North Korean operatives now account for nearly half of all serious cyberattacks aimed at American technology companies. A fresh analysis from cybersecurity firm CrowdStrike pins the figure at 47 percent for state-backed intrusions between April 2025 and May 2026. The group behind much of this activity, which CrowdStrike labels Famous Chollima, focuses relentlessly on tech targets. And the money flows straight back to Pyongyang.
TechRadar first highlighted the scale in its reporting on how these operations bankroll weapons development for the isolated regime. The proceeds don’t vanish into luxury goods or personal accounts. They buy components, expertise and raw materials for ballistic missiles, nuclear warheads and submarine technology. Officials in Washington, Seoul and Tokyo have warned about this link for years. Recent government assessments only sharpen the picture.
The Office of the Director of National Intelligence laid out the threat in its March 2026 report on critical infrastructure risks. North Korea’s cyber apparatus, paired with thousands of IT workers operating under false identities, generates hundreds of millions annually. Those funds prop up military programs even as international sanctions bite. The report notes foreign currency revenue from cyber theft and munitions sales to Russia has reached levels not seen since before the heavy sanctions of 2018. Pyongyang’s hackers steal, launder and spend with remarkable agility.
But the story runs deeper than simple theft. North Korean groups blend financial crime with espionage that directly feeds weapons programs. They target defense contractors, aerospace suppliers and semiconductor manufacturers. South Korea’s National Intelligence Service reported in 2024 that hackers breached chip equipment makers in the South. The goal appeared straightforward: secure technology for Pyongyang’s own semiconductor production to bypass sanctions on missile and satellite components. Such moves close capability gaps that years of isolation had widened.
Chainalysis and other blockchain researchers have tracked the cryptocurrency hauls with precision. In 2025 North Korean actors stole an estimated $2 billion in digital assets. One operation alone, the February breach of Dubai-based exchange Bybit, netted roughly $1.5 billion according to multiple analyses including those cited by the Center for Strategic and International Studies. That single heist shattered previous records. The CSIS analysis connects these thefts to broader regime survival tactics under sanctions. Funds get laundered through mixers and offshore accounts before conversion into cash that supports the weapons complex.
The United Nations Panel of Experts estimated that cyber operations generated about $3 billion between 2017 and 2023. Up to 40 percent of North Korea’s ballistic missile and nuclear weapons budget may come from these sources, according to assessments referenced in KEIA’s 2025 year-in-review report. The figure echoes earlier statements from former U.S. officials. Anne Neuberger, then deputy national security advisor for cyber, observed in 2023 that more than half of certain nuclear funding streams traced to illicit online operations. The pattern holds.
Lazarus Group sits at the center of this effort. Also known as APT38, the collective operates under the Reconnaissance General Bureau. Its subgroups carry out everything from ransomware against hospitals to supply-chain compromises that open doors into larger tech networks. The U.S. Justice Department indicted a North Korean hacker named Rim Jong Hyok in 2025 for his role in ransomware campaigns hitting American healthcare providers. Prosecutors alleged the attacks funded further espionage against defense and technology targets in the U.S., Taiwan and South Korea. Stonefly, the subgroup tied to Rim, has shown no sign of slowing down.
Yet financial gain represents only part of the strategy. North Korean hackers also pursue intellectual property that accelerates weapons research. They have hit shipbuilders, universities and firms working on unmanned underwater vehicles. A 2024 ORF analysis mapped the victimology: defense firms, aerospace companies, even modeling and simulation providers. The stolen data fills gaps in Pyongyang’s programs for submarines, missiles and nuclear delivery systems. One operation against Russian defense entities, despite the countries’ warming ties, revealed the opportunistic nature of these campaigns.
IT worker scams add another lucrative and dangerous layer. North Koreans posing as South Korean or Western freelancers secure remote jobs at tech firms worldwide. They use stolen identities and falsified credentials. Once inside, they exfiltrate data, install backdoors or simply earn salaries that the regime confiscates. The U.S. State Department, joined by Japan and South Korea, issued warnings in August 2025 about this scheme. Hundreds of millions in wages flow back to Pyongyang each year. Some workers double as insiders for Lazarus operations. The tactic has compromised Fortune 500 companies and crypto startups alike.
CrowdStrike’s latest findings underscore how dominant these tactics have become inside the tech sector. Famous Chollima alone drove nearly half the state-linked human-operated intrusions. Other DPRK groups tripled activity in late 2025, hitting fintech and software firms across North America and Europe. Pressure Chollima, another actor, stands out for its aggressive cryptocurrency focus. The group launders proceeds that almost certainly support military programs, according to the CrowdStrike report.
Ransomware has grown more prominent too. North Korean actors now partner with operators like Medusa to hit healthcare and critical infrastructure. These campaigns generate revenue while sowing disruption. The FBI and CISA have issued repeated alerts about the dual threat of financial loss and operational shutdowns. Hospitals cancel procedures. Manufacturers lose production time. Each incident reminds defenders that the attacks carry strategic weight beyond dollars stolen.
Pyongyang has refined its approach over time. Early operations mixed political disruption, as in the 2014 Sony Pictures hack, with financial motives. After tightened UN sanctions in 2016 and 2017 the balance tilted heavily toward revenue. Cryptocurrency exchanges became prime targets because they offered speed, scale and relative anonymity. The 2022 Ronin Network breach tied to Axie Infinity drained $620 million. Later attacks on Atomic Wallet, Stake.com and others added hundreds of millions more. Each success funds the next round of missile tests and warhead refinements.
Western governments have responded with sanctions, indictments and technical alerts. They have also increased information sharing with private industry. Yet the attackers adapt faster than defenses solidify. They exploit new tools, including AI for phishing and malware development. Reports from NK News describe North Korean experiments with AI-powered operations that could soon reach military readiness. The regime invests its stolen funds not only in hardware but in human capital. Thousands of hackers train in specialized programs, some receiving additional instruction in China or Russia.
The human cost appears in hospital wards and corporate boardrooms far from the Korean Peninsula. Patients face delayed care when ransomware locks systems. Engineers watch proprietary designs vanish into foreign servers. Executives scramble to explain breaches to shareholders. All the while, the money trail leads back to underground facilities where technicians assemble longer-range missiles and improve reentry vehicles.
Japan, South Korea and the United States continue joint warnings. Their August 2025 advisory highlighted how overseas IT workers conceal nationality to gain employment in East Asia, Europe and North America. The wages fund illegal nuclear and ballistic missile work in violation of UN resolutions. The message has grown urgent as theft totals climb. In 2025 alone the cyber revenue helped push North Korea’s foreign currency earnings to multi-year highs despite sanctions.
Analysts caution against viewing these operations as mere criminality. They form a core element of national strategy. Cyber serves as an asymmetric equalizer. It delivers resources without the risks of conventional arms sales or overt proliferation. The same infrastructure that steals crypto can exfiltrate secrets about American hypersonic weapons or South Korean submarine designs. The convergence of crime and espionage makes the threat particularly stubborn.
Private sector defenders face hard choices. Many tech companies now scrutinize remote workers more closely, demand stricter identity verification and segment internal networks aggressively. Some have curtailed cryptocurrency holdings or improved wallet security. Others partner with blockchain analytics firms to track stolen funds in real time. Progress occurs, but the attackers evolve in parallel.
No easy fix exists. Sanctions have not curtailed the programs they target. Instead they appear to have accelerated Pyongyang’s turn toward cyber revenue. Diplomatic pressure yields limited results when the regime calculates that stolen funds outweigh the costs of detection. And detection remains imperfect. Many intrusions go unreported or unattributed for months.
The numbers tell a sobering story. Billions stolen. Thousands of trained operators. Direct links to nuclear and missile advancement. North Korea has built a self-reinforcing machine: hack the tech industry, fund the weapons programs, test new systems that intimidate neighbors and extract further concessions. Breaking that cycle will demand sustained cooperation among governments, technology providers and financial institutions. The alternative is a future in which each major cyber incident quietly subsidizes the next provocation from the hermit kingdom.
Recent reporting from Technology.org captured the CrowdStrike data in stark terms. North Korean hackers sit behind nearly half of the human-driven breaches hitting U.S. tech firms. The piece appeared just hours ago and aligns with the broader trend of escalating financial and technical theft. Similar warnings echo across assessments from CSIS, KEIA and the ODNI. The pattern shows no sign of reversal.


WebProNews is an iEntry Publication