Full Report
North Korean hackers have stolen more than $3 billion in the past three years, the U.S. Treasury Department announced on November 4. The department issued sanctions on two North Korean individuals based in their home country and six of their enabling partners based in China and Russia, along with two North Korean banks responsible for enabling some…
Analysis Summary
# Threat Actor: North Korean State-Sponsored Cyber Actors (DPRK)
## Attribution & Identity
* **Primary Attribution:** Democratic People’s Republic of Korea (DPRK) state-sponsored entities.
* **Enablers/Partners:** Two North Korean individuals sanctioned while based in North Korea; six enabling partners sanctioned in China and Russia; two North Korean banks.
* **Associated Oversight:** Activity is carried out under the supervision and direction of, and for the benefit of, entities banned by the UN for their involvement in the DPRK's unlawful Weapons of Mass Destruction (WMD) and ballistic missile programs.
## Activity Summary
* **Financial Theft:** Stole more than **$3 billion** in the past three years through cyber means.
* **Laundering:** Designated individuals were involved in processing the results of **crypto heists** and laundering millions of dollars derived from illicit activities.
* **Worker Exploitation:** Laundering derived from the **salaries of North Korean IT workers** employed remotely throughout the global economy.
* **Military Funding:** The proceeds from these cyber activities finance Pyongyang’s **military goals** (nuclear and ballistic missile programs).
* **Historical Context:** The regime historically relied on forced labor to generate funds; it now increasingly relies on its cyber capabilities.
## Tactics, Techniques & Procedures
* **Financial Crime (Primary):** Execution of **crypto heists**.
* **Financial Crime (Secondary):** **Laundering** of illicit proceeds via sanctioned financial institutions and facilitators.
* **Supply Chain/Employment Compromise:** North Korean IT workers secure **remote IT positions** at global tech companies (including Fortune 500 companies).
* **Camouflage/Identity Deception:** Workers use methods such as **AI deepfakes** to conceal their true identities and obscure their national origin.
* **Sabotage:** Workers are reported to sabotage their nominal employers.
## Targeting
* **Sectors:** Global tech companies (including Fortune 500 firms); more broadly, nearly every industry that hires remote talent is exposed to the IT worker scheme.
* **Geography:** Targets appear global, with facilitators/enablers identified in **China** and **Russia** helping to process illicit funds. The workers are placed in remote roles across various countries.
* **Victims:** Global tech companies are the primary victims of the IT worker scheme; financial services/exchanges are victims of crypto heists.
## Tools & Infrastructure
* **Financial Tools:** Exploitation of **cryptocurrency** ecosystems for theft and subsequent money laundering.
* **Identity Tools:** Utilization of **AI deepfakes** for operational security/concealment.
* **Infrastructure:** Facilitation provided by sanctioned **North Korean banks** and supporting services/partners in China and Russia.
## Implications
The growth in both the size and sophistication of DPRK cybercrime demonstrates a highly effective, state-directed strategy to generate hard currency necessary to fund prohibited WMD and missile development programs, circumventing international sanctions primarily through crypto theft and sophisticated labor export schemes.
## Mitigations
* **Due Diligence on Remote Workers:** Rigorous background checks and continuous monitoring for remote IT staff, employing advanced methods (beyond standard KYC/BKYC) to verify true identity, especially given the use of deepfakes.
* **Endpoint Security:** Implement strong endpoint controls and behavior monitoring to detect potential insider sabotage from compromised remote workers.
* **Cryptocurrency Tracing:** Enhance transaction monitoring to detect and trace funds derived from suspected North Korean crypto heists into affiliated exchange services or laundering pathways.
* **Sanctions Enforcement:** Monitor and target the networks of individuals, banks, and facilitators (especially those in China and Russia) identified as assisting in the laundering and operational support of DPRK cyber operations.