China is the world’s leading promoter of cybercrime, according to all reports. But there is a small Asian country that is steadily gaining importance in this industry: North Korea. The hermetic state, strangled by trade embargoes, has found its main source of foreign currency in online criminal activity. Analysts agree that the structure of the hacker groups allegedly funded by Pyongyang is growing in complexity: specialized groups are being created for different types of cyberattacks, coordinating with each other. They also emphasize that their techniques are becoming increasingly sophisticated. Incidents linked to North Korea increased by 130% in 2025 compared to the previous year, according to a recent CrowdStrike report. These included the theft of $1.46 billion worth of cryptocurrency from the Bybit platform, considered the largest cyber heist in history.
Countries such as China, Russia, Iran, Israel, and the U.S. unofficially sponsor teams of hackers to carry out sabotage or obtain valuable information. They are useful for conducting covert operations, as it is extremely difficult to attribute authorship of incidents in the cyber arena. Pyongyang’s case is different: it uses its group of computer experts, known by the codename Lazarus, not so much for intelligence gathering as for making money.
The Beloved and Respected Leader — one of the official ways of referring to Kim Jong-un — turned to cybercrime years ago as a source of income to help him survive the international sanctions imposed on his country. “Despite improved trade relations with Russia, the Democratic People’s Republic of Korea [North Korea’s official name] needs additional revenue to finance its ambitious military plans, which include building new destroyers, manufacturing nuclear-powered submarines, and launching new reconnaissance satellites,” states the CrowdStrike report.
The Lazarus Group is responsible for some of the largest cryptocurrency heists ever revealed: the second-largest heist in history, which netted $625 million in a single transaction, was their doing. They also specialize in infiltrating employees into strategic U.S. companies, both to make money and to steal trade secrets. Recently, they added a powerful tool to enhance the effectiveness of their attacks: generative AI.
Fabricating employees with deepfakes
There is evidence of the mass infiltration of North Korean remote workers into Western companies since at least 2019, when the pandemic triggered a surge in remote hiring. A recent report by Google Threat Intelligence, the cybersecurity division of the tech giant, identifies the intrusion of these agents as employees in arms and aerospace companies as one of the major threats facing the defense industry.
The new development is that they are exploiting generative AI to refine these infiltrations. “Agents use fake identities and AI-generated deepfakes to circumvent video interviews, ultimately funneling hundreds of millions of dollars in revenue to the regime,” says Cloudflare’s 2026 Global Threat Report.
Remote work is commonplace in many IT-related positions. North Koreans, who are prohibited from working in the U.S., have been posing as U.S. citizens for at least two years to obtain employment there, mostly in technology companies or banks. To do this, they use so-called laptop farms: groups of computers purchased in the U.S. and installed in homes or offices there, which are then operated remotely from abroad. Through this system, North Korean hackers connect from U.S. IP addresses (the network addresses that place a connection geographically), thus overcoming the location barrier.
Once the machine is obtained, the supposed employee must be fabricated. To enhance its legitimacy, “thousands of operators create digital personas with their respective LinkedIn or GitHub usernames, often renting the credentials of complicit U.S. citizens,” says the Cloudflare report. The latest addition to their arsenal of tools for deceiving target companies is “the use of deepfakes to pass job interviews.”
A CrowdStrike analysis concludes that generative AI allows North Korean hackers to industrialize what was once manual labor: it helps them create credible digital footprints and maintain consistent interactions over time. In addition to deepfakes in interviews, they create AI-powered resumes and construct fake identities. Cloudflare experts have also documented “the use of forged videos and audio to impersonate executives of the target company during Zoom calls aimed at employees” to get them “to download malicious payloads.”
A growing structure
CrowdStrike’s lab has detected two new groups operating under the Lazarus umbrella: Pressure Chollima and Golden Chollima. “These divisions focus on cryptocurrencies, while other existing groups, such as Labyrinth Chollima, continue to focus on gathering supporting intelligence. The shared infrastructure and tools actually suggest coordination rather than fragmentation,” explains Adam Meyers, head of cybercrime operations at CrowdStrike.
Meyers’ team identifies seven distinct factions within Lazarus, each with well-defined objectives and specializations, yet all of them sharing resources, down to a common code repository they use to prepare their attacks. “The activity of the North Korean-linked groups reflects an acceleration and refinement of their tactics, rather than a fundamental change in them. The use of AI is part of that evolution. It’s a force multiplier that increases scale, realism, and operational efficiency,” the expert adds.
“The North Korean regime actively trains elite hackers for Office 121 [an army unit of computer experts],” writes Australian author Anna Fifield in her book The Great Successor (Captain Swing, 2021), which delves into the little-known life of Kim Il-sung’s grandson. “Students who show potential in this area, some as young as 11, are sent to special schools and then to Pyongyang Automation University,” where “over five years they are taught to hack systems and create computer viruses.” The effort is paying off.
