How Hackers Are Turning Sanctions Into Billions – Sri Lanka Guardian


North Korea, long isolated by international sanctions, is quietly building a cyber empire that rivals the sophistication of state-backed operations worldwide. According to a recent report highlighted by El Pais, incidents linked to North Korean cybercriminals surged by 130 percent in 2025, signaling a dramatic escalation in both volume and complexity. While nations like China, Russia, Iran, Israel, and the United States unofficially sponsor hackers for espionage or sabotage, Pyongyang’s hackers, particularly the infamous Lazarus Group, are primarily focused on generating revenue to sustain the regime.

The scale of these operations is staggering. The Lazarus Group is credited with some of the largest cryptocurrency heists ever recorded, including the theft of $1.46 billion from the Bybit platform—the largest cyber heist in history—and a separate $625 million theft, the second-largest. Beyond financial theft, the group infiltrates U.S. companies to steal trade secrets, particularly in the technology and defense sectors. Analysts note that the sophistication of these attacks is growing, aided by generative artificial intelligence, which allows for unprecedented precision in impersonation and fraud.

Remote work, which surged during the COVID-19 pandemic, has become a prime avenue for infiltration. North Korean hackers have been masquerading as U.S. employees for years, gaining access to sensitive corporate networks. Using “laptop farms”—U.S.-based computers operated remotely from North Korea—they obtain legitimate IP addresses and create digital personas complete with LinkedIn and GitHub profiles. Recent developments include the use of AI-generated deepfakes to pass video interviews, AI-crafted resumes, and even forged videos and audio impersonating company executives during virtual meetings. According to Cloudflare’s 2026 Global Threat Report, these techniques funnel hundreds of millions of dollars to Pyongyang while evading conventional security checks.

CrowdStrike, a leading cybersecurity firm, underscores that North Korean cyber operations are now highly structured. Under the Lazarus umbrella, at least seven distinct groups operate, each with specialized objectives but sharing infrastructure and code repositories. Newly detected factions, such as Pressure Chollima and Golden Chollima, focus specifically on cryptocurrency theft, while others, including Labyrinth Chollima, gather supporting intelligence. Adam Meyers, CrowdStrike’s head of cybercrime operations, notes that “the use of AI is a force multiplier that increases scale, realism, and operational efficiency” for these operations.

The roots of this cyber expertise lie in North Korea’s systematic cultivation of talent. According to Australian journalist Anna Fifield in her book The Great Successor, students as young as 11 are identified for potential in hacking and computer science. They attend specialized institutions like Pyongyang Automation University, where over five years they learn to develop viruses, conduct cyberattacks, and master digital infiltration techniques. Meyers emphasizes that the regime’s investment in these elite hackers is deliberate, designed to generate revenue and support ambitious military programs, including the construction of destroyers, nuclear-powered submarines, and new reconnaissance satellites.

El Pais reports that North Korea’s approach differs from traditional state-sponsored hacking. Whereas other countries primarily exploit cyber operations for espionage, Pyongyang uses them as a critical economic lifeline. With international trade severely restricted, cybercrime has become a reliable source of foreign currency, sustaining not only military ambitions but also the survival of the regime itself. Analysts warn that as these operations become increasingly sophisticated, they pose a growing threat to global financial networks and critical industries.

Generative AI has amplified the efficiency of these operations. CrowdStrike observes that AI enables hackers to industrialize processes that were previously manual, maintaining credible online identities and continuous engagement with target organizations. The integration of deepfakes, automated social engineering, and AI-powered account creation represents a new frontier in cybercrime, blurring the lines between human and machine-driven deception. Cloudflare notes that the use of forged videos and audio in executive impersonation allows North Korean agents to manipulate employees into downloading malware, amplifying the potential damage.

The rise of Pyongyang’s cyber industry demonstrates a strategic adaptation to economic and political isolation. By blending traditional hacking with AI-driven deception, North Korea is not only bypassing sanctions but reshaping the global cyber landscape. As Adam Meyers of CrowdStrike points out, the Lazarus Group’s activities “reflect an acceleration and refinement of their tactics, rather than a fundamental change,” but their increasing sophistication is enough to make them a formidable player in international cybercrime.

While governments around the world struggle to keep pace with emerging threats, North Korea continues to invest in its next generation of elite hackers, turning classrooms into incubators for global-scale cyber operations. What began as a survival tactic under heavy sanctions has evolved into a multibillion-dollar enterprise, leveraging technology, AI, and human ingenuity to generate profits and undermine international security. The implications are clear: in the digital era, isolation and sanctions are no longer enough to contain a nation that has mastered the art of cybercrime.
