by cryptocurrency.

Words: Jason Bartlett
Pictures: Andrea De Santis

While the open and public nature of blockchain technology allows for more visibility into online transactions compared to traditional financial institutions, like banks, cryptocurrency exchanges often lack rigorous know-your-customer (KYC) and anti-money laundering protocols that are crucial in curbing cyber-enabled financial crime. North Korean hackers are a prime example of how bad actors can exploit these vulnerabilities to finance illicit activity, such as nuclear weapons development.

As outlined in a new report released by the Center for a New American Security (CNAS), Pyongyang continues to enjoy high overall success in infiltrating cryptocurrency exchanges in order to steal, launder, and liquidate funds for its nuclear weapons programs. The report also provides a snapshot of key policy oversights within the regulatory environment in the crypto space of central stakeholders and countries, such as China, the US, and South Korea, as well as a prospective look into the future of North Korea-led crypto hacks. How can the US strengthen its cyber resilience against these efforts?


The main impetus for this report was linked to common misconceptions surrounding the cyber threat emanating from Pyongyang. North Korea’s lack of access to modern computer hardware within its borders is not related to its ability to successfully execute cyberattacks, intrusions, and other unwanted cyber activity, because these often rely on software, not hardware — a tool that North Korean hackers have become very skilled at developing, trading, and using. While Beijing and Moscow captivate the attention of most democratic governments concerned about pending cyber intrusions, Pyongyang continues to defy miscalculated expectations by successfully employing myriad sophisticated cyberattacks that target new and developing financial technology. As such, North Korea will likely continue to adapt its cybercrime tactics targeting cryptocurrency to circumvent obstacles presented by economic sanctions on more traditional forms of financial activity and commerce.

Sanctioning telecommunication companies that facilitate cybercrime can reduce Pyongyang’s hacking capabilities and discourage other telecommunications companies from engaging with North Korean cybercriminals.

The report analyzed three major North Korea-led hacks of cryptocurrency exchanges to gauge the evolution of the country’s hacking ability, as well as new targets for future cyber-enabled financial crime campaigns. These hacks revealed that Pyongyang invested most of its resources into executing the initial hack, as opposed to perfecting the laundering process of stolen cryptocurrency. Once successfully gaining access to the networks of targeted cryptocurrency exchanges, North Korean operatives worked quickly to steal as much crypto as possible. However, they refrained from allocating the same level of resources into long-term obfuscation techniques, signaling a low-level concern over eventual attribution and legal recourse from their actions. 

Typically, most cybercriminals try to remain hidden for as long as possible, but North Korean hackers prefer to use enough resources to conceal their activity just long enough to stay under the radar while laundering stolen funds. Due to years of heavy economic sanctions, virtually all of North Korea is cut off from the US financial system, including the US dollar, meaning that hackers rely on foreign nationals to help launder and liquidate stolen crypto into hard currency for them. For example, Pyongyang relied on two Chinese nationals to help launder over $100 million worth of cryptocurrency stolen during one of the hacks analyzed for this report. To date, there has only been one case of a North Korean national being extradited to the US on money laundering charges, an extraordinarily rare feat that spanned years of coordination between the US government and foreign authorities.

Another important takeaway from this report is that the rate by which cryptocurrency and blockchain technology evolves continues to far outpace the rate by which national governments and international institutions are able to regulate and understand it. This is a major vulnerability that North Korean hackers continue to exploit. Several UN Panel of Expert reports on North Korea have stated that the funds acquired from these hacks most likely contribute to its nuclear weapons development programs. This further elevates the conversation around how North Korea targeting financial institutions holds similar levels of danger as other state actors targeting government agencies. If we’ve learned anything from years of dealing with ransomware and the devastating Colonial Pipeline hack, it’s that economic security is national security.


There are several actions that the US government can take to strengthen its resilience against rising North Korean cybercrime and contribute to international norms surrounding cybersecurity. President Joe Biden recently signed a new executive order to address digital currencies; a major step for Washington, but there is still much left to be done. In terms of domestic policy, the executive branch should designate specific research on state-sponsored cybercrime groups, such as North Korea’s Lazarus Group, within the newly created National Cryptocurrency Enforcement Team. Additionally, Congress can adopt legislation that requires all cryptocurrency exchanges to report cyber incidents that could involve the financial and/or personal information of US citizens and/or entities to relevant US government agencies, such as the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). This can also help push cryptocurrency exchanges to adopt better KYC protocols, as they will need to have records identifying the nationality of crypto users.

For foreign policymakers, the US should include specific joint research and investigative initiatives on cryptocurrency-related illicit cyber activity within its proposed cyber-working group with South Korea. The proposed joint initiative is set to focus on countering the spread of ransomware and the online exploitation of women, but it failed to include any mention of cryptocurrency — a main financer for both forms of illicit cyberactivity. This subject loophole should be addressed to maximize joint efforts between Washington and Seoul to enhance cooperation on these issues. And lastly, the US Department of the Treasury should expand sanctions designations to any individual or entity supporting and/or facilitating North Korean cybercrime, including foreign over-the-counter (OTC) brokers and telecommunications companies that provide to North Korea technical services, know-how, and equipment that its hackers use to conduct malicious cyber operations.

Sanctioning telecommunication companies that facilitate cybercrime can reduce Pyongyang’s hacking capabilities and discourage other telecommunications companies from engaging with North Korean cybercriminals. North Korean hackers have likely used Chinese and Russian internet lines to conduct a wide range of cyber intrusions. In terms of potential humanitarian impacts, only certain North Korean government officials and members of the elite class are legally allowed to access the internet. Ordinary North Koreans can only access the country’s intranet, known as the Kwangmyong (광명망), meaning that the sanctioning of telecommunications companies that offer connections to the internet for hackers will not impact the daily lives of the average population. 

Pending a proper investigation, the Department of Treasury can issue these designations using several existing sanctions programs that include cyber-specific language related to protecting national security: DPRK3, CYBER2, and CAATSA. Created under Executive Order 13722 and 13757, respectively, DPRK3 and CYBER2 permit designations related to conducting and/or facilitating illicit cyber activity. The Treasury used both programs to target the two aforementioned Chinese nationals who offered OTC services to the Lazarus Group. CAATSA, or the Countering America’s Adversaries Through Sanctions Act, allows the Treasury to impose sanctions against any individual or entity that “directly or indirectly, engaged in, facilitated, or was responsible for the online commercial activities of the Government of North Korea.”

While Washington tasks its intelligence and defense agencies with a wide range of various security issues, Pyongyang has a much narrow focus: Support the Kim regime at all costs through information and economic espionage. Until Washington and its allies adopt stricter cybersecurity protocols to combat financial crime, Pyongyang will continue to pour more resources into stealing cryptocurrency to help finance other illicit activities linked to its nuclear weapons development programs.

Jason Bartlett is a Research Assistant for the Energy, Economics, and Security Program at the Center for a New American Security (CNAS) and leads research and writing for the program’s Sanctions by the Numbers series. His full report entitled “Following the Crypto: Using Blockchain Analysis to Assess the Strengths and Vulnerabilities of North Korean Hackers” can be found here.

Jason Bartlett

Hey there!

You made it to the bottom of the page! That means you must like what we do. In that case, can we ask for your help? Inkstick is changing the face of foreign policy, but we can’t do it without you. If our content is something that you’ve come to rely on, please make a tax-deductible donation today. Even $5 or $10 a month makes a huge difference. Together, we can tell the stories that need to be told.