top of page


Emma Palmberg and Sara Kulic; Illicit Finance and Economic Threats Team

Week of November 15, 2021

North Korea engages in illicit financial activity to gain funds[1]

The use of cyber technology for illicit financial activity is a growing global trend, and actors associated with the Democratic People’s Republic of Korea, commonly referred to as North Korea, are involved in stealing and laundering cryptocurrency.[2] The increasing use of cryptocurrencies on a global level and the lack of crypto regulation likely facilitate illicit cyber activities. North Korea’s cyber operations are global, spanning a variety of banking and other financial institutions, including in the US, Africa, and Southeast Asia.[3] These operations appear to not only help cover up the country’s illicit activity but are likely meant to gain funds for North Korea’s weapons arsenal.[4] It is likely that China and Chinese companies have assisted North Korea’s illegal cyber and financial enterprises, along with individuals from other countries knowledgeable in developing cyber technology.[5] As North Korea externalizes its cyber operations, the chances for detection and disruption of these threats by international intelligence and law enforcement organizations are likely to decrease. It is very likely that North Korea’s cyber operations will grow in quantity and quality, with major monetary thefts in the future, representing a global threat.

North Korea has gained $2 billion USD of cryptocurrency through cyberattacks and used money laundering to change cryptocurrency into other currency forms.[6] The United Nations (UN) believes these funds are meant for North Korea’s weapons program.[7] Funds acquired through illicit cyber operations are likely being used for developing the country’s military capabilities. In September 2021, North Korea conducted a long-range cruise missile test, causing global concern.[8] The test indicates that North Korea has likely continued to develop and strengthen its weapons arsenal despite economic hardships likely caused by sanctions and the COVID-19 pandemic. Some of the funds for advancing North Korea’s military capabilities were likely obtained through illicit cyber activities. If the funds are going towards the country’s weapons, North Korea will likely continue to grow its weapons arsenal in quantity and capability. This almost certainly causes security concerns for several countries, including South Korea, the US, and Japan. This fear will very likely lead to greater political tension between these countries, causing greater shows of force in Southeast Asia and a potential arms race.

Banks and financial institutions have recognized the danger posed by North Korean cyberattacks, and the attacks have started to focus on virtual currency exchange houses, producing more illicit proceeds than attacks against financial institutions.[9] Financial institutions have likely increased their security and monitoring of potential illicit activities, which very likely deterred North Korea from further attacks. The North Korean government is allegedly associated with various cyber attacks that focus on cryptocurrency; three North Koreans face charges by the US government related to fraud and money laundering and are accused of using cyberattacks to steal $1.3 billion USD from banks and businesses across the world for North Korea.[10] As countries work towards legalizing and formally accepting cryptocurrency as legal tender, it is likely that the regulation of cryptocurrency will become more difficult. Due to the lack of regulation and limited traceability of cryptocurrency transactions, distinguishing between legal and illegal activity will likely become more time-consuming and complex. The global use of cryptocurrency is very likely to increase, giving potential threat actors greater access to cryptocurrency, which they will likely attempt to steal and launder. The global efforts for cryptocurrency regulation will likely be followed by enforcement issues as countries adapt to the new cyber financial market. Potential threat actors, including countries such as North Korea, will likely exploit the opportunity to further develop methods of cyber attack for illegal financial schemes with a reduced likelihood of detection.

By shifting its focus to crypto exchanges, North Korea successfully attacked the same platforms multiple times, such as Bithumb, headquartered in Seoul.[11] The growing use of cryptocurrency is likely to continue to be followed by emerging cryptocurrency exchange platforms, some of which are unlikely to have strong security systems. Inadequate security results in a likely significantly lower chance of detection than with attacks on financial institutions. By the time crypto-exchange platforms and legal institutions across the globe develop a framework of enforcement, it is likely threat actors will have already moved on to more precise, complicated methods to steal and launder cryptocurrency.

North Korean hacker groups are very likely to be associated with the country’s government. It is believed North Korea’s Reconnaissance General Bureau, Unit 180, is trained in cyber attack methodologies to steal foreign funds for the government.[12] The Lazarus Group likely has ties to the North Korean government and was close to stealing $1 billion USD from Bangladesh Bank in 2016.[13] If North Korea was already associated with hacker groups in 2016, it is almost certain that these relationships have continued to evolve, with a recognition that intelligence operations can successfully include cyber warfare, including for profit. With little known information about North Korean intelligence, there is a roughly even chance that North Korea has a greater cyber operational capacity than has been previously proven by the international intelligence community.

While North Korea appears to be developing its own cyber capabilities, it seems the country has utilized external means for its hacking and money laundering operations.[14] China is known to influence these operations, with several US banks noting that North Korea appeared to be laundering money through shell companies and companies associated with China, including Dandong Hongxiang Industrial Development Corp., and Dandong Sanjiang Trading Co. Ltd., both of Dandong, China.[15] JP MorganChase and Bank of New York Mellon were likely used as well.[16] It is thought that some North Korean cyber activity, while likely conducted predominantly in Pyongyang, is also conducted in other parts of Southeast Asia and China, particularly in Dandong.[17] Collaboration between China and North Korea very likely suggests that North Korea’s political, economic, and military ties with China will continue to strengthen. This strengthening will likely further push other countries, like South Korea and the US, to find a means to cut off the financial support between China and North Korea. The countries are likely to respond by implementing more sanctions on North Korea or attempting to put economic and diplomatic pressure on China. However, if North Korea’s involvement with cryptocurrency remains, then typical economic methods like sanctions to hinder these connections will likely be less effective.

China is North Korea’s most important trading partner, and Chinese exports rose significantly in October 2021 following the ease of border restrictions due to COVID-19.[18] As Dandong is likely a hotspot for North Korea’s illicit cyber financing, the city’s proximity likely means that there is enough local support for the North Korean illicit cyber activities, along with economic benefits through trade. These mutual interests are likely to impede attempts to prevent North Korea’s illicit activities. It is very likely that the Chinese government may be aware or supportive of the activity in Dandong, which would ensure that China will likely continue to be linked to North Korea for financial reasons. Chinese companies’ assistance towards North Korea very likely creates linkage issues for the global intelligence community, as it becomes more difficult to attribute businesses to countries. These companies provide a measure of protection for North Korea to continue its illicit financing as it takes time to separate legitimate from illegitimate financial entities. If cryptocurrency is the target of illegal transactions associated with these nations, it provides further legal obscurity in attempting to delineate between legal and illegal, making any sort of international enforcement very unlikely.

Beyond China, North Korea likely seeks other outside education to improve its cyber intelligence work. American Virgil Griffith pled guilty on September 27, 2021, in US court to “conspiring to violate the International Emergency Economic Powers Act,” as he gave a presentation about cryptocurrency blockchain technology in Pyongyang, which also included information on money laundering and evading sanctions.[19] Two Chinese nationals were charged by the US Department of Justice on March 2, 2020 with money laundering cryptocurrency,[20] with funds going to North Korea, which involved using the peel method related to the blockchain technology Griffith taught on.[21] The peeling process is repeated numerous times and consists of peeling a small amount of stolen cryptocurrency from a whole and transferring it to another address, often connected with an account at a cryptocurrency exchange.[22] This method almost certainly prevents the detection of money laundering activities, representing a convenient tool for malicious actors to hide and launder their illicit proceeds. North Korea’s attempt to gain information on cryptocurrency technology from a foreign source likely indicates that this was not the country’s sole attempt. A variety of individuals associated with cryptocurrency and cyber financial procedures are knowledgeable of how to use them for financial crime, providing North Korea with a potential pool of candidates who may be interested in providing the country with their knowledge. While it is very unlikely that the majority of these individuals will assist North Korea, some of them likely will due to potential financial incentives. As a result, they are likely to provide North Korea with knowledge on money laundering, cryptocurrency theft, and sanctions evasion. It is also likely that such individuals will assist North Korea with insider technological secrets of cyber organizations, financial institutions, and countries, causing a significant security breach. This would likely give North Korea the means to not only know how to conduct attacks but give direction for what kinds of attacks to conduct and what to target, creating global financial vulnerability in businesses and banking institutions.

The British Finance Ministry National Risk Assessment of Proliferation Financing report asserted individuals associated with North Korean diplomacy are likely practicing illicit financing for the purpose of expanding the nation’s weapon capabilities, including potentially through the UK banking system.[23] Besides financially focused cyber operations, cyberattacks carried out by North Korea that have no financial connection are likely to increase if North Korea continues to develop its cyber abilities. This represents a threat as intelligence of other nations, including weapons, technology, and military information, is likely to be compromised by North Korea to support its weapons arsenal through finances and information. Successfully combating North Korea’s illicit financial activity through cyber methods will likely require reasonably predicting what capabilities North Korea has.

The minimal connections with outside countries beyond China likely sustained the idea that North Korea would be unlikely to have connections with criminal groups or rogue individuals. If North Korea continues its efforts in the cyber and financial domains, there is a roughly even chance that they may develop unexpected ties with criminal organizations in the future, including those that are not strictly North Korean like the Lazarus Group. The lack of connection to the internet and lack of technological experience of the majority of North Koreans have likely made it appear to private businesses and financial institutions that North Korea’s cyber capabilities were below that of more experienced countries and individuals. Numerous examples illustrate the growth of North Korea’s cyber schemes against private organizations, such as the ATM theft of $6.1 million USD from BankIslami Pakistan Limited in 2018, thefts from a “Slovenian cryptocurrency company” in 2017, and “an Indonesian cryptocurrency company” in 2018.[24] There is likely a growing realization among the intelligence community that the access of a resource to a country’s general populace does not indicate that the country’s government cannot effectively capitalize on the limited resources it holds. Previous knowledge of North Korea’s cyber and financial abilities must be re-evaluated to better understand the emerging threats that will very likely grow.

The response to North Korea’s malicious cyber activity has been the imposition of financial sanctions. In 2019, the US Treasury Department sanctioned North Korean state-sponsored malicious cyber groups, including the Lazarus Group, Bluenoroff, and Andariel.[25] In 2020, the EU sanctioned North Korean company Chosun Expo on suspicion of having supported the Lazarus Group.[26] The imposition of financial sanctions has not proved to be the most effective tool due to the sanctions evasion tactics used by North Korea.[27] It is likely the isolation from the global economy caused by sanctions incentivized North Korea’s illicit crypto-activities to circumvent sanctions and procure funding. China’s involvement likely strengthens North Korea’s ability to bypass sanctions and impede the detection of sanction breaches and criminal activities. It is likely that North Korea’s ability to conduct sophisticated, large-scale cyber-attacks and outside support impede the detection of actors involved in malicious activities. As a result, individuals, groups, or companies involved have likely continued to operate despite the sanctions.

In October 2021, the US Commerce Department announced a ban on the sales of unlicensed hacking software and equipment to China and Russia, together with other countries of concern, without a license from the Department’s Bureau of Industry and Security (BIS).[28] The ban likely aims to disrupt North Korea’s cyber capabilities by tackling its external supporters, including Chinese individuals who are likely to assist North Korea with its malicious cyber activities. If other countries impose similar bans, the threat of malicious hacking activities is likely to be mitigated. However, it is unlikely this ban will completely disrupt North Korea’s cyber capabilities, as there are likely other suppliers of such technology beyond the US, as well as the black market.

In November 2021, China and Russia proposed a resolution to ease the UN sanctions against North Korea imposed in 2006 over its nuclear and ballistic missile programs.[29] China and Russia would likely benefit from the easing of the sanctions in terms of cross-border trade without fear of repercussions. The easing of the sanctions is very unlikely, particularly after the missile launch in September 2021 which increased global concerns over North Korea’s military capabilities. As a result, potential sanctions and measures against North Korea in the future are likely to be vetoed by Russia and China. Such development is likely to strengthen the partnership between China and North Korea and increase the tensions towards the US and its allies.

The Counterterrorism Group (CTG) recommends cooperation between governments and financial institutions in the detection and disruption of illicit financial activities related to North Korea. Through information sharing and cooperation, foreign companies and individuals involved in North Korea’s illicit cyber activities are likely to be identified. It is recommended to increase efforts in identifying outside supporters of illicit cyber activities conducted on behalf of North Korea and holding them accountable, through individual prosecutions and impositions of sanctions. Prosecutions and sanctions are likely to deter companies or individuals from becoming involved in North Korea’s malicious cyber activities. Strengthening the cyber security of crypto-exchange platforms is also recommended, as the increasing use of cryptocurrencies and weak security very likely incentivized attacks in the first place. By enforcing better regulation of cryptocurrencies and the security of crypto exchange platforms, future attempts of theft are likely to be disrupted. Besides crypto-exchange platforms, all parties should practice increased vigilance and prioritization of cyber security in both the private and public sectors, as malicious cyber activities, including ransomware attacks and theft of intelligence, are likely to continue to pose a threat.

The Counterterrorism Group (CTG) will continue to identify and assess North Korea’s developing trend of combining financial and cyber crimes through its Illicit Finance and Economic Threats (IFET) Team, along with its Counterintelligence and Cyber (CICYBER) Team. The PACOM team will focus on regional developments between North Korea and its neighbors, analyzing how political and military events may shift depending on North Korea’s illicit financing. CTG’s W.A.T.C.H. officers and Threat Hunters will remain alert and provide up-to-date reports on possible threats related to North Korea and the region, and their global implications.

The Counterterrorism Group (CTG) is a subdivision of the global consulting firm Paladin 7. CTG has a developed business acumen that proactively identifies and counteracts the threat of terrorism through intelligence and investigative products. Business development resources can now be accessed via the Counter Threat Center (CTC), emerging Fall 2021. The CTG produces W.A.T.C.H resources using daily threat intelligence, also designed to complement CTG specialty reports which utilize analytical and scenario-based planning. Innovation must accommodate political, financial, and cyber threats to maintain a level of business continuity, regardless of unplanned incidents that may take critical systems offline. To find out more about our products and services visit us at


[2] This is how North Korea uses cutting-edge crypto money laundering to steal millions, MIT Technology Review, March 2020,

[3] Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe, US Department of Justice, February 2021,

[4] This is how North Korea uses cutting-edge crypto money laundering to steal millions, MIT Technology Review, March 2020,

[5] The Incredible Rise of North Korea’s Hacking Army, The New Yorker, April and May 2021,

[6] This is how North Korea uses cutting-edge crypto money laundering to steal millions, MIT Technology Review, 5 Marcy 2020,

[7] United Nations Midterm Report, United Nations Security Council, August 2019,

[8] North Korea says it has test-fired long-range cruise missile, The Guardian, September 2021,

[9] North Korean CyberAttacks: A Dangerous and Evolving Threat, The Heritage Foundation, September 2021,

[10] US charges three North Koreans over $1.3bn theft, BBC, February 2021,

[11] United Nations Midterm Report, United Nations Security Council, August 2019,

[12] The Incredible Rise of North Korea’s Hacking Army, The New Yorker, April and May 2021,

[13] The Lazarus heist: How North Korea almost pulled off a billion-dollar hack, BBC, June 2021,

[14] Senior U.S. official accuses China of aiding North Korea cyber thefts, Reuters, October 2020,

[15] Secret documents show how North Korea launders money through U.S. banks, NBC, September 2020,

[16] Ibid

[17] The Incredible Rise of North Korea’s Hacking Army, The New Yorker, April 2021,

[18] North Korea-China trade hits highest level since start of pandemic, The Financial Times, October 2021,

[19] Crypto Guru Pleads Guilty to Advising North Korea on Blockchain Technology, The Wall Street Journal, September 2021,

[20] Two Chinese Nationals Charged with Laundering Over $100 Million in Cryptocurrency From Exchange Hack, US Department of Justice, March 2020,

[21] This is how North Korea uses cutting-edge crypto money laundering to steal millions, MIT Technology Review, March 2020,

[22] Two Chinese Nationals Charged with Money Laundering Over $100 Million in Cryptocurrency for North Korea, Money Laundering News, March 2020,

[23] NK diplomats engaging in illicit financing activities: British gov’t report, The Korea Herald, September 2021,

[24] Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe, US Department of Justice, February 2021,

[25] Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups, US Department of Treasury, September 2019,

[26] EU sanctions Russian intelligence, North Korean, Chinese firms over alleged cyberattacks, Reuters, July 2020,

[29] China, Russia revive push to lift U.N. sanctions on North Korea, Reuters, November 2021,



bottom of page