
North Korea: The cybercrime state


It is estimated that one third to a half of North Korea’s budget comes from cyberfraud and extortion. Most of these crimes are aimed at the financial services industry, including banks, crypto exchanges, and payments providers.


Cybercrime is one of the most serious, underdiscussed issues of our age. The money siphoned out of financial systems each year by bad actors is a value twice the size of Germany’s GDP: around $10 trillion. If an economy, it would be the third largest in the world.


North Korea has a turbulent history, and its isolated economy — and several weapons programmes — are propped up by the spoils of cyberattacks. Through years of practice, the rogue state has become exquisitely advanced in digital warfare — funding highly organised rings of hackers to siphon money from large multinational companies, high-net-worth individuals, financial institutions (FIs), governments, and even vulnerable individuals. The scale of the damage North Korea has inflicted on the UK has become so serious that the ex-director of GCHQ, Jeremy Fleming, has called it a “national security issue”.


It is the task of agencies like the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the defence select committee to work with systemically integral financial institutions (FIs) and corporations to develop cutting-edge methods of fraud prevention.


An economy addicted to heists


North Korea was born in 1948 in the wake of the Second World War, with the peninsula divided at the 38th parallel between Soviet (North) and US (South) occupation forces. Led by the totalitarian Kim dynasty, which has presided over isolationism, economic stagnation, and widespread famine, North Korea has remained a Russia-sympathetic state in a post-Cold War world.


Existing in a deeply integrated global economy while saddled with heavy sanctions has hobbled North Korea’s prospects on the international stage. For years, its economy has been contracting — labouring under resource shortages, outdated infrastructure, and energy problems. In 2024, however, this picture began to shift and North Korea’s economy grew by around 4%, its fastest in eight years. This was largely driven by improved industrial output and increased trade with Russia and China.


One of North Korea’s most reliable long-term incomes, however, is delivered by cybercrime — i.e., any illegal activity involving computers, the internet, or network devices. In North Korea’s case, the state sponsors activities like identity theft, phishing scams, and numerous other digital attacks, which siphon money from the financial systems of its adversaries. Most of these activities are carried out by North Korea’s Lazarus Group, operating under the umbrella of the Reconnaissance General Bureau (RGB) — a ring of hackers whose membership is unknown.


Some experts trace the activities of Lazarus Group back to the late noughties, and espionage campaigns like Operation Troy, which utilised crude distributed denial-of-service attack (DDoS) techniques to attack the South Korean government. Though Lazarus campaigns were initially aimed at Seoul, they soon broadened into highly sophisticated manoeuvres that hit numerous Western entities, such as the 2014 Sony Pictures hack.


Today, the operations of Lazarus have transitioned into major, state-sanctioned financial thefts and cyber-espionage, against all kinds of financial systems, cryptocurrencies, businesses, and individuals.


The democratisation of cybercrime


But the cybercrime risk does not just come from North Korea. In fact, the availability of attack tools has meant that bad actors around the world can co-ordinate crippling cyberattacks from the comfort of their bedrooms.


Once upon a time, cybercriminals had to become experts in the field, build their own malware, recruit specialist teams, and devise a campaign. Today, thanks to the availability of cyberattack tools on the dark web, these crimes have been democratised — enabling individuals with little skill to launch sophisticated attacks against systemic IT systems and individuals.   


These capabilities have been dubbed cybercrime-as-a-service (CaaS), enabling bad actors to connect to a criminal gang over the dark web, hand them a brief, and buy their services for a given period. Like its legitimate counterpart, CaaS can be accessed under a subscription model, a revenue-sharing model, or a one-time purchase. On the menu are ransomware and phishing kits, DDoS infrastructures, stolen data marketplaces, malware hosting, botnets, and more. This lowers the barrier to entry for cybercriminals and state-sponsored gangs.


The CaaS ecosystem is not unlike a legitimate supply chain. At the top, developers create the malware, the kits, the phishing frameworks and botnets. Then, customers pay a trifling amount to use these tools. In ransomware operations, for example, affiliates carry out the attacks and hand the developers (typically) 20-30% of the profits. The spoils are often shared via cryptocurrencies, because they are decentralised and harder for authorities to trace. Connecting all the dots are access brokers, who essentially sell compromised credentials or network access to cybercriminals.


For the most clandestine operations, CaaS is sourced from dark web marketplaces, encrypted messaging platforms, criminal forums, and invitation-only underground communities. In the past, AlphaBay (which was shut down in 2017) and Hydra Market (seized in 2022) were popular sites for sourcing CaaS. Law enforcement agencies, such as the Federal Bureau of Investigation and Europol, work around the clock to dismantle such marketplaces in a never-ending game of whack-a-mole.

Some CaaS tools, however, are not sourced from the dark web. Indeed, many are adaptations of publicly available code. This can include modified open-source penetration testing tools or repackaged security frameworks.


The scale of damage


Given this picture, members of Lazarus Group could well be amateur criminals scattered all over the globe. Their targets, in turn, can — and have been — almost anyone.


In 2017, the WannaCry Ransomware Attack hit the UK's National Health Service (NHS), affecting at least 34% of trusts in England and causing over £90 million in damages from lost services and cancelled appointments. The NCSC reported that Lazarus was likely involved in the campaign.

In 2019, the Bank of Valletta in Malta was hit by Lazarus, and the hackers initiated fraudulent transfers of approximately $15 million to accounts in the UK, US, Czech Republic, and Hong Kong. The bank temporarily shut down all operations to contain the breach, and most funds were recovered or frozen.


More recently, in February 2025, Lazarus attacked the cryptocurrency firm Bybit and stole £1.1 billion worth of digital currency. It was the biggest crypto heist in history. The following month, the BBC reported that the hackers had successfully converted at least £232 million into unrecoverable funds. Ben Zhou, the CEO of Bybit, has assured customers that none of their funds have been taken. The firm has since replenished the stolen coins with loans from investors, but is, in Zhou's words, "waging war on Lazarus". Bybit's Lazarus Bounty programme encourages members of the public to trace the stolen funds and get them frozen where possible.


Of all the criminal actors involved in cryptocurrency, North Korea is the best at laundering crypto, according to Doctor Tom Robinson, co-founder of crypto investigators Elliptic: "I imagine they have an entire room of people doing this using automated tools and years of experience. We can see from their activity that they only take a few hours break each day, possibly working in shifts to get the crypto turned into cash."


Shoring up defences


So, what can be done about the national security threat of cybercrime? Naturally, prevention is best. Once cash is stolen, it’s nigh-on impossible to get it back. And, while regulation serves its purpose, it’s moving too slowly, particularly in recognising digital assets as personal property.  


At the top of the chain, large FIs and authorities must work together to monitor the underground forums which provide CaaS; share their threat intelligence; disrupt the criminal infrastructures; seize hot cryptocurrency wallets; and collaborate internationally.


As for the organisations themselves, risks can be mitigated through tough security controls, like multi-factor authentication (MFA), network segmentation, regular patching, and employee cybercrime training. Artificial intelligence (AI) can also support here, serving to spot anomalous activity in payments data at speed.


A great number of lessons can be learned from Ukraine, too, which — having been on the receiving end of a hybrid war for over a decade — has put its technology in the cloud. This has ensured that critical infrastructure is geographically distributed across multiple countries and data centres, making it far harder to eliminate in a single strike. This creates continuity, even if local servers are destroyed; it limits the risk of total data loss; and supports closer collaboration with NATO and the EU.


Building a new age of resilience


Governments and institutions alike must accept that we have reached the belated end of the political 20th century. Hybrid warfare and state-sponsored cyberattacks are the new normal, costing the world over $10 trillion each year.


If the financial services industry is to answer this challenge, it must begin to take cyber defence seriously, and work with authorities to share threat intelligence and build robust digital walls around clients’ assets. After all, financial stability is what underpins the integrity and confidence of our system. To choke out cybercrime states like North Korea, Iran, and Russia, we must deny their economies that which keeps them turning.
