North Korea's Cyber Operations

Building a Cyber Army

North Korea's cyber capabilities are managed primarily by the Reconnaissance General Bureau (RGB), the country's main intelligence agency. Bureau 121, the RGB's cyber warfare unit, is estimated to employ over 6,000 hackers operating from North Korea, China, Russia, India, and Southeast Asia. These operatives are selected from elite universities as teenagers, undergo years of intensive training, and operate in cells stationed abroad where they have better internet access than is available inside North Korea.

The program's origins trace to the 1990s, when Kim Jong Il recognized that cyber capabilities offered an asymmetric advantage for a country that could never match the conventional military spending of the US or South Korea. Training centers like Mirim College (now Kim Il University of Military Technology) produce specialists in offensive hacking, social engineering, and cryptocurrency manipulation. North Korea spends a significant portion of its limited resources on this program because the return on investment is extraordinary — a successful bank heist can generate more foreign currency than a year of legitimate exports.

Major Operations

North Korean cyber units — particularly the group known as Lazarus Group — have conducted some of the most audacious cyber operations in history. In 2014, they attacked Sony Pictures Entertainment in retaliation for the film The Interview, which depicted the assassination of Kim Jong Un. The attack destroyed data, leaked confidential emails, and caused an estimated $35 million in damage.

In 2016, North Korean hackers attempted to steal $1 billion from the Bangladesh Central Bank through the SWIFT international banking system. A spelling error in one transfer request triggered a review that stopped most of the theft, but $81 million was successfully stolen — one of the largest bank heists in history. The WannaCry ransomware attack in 2017, attributed to North Korea by the US, UK, and other governments, infected over 200,000 computers in 150 countries and crippled Britain's National Health Service.

Since 2017, North Korea has pivoted heavily toward cryptocurrency theft. The Lazarus Group and related units have stolen an estimated $3 billion in cryptocurrency through exchange hacks, decentralized finance exploits, and social engineering campaigns targeting blockchain developers. The $620 million Ronin Network hack in 2022 was attributed to Lazarus Group. These funds are laundered through mixing services and converted to fund weapons programs — the UN Panel of Experts estimated that cyber theft finances a significant portion of North Korea's missile development.

Strategic Implications

North Korea's cyber program has fundamentally altered the economics of the country's confrontation with the international community. Traditional sanctions assumed that cutting off trade and financial access would starve the regime of resources. Cyber theft circumvents this logic entirely — North Korea can steal more money through a single successful hack than it earns from months of sanctions-busting coal exports.

The program also demonstrates how cyber capabilities can be a strategic equalizer. North Korea's GDP is roughly equivalent to a mid-sized American city, yet its cyber operations cause billions in damage to the world's largest economies. Attribution is difficult, retaliation is complicated by the risk of escalation, and the low cost of offensive cyber operations relative to their impact makes this a domain where the asymmetry favors a smaller, more reckless actor. For policymakers, North Korea's cyber program represents a challenge that sanctions alone cannot address.