North Korea’s cyber campaigns are accelerating in scale, sophistication and ambition. With more than $6 billion in stolen cryptocurrency since 2017, including the record-breaking Bybit heist in February 2025, the trend line is clear: cybercrime has become the DPRK’s most reliable sanctions workaround.
Recent operations show a decisive shift from direct exchange breaches to supply chain compromises and developer environment targeting. The Bybit heist - executed through Safe{Wallet} infrastructure - demonstrates how attackers now penetrate the ecosystem itself, not just its endpoints.
What's in This Report
Securin’s analysts have identified 39 distinct, active North Korean threat groups, the majority of them focused on revenue generation. Between them, they have exploited 71 high-impact vulnerabilities, built multi-platform malware tailored for crypto developers, and refined social engineering and supply chain compromise into repeatable tactics.
Characteristic | Data | Strategic consequence
--- | --- | ---
Threat groups identified | 39 | Large, specialized ecosystem operating in parallel
Formal RGB attribution | ~10% | Centralized strategy, even when direct attribution is limited
Vulnerabilities exploited | 71 | Persistent focus on high-impact enterprise/browser/dev tools
Financial impact | $6B+ since 2017 | Sustainable revenue stream for state programs
Platforms targeted | Windows, macOS, Linux | Tailored tools for developer & crypto environments
The consequences go beyond individual exchanges or investors. By systematically targeting the foundations of digital finance, North Korea (DPRK) has introduced a new category of global risk: state-driven financial destabilization through cybercrime.
Bottom line: This is deliberate statecraft, not opportunism – and poses systemic risk to digital finance and global market confidence.
North Korea’s cyber apparatus has matured from a loose collection of covert teams into an industrialized revenue engine. What began as politically motivated disruption has been methodically retooled into a repeatable playbook in which scale and repeatability - not novelty for its own sake - are the hallmark strengths. The pattern is simple and strategic: identify high-value developer and financial targets, exploit a small set of high-impact vulnerabilities, weaponize long-form social engineering to crack open the door, and move funds through high-speed, automated laundering chains.
The backbone of this ecosystem is the Lazarus Group - not a single entity, but an umbrella housing multiple specialized sub-units. Some, like APT38/BlueNoroff, are optimized for high-value financial theft; others, like TraderTraitor, focus on infiltrating blockchain networks through human relationships. Kimsuky adapts classic espionage to new financial ends. Together, they form the operational spine of North Korea’s cyber strategy, blending theft, intelligence and laundering into a coordinated system.
Inside the World’s Most Profitable State-Sponsored Cybercrime Operation
The record-breaking Bybit heist - executed through Safe{Wallet} infrastructure - marked a turning point: North Korean operators now penetrate the ecosystem itself, not just individual exchanges and endpoints. The FBI’s attribution of the Bybit attack to TraderTraitor confirmed both the group’s technical reach and its systematic reliance on supply chain compromise over direct penetration.
TraderTraitor is the sharp edge of this strategy. By weaponizing long-term social engineering and professional networks, it has repeatedly infiltrated blockchain companies. Operators create fake firms, build professional networks over months, then launch precision supply chain attacks. Its success rate underscores a growing truth: human trust is now as exploitable as unpatched code.
Kimsuky, traditionally an espionage arm, is now fully embedded in the revenue machine. Its adoption of AI-driven phishing and vulnerability research - along with its $147.5 million laundering operation through Tornado Cash in March 2024 - shows how intelligence units have been repurposed to generate funds. This crossover reflects a deeper structural shift: traditional espionage and financial crime are no longer separate missions.
APT38/BlueNoroff units have scaled state-level financial theft into an industrial process, executing high-value heists and pioneering techniques for large transfers and cash-out mechanisms that later units built on.
The technical trajectory across these campaigns is unmistakable:
• Zero-day exploitation paired with rapid laundering.
• Multi-platform malware built for developer environments.
• Systematic supply chain attacks undermining the trust layer of digital finance.
Bottom line: This convergence signals not just opportunistic theft but a sustained state-level strategy to destabilize financial systems for regime survival.
Threat Actor Distribution and Capabilities
As we’ve seen, North Korea’s threat ecosystem is defined by financial crime at scale. While most state-sponsored cyber efforts prioritize espionage, 65% of DPRK-linked groups are revenue-focused, with cryptocurrency theft as their primary vector.
As the chart above shows, three features stand out:
Financial-first posture: With more than two-thirds of operations dedicated to generating illicit funds, DPRK has effectively industrialized sanctions evasion.
Espionage as a secondary mission: Roughly a quarter of groups continue to pursue traditional intelligence, but increasingly as a complement to, not a driver of, activity.
Hybridization and adaptability: The 10% operating in both domains highlight the strategic blending of state objectives with criminal methods.
Category | Count | Percentage | Strategic Significance
--- | --- | --- | ---
Financial Crime Focus | 25 | 65% | Revenue generation and sanctions evasion
Espionage Operations | 10 | 25% | Traditional intelligence collection
Hybrid Operations | 4 | 10% | Dual-mission state and criminal activities
Cryptocurrency Targeting | 30+ | 75%+ | Primary revenue generation vector
Multi-Platform Capabilities | 35+ | 90%+ | Windows, macOS, and Linux operations
Why the macOS fixation?
Over 90% of groups run multi-platform toolchains, including bespoke malware for macOS - an unusual investment that reflects a strategic recognition that many blockchain developers and cryptocurrency professionals use Apple systems.
While most state-aligned actors prioritize Windows tooling, DPRK is unusual in consistently building advanced macOS malware for a target ‘market’ that skews heavily Apple. We see this in both InvisibleFerret and KandyKorn - both macOS-targeting malware families.
Engineered for Revenue: Tactics that Scale
North Korea’s campaigns are engineered to maximize return-on-effort: pick high-impact CVEs, compromise developer/trust layers, exploit human vectors, and launder quickly.
Rather than spray for zero-days, DPRK selects CVEs offering maximum privilege or persistence for minimum complexity.
Top Vulnerabilities Exploited (by Risk Index Score)
CVE ID | Risk Score | CVSS v3 | Product/Vendor | CISA KEV | Exploitation Impact
--- | --- | --- | --- | --- | ---
CVE-2018-4878 | 10.0 | 9.8 | Adobe Flash Player | ✓ | Remote Code Execution
CVE-2023-4966 | 9.85 | 7.5 | Citrix NetScaler | ✓ | Information Disclosure
CVE-2024-1709 | 9.67 | 10.0 | ConnectWise ScreenConnect | ✓ | Authentication Bypass
CVE-2023-42793 | 9.64 | 9.8 | JetBrains TeamCity | ✓ | Authentication Bypass
CVE-2024-4947 | 9.61 | 8.8 | Google Chrome | ✓ | Use After Free
CVE-2017-0144 | 9.59 | 8.8 | Microsoft Windows SMB | ✓ | Remote Code Execution
CVE-2023-46604 | 9.58 | 9.8 | Apache ActiveMQ | ✓ | Remote Code Execution
CVE-2023-22518 | 9.58 | 9.8 | Atlassian Confluence | ✓ | Improper Authorization
CVE-2022-41128 | 9.52 | 8.8 | Windows Scripting | ✓ | Remote Code Execution
CVE-2024-7971 | 9.5 | 8.8 | Google Chrome | ✓ | Type Confusion
Tactical Reading: The emphasis on browser vulnerabilities (Chrome) and enterprise collaboration tools (Confluence, TeamCity) indicates targeting of developer and financial-sector workstations, providing direct access to liquidity and developer infrastructure. Prioritize browser and developer-tool patching: these are proven pivot points into crypto infrastructure.
Industry Targeting Distribution
Here, the financial-first strategy is visible, with the heaviest pressure falling on information technology and financial services sectors. Government, defense, and manufacturing's lower weight reflects intelligence collection and technology transfer objectives.
Industry Sector | Groups Targeting | Strategic Rationale
--- | --- | ---
Information Technology | 21 | Cryptocurrency and blockchain company targeting
Financial Services | 17 | Direct revenue generation and traditional banking
Government Facilities & Public Sector | 10 | Strategic intelligence and diplomatic intelligence
Defense | 9 | Military technology and weapons program intelligence
Manufacturing | 9 | Industrial espionage and technology transfer
Healthcare & Public Health | 8 | Biological and pharmaceutical intelligence
Communications | 7 | Infrastructure reconnaissance and intelligence
Energy | 7 | Critical infrastructure targeting
Education | 6 | Academic research and intellectual property
Transportation & Logistics | 5 | Infrastructure intelligence and disruption
Top Attack Techniques (MITRE ATT&CK)
North Korea’s playbook blends classic social engineering with supply-chain precision. The data shows that phishing and valid account abuse dominate initial access, reflecting how TraderTraitor-style long-cons and help-desk impersonations have become hallmarks of DPRK operations.
Once inside, groups pivot to exploiting public-facing apps (T1190) and supply chain compromise (T1195.002, T1195.001) - a calculated move up the trust chain. This is less about opportunistic smash and grab, and more about embedding inside the ecosystem itself. The techniques map reveals a strategy of flexibility over novelty:
• If defenses are weak, exploit an app.
• If defenses are hardened, exploit the people.
• If the surface is locked, compromise the supplier.
The result is a modular, repeatable chain: human compromise + technical foothold + ecosystem pivot. This modularity explains why DPRK has been able to execute operations ranging from single-exchange thefts to the billion-dollar Bybit attack.
Technique ID | Technique Name | Groups Using | Operational Purpose
--- | --- | --- | ---
T1566.002 | Phishing: Spearphishing Link | 15 | Social engineering and credential theft
T1078 | Valid Accounts | 15 | Persistent access maintenance
T1566.001 | Phishing: Spearphishing Attachment | 12 | Malware delivery and initial access
T1190 | Exploit Public-Facing Application | 8 | Cryptocurrency exchange compromise
T1195.002 | Supply Chain: Software Supply Chain | 7 | Trusted software compromise
T1195.001 | Supply Chain: Development Tools | 5 | Developer environment targeting
T1189 | Drive-by Compromise | 5 | Watering hole and legitimate site compromise
T1033 | System Owner/User Discovery | 4 | Cryptocurrency wallet identification
T1203 | Exploitation for Client Execution | 4 | Browser and application exploitation
T1561.002 | Disk Structure Wipe | 4 | Destructive attacks and evidence removal
Top Tools and Payloads
North Korea’s malware arsenal is built for target fidelity rather than shock value. Instead of headline-grabbing zero-days, the groups invest in custom, platform-specific tools tuned to where their victims actually live.
As mentioned earlier, the standout trend is the focus on macOS: malware families like InvisibleFerret, KandyKorn and RustBucket are tailored to the environments where crypto engineers do their daily work. This is unusual in the state-actor landscape and highlights DPRK’s willingness to build tools for niche-but-lucrative ecosystems.
Tool/Malware | Groups Using | Primary Function | Sophistication Level
--- | --- | --- | ---
InvisibleFerret | 7 | macOS Backdoor, Cryptocurrency Targeting | Advanced
BeaverTail | 7 | Downloader, Multi-stage Infection | Advanced
KandyKorn | 6 | macOS RAT, Cryptocurrency Focus | Advanced
RustBucket | 6 | macOS Malware, Developer Targeting | Advanced
DTrack | 5 | Banking Trojan, ATM Targeting | Advanced
NukeBot | 5 | Banking Trojan, Financial Institution Targeting | Advanced
Mimikatz | 5 | Credential Harvesting | Advanced
GoldBackdoor | 4 | Remote Access Trojan | Advanced
Jokra | 4 | Remote Access Trojan | Intermediate
Black RAT | 4 | Remote Access Trojan | Intermediate
Windows is far from neglected; DTrack and NukeBot continue to target banks and ATMs, while staples like Mimikatz enable credential harvesting and lateral movement. But the strategic signal is clear: tooling evolves with the industry North Korea exploits most.
This approach results in a mixed toolkit:
• Custom RATs and backdoors for persistence in developer environments.
• Banking trojans for direct financial theft.
• Credential harvesters for identity subversion.
Bottom line: The toolchain mirrors the operational doctrine: adapt to the victim, prioritize the financial yield, and keep the footprint lean enough to repeat.
Top Vendors Targeted
North Korea’s vendor targeting shows a deliberate path into the cryptocurrency supply chain. Developer platforms like JetBrains and Atlassian sit alongside creative tools like Adobe, mapping directly onto the workflows of blockchain engineers and crypto firms.
By focusing on the software their targets rely on daily - from CI/CD pipelines to document handling - DPRK ensures that compromise of a single vendor can cascade into multiple organizations.
Top Weaknesses Targeted (CWEs)
North Korea’s exploitation strategy is dominated by memory corruption and authentication flaws - weaknesses that provide immediate execution or privilege escalation.
There’s a clear pattern: DPRK actors don’t chase breadth, they chase leverage. They prioritize weaknesses that turn access into control, converting single footholds into operational dominance:
• Memory corruption (CWE-119, CWE-787, CWE-843, CWE-416) remains the backbone, enabling code execution and bypassing defenses through type confusion and use-after-free vulnerabilities.
• Authentication weaknesses (CWE-287, CWE-592, CWE-306) enable persistence and privilege escalation, giving attackers the keys to stay inside compromised systems.
• Input validation flaws (CWE-20, CWE-22, CWE-77, CWE-502) expand their reach from arbitrary command execution to path traversal and deserialization.
CWE ID | Weakness Name | Vulnerability Count | Exploitation Impact
--- | --- | --- | ---
CWE-119 | Memory Buffer Boundary | 44 | Memory corruption, arbitrary code execution
CWE-20 | Improper Input Validation | 27 | Input manipulation, injection attacks
CWE-843 | Type Confusion | 23 | Memory corruption, privilege escalation
CWE-416 | Use After Free | 22 | Memory corruption, code execution
CWE-787 | Out-of-bounds Write | 17 | Buffer overflow, system compromise
CWE-22 | Path Traversal | 8 | Unauthorized file access
CWE-77 | Command Injection | 4 | Arbitrary command execution
CWE-592 | Authentication Bypass | 4 | Authentication circumvention
CWE-502 | Deserialization | 4 | Remote code execution
CWE-306 | Missing Authentication | 3 | Access control bypass
Bottom line: Sophisticated exploitation of trust models - memory safety and authentication - is how North Korea turns vulnerabilities into repeatable revenue streams. The focus on type confusion and use-after-free vulnerabilities indicates advanced exploit development capabilities aimed at modern memory protection mechanisms.
Detection is Good, but the Gap is Lethal: Scanner Coverage Analysis
Scanner coverage for North Korean-exploited vulnerabilities shows strong baseline coverage, with over 80% of CVEs covered by the major commercial scanners. As long as teams act, most routine disclosures can be caught and remediated.
The real trouble is the gap: 8-15% of exploited vectors remain outside reliable scanner coverage, and DPRK explicitly focuses on that residual surface. These are the recently disclosed or zero-day-class vulnerabilities that deliver the shortest path from initial access to high-value compromise.
Scanner Provider | Coverage Distribution | Effectiveness Rating
--- | --- | ---
Nessus | 92%+ coverage | Excellent detection capability
Qualys | 90%+ coverage | Excellent detection capability
Nexpose | 85%+ coverage | Good detection capability
OpenVAS | 82%+ coverage | Good detection capability
Nuclei | 70%+ coverage | Moderate detection capability
This is not so much a tool problem as an operational assumptions issue. Scanners tell you what you already know to look for; DPRK weaponizes what you haven't yet learned to prioritize.
Bottom line: Detection gaps are attack surfaces, not residual risk. If you treat scanner coverage as a comfort metric, you could end up in trouble. Stop treating 8-15% gaps as acceptable; treat them as the adversary’s preferred vector and close them with intelligence-led remediation and layered detection.
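One way to operationalize that advice, as an added example that is not part of the Securin report: the script below takes the report's top-10 exploited CVEs as a watchlist, compares them with a constructed (hypothetical) set of scanner plugin coverage, and produces a remediation queue that puts the uncovered entries first, since routine scan reports will never surface them. The SCANNER_PLUGINS set is illustrative only and does not describe any real product.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExploitedCve:
    cve_id: str
    risk_score: float  # Securin Risk Index Score from the report's table
    cvss_v3: float
    product: str
    in_kev: bool       # listed in CISA Known Exploited Vulnerabilities

# Rows reproduced from the report's "Top Vulnerabilities Exploited" table.
WATCHLIST = [
    ExploitedCve("CVE-2018-4878", 10.0, 9.8, "Adobe Flash Player", True),
    ExploitedCve("CVE-2023-4966", 9.85, 7.5, "Citrix NetScaler", True),
    ExploitedCve("CVE-2024-1709", 9.67, 10.0, "ConnectWise ScreenConnect", True),
    ExploitedCve("CVE-2023-42793", 9.64, 9.8, "JetBrains TeamCity", True),
    ExploitedCve("CVE-2024-4947", 9.61, 8.8, "Google Chrome", True),
    ExploitedCve("CVE-2017-0144", 9.59, 8.8, "Microsoft Windows SMB", True),
    ExploitedCve("CVE-2023-46604", 9.58, 9.8, "Apache ActiveMQ", True),
    ExploitedCve("CVE-2023-22518", 9.58, 9.8, "Atlassian Confluence", True),
    ExploitedCve("CVE-2022-41128", 9.52, 8.8, "Windows Scripting", True),
    ExploitedCve("CVE-2024-7971", 9.5, 8.8, "Google Chrome", True),
]

# CONSTRUCTED sample: CVE IDs a hypothetical scanner ships detection plugins for.
# Real coverage must come from your scanner's plugin feed; this set is illustrative.
SCANNER_PLUGINS = {
    "CVE-2018-4878", "CVE-2023-4966", "CVE-2024-1709", "CVE-2023-42793",
    "CVE-2017-0144", "CVE-2023-46604", "CVE-2023-22518", "CVE-2022-41128",
}

def coverage_gap(watchlist, covered):
    """Return (coverage_pct, uncovered), uncovered ordered by risk score, highest first."""
    uncovered = sorted((c for c in watchlist if c.cve_id not in covered),
                       key=lambda c: c.risk_score, reverse=True)
    pct = round(100.0 * (len(watchlist) - len(uncovered)) / len(watchlist), 1)
    return pct, uncovered

def remediation_queue(watchlist, covered):
    """Intelligence-led order: CVEs the scanner cannot see go first (they will never
    appear in a routine scan report), then covered ones; KEV and risk score break ties."""
    return sorted(watchlist,
                  key=lambda c: (c.cve_id in covered, not c.in_kev, -c.risk_score))

def manual_check_targets(uncovered):
    """Group uncovered CVEs by product so asset inventory can be queried by hand."""
    by_product = {}
    for c in uncovered:
        by_product.setdefault(c.product, []).append(c.cve_id)
    return by_product

if __name__ == "__main__":
    pct, gap = coverage_gap(WATCHLIST, SCANNER_PLUGINS)
    print(f"scanner coverage of DPRK watchlist: {pct}%")
    for c in remediation_queue(WATCHLIST, SCANNER_PLUGINS):
        state = "covered  " if c.cve_id in SCANNER_PLUGINS else "UNCOVERED"
        print(f"{state} {c.cve_id:<15} risk={c.risk_score:<5} {c.product}")
    print("manual inventory checks:", manual_check_targets(gap))
```

In practice the watchlist would be fed from a threat-intelligence feed and the coverage set from the scanner's plugin export, so the queue is regenerated whenever either changes.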
Risk Mitigation Recommendations
Immediate Actions:
• Prioritize patching of browser vulnerabilities frequently exploited by North Korean actors, particularly Chrome and Safari vulnerabilities used in cryptocurrency targeting
• Implement enhanced social engineering awareness training specifically focused on cryptocurrency and blockchain industry targeting tactics
• Deploy behavioral analytics specifically tuned for cryptocurrency theft indicators and abnormal financial transaction patterns
• Establish strict network segmentation between development environments and financial/cryptocurrency systems
Strategic Recommendations:
• Implement comprehensive supply chain security programs with specific focus on cryptocurrency and financial technology vendors
• Enhance threat intelligence sharing frameworks specifically focused on North Korean financial cybercrime and cryptocurrency theft indicators
• Develop incident response capabilities specifically designed for cryptocurrency theft scenarios and rapid asset recovery procedures
Future Threat Projections
North Korean cyber capabilities are projected to continue expanding in scale and sophistication, with particular focus on:
• Financial Cybercrime: Expect an intensification of financially motivated cyber operations, specifically targeting cryptocurrency exchanges, DeFi platforms, and blockchain companies. This will involve the continued exploitation of high-impact vulnerabilities and sophisticated social engineering tactics.
• Supply Chain Attacks: North Korean actors will likely continue to leverage complex supply chain compromises to gain access to sensitive networks and systems, particularly within the cryptocurrency and financial technology sectors.
• Advanced Malware Development: The development of sophisticated, multi-platform malware (including for macOS and Linux) will continue, demonstrating advanced exploit development capabilities and a deep understanding of target environments.
• AI/ML Integration: North Korean groups, like Kimsuky, are expected to further integrate artificial intelligence and machine learning into their operations, enhancing the effectiveness of social engineering, vulnerability research, and automated exploitation.
• Money Laundering Sophistication: Continued evolution of cryptocurrency laundering techniques and infrastructure will challenge traditional anti-money laundering efforts, with an emphasis on rapid conversion and mixing of stolen assets.
Long-term strategic objectives appear focused on continued revenue generation for state activities and weapons programs through cybercrime, combined with intelligence collection for geopolitical objectives. This sustained hybrid state-criminal operational model will provide North Korea with continued operational flexibility, attribution challenges, and financial sustainability, while expanding overall operational capacity beyond traditional state resources.
Threat Actors Intelligence Report: North Korea | Securin