{
	"id": "edcb6632-6a9f-4cc1-8dab-7e07bbbdfd0c",
	"created_at": "2026-04-06T00:19:01.32313Z",
	"updated_at": "2026-04-10T03:38:19.065176Z",
	"deleted_at": null,
	"sha1_hash": "3b83581c5a986f48e187a4102bbd2305d04e2673",
	"title": "The Incredible Rise of North Korea’s Hacking Army",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6125932,
	"plain_text": "The Incredible Rise of North Korea’s Hacking Army\r\nBy Ed Caesar\r\nPublished: 2021-04-16 · Archived: 2026-04-05 21:11:47 UTC\r\nThe country’s cyber forces have raked in billions of dollars for the regime by pulling off schemes ranging from\r\nA.T.M. heists to cryptocurrency thefts. Can they be stopped?\r\nApril 19, 2021\r\nhttps://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army\r\nPage 1 of 20\n\nNorth Korea, whose government is the only one on earth known to conduct nakedly criminal hacking for\r\nmonetary gain, has run schemes in some hundred and fifty nations. Illustration by Anuj Shrestha\r\nShimomura was a member of the Yamaguchi-gumi, the largest yakuza crime family in Japan. When one of his\r\nsuperiors asked him if he wanted to make a pile of fast money, he naturally said yes. It was May 14, 2016, and\r\nShimomura was living in the city of Nagoya. Thirty-two years old and skinny, with expressive eyes, he took pride\r\nin his appearance, often wearing a suit and mirror-shined loafers. But he was a minor figure in the organization: a\r\ncollector of debts, a performer of odd jobs.\r\nThe superior assured him that the scheme was low risk, and instructed him to attend a meeting that evening at a\r\nbar in Nagoya. (Shimomura, who has since left the Yamaguchi-gumi, asked to be referred to only by his surname.)\r\nWhen Shimomura showed up, he found three other gangsters, none of whom he knew. Like many yakuza, he is of\r\nKorean descent, and two of the others were also Korean-Japanese; for a while, they spoke in Korean. The superior\r\nfinally arrived, and the five men moved into a private room. Each volunteer was given a plain white credit card.\r\nThere was no chip on the card, no numbers, no name—just a magnetic strip.\r\nThe superior read instructions from a thin manual: early the next morning, a Sunday, they should go to any 7-\r\nEleven and use their white card at the store’s A.T.M. 
They could not use a regular bank A.T.M., or one in another\r\nconvenience store. The gangsters should each withdraw a hundred thousand yen at a time (about nine hundred\r\ndollars) but make no more than nineteen transactions per machine. If anybody made twenty withdrawals from a\r\nsingle A.T.M., his card would be blocked. Withdrawals could start at 5 a.m. and continue until 8 a.m. The\r\nvolunteers were told to choose the Japanese language when prompted—an indication, Shimomura realized, that\r\nthe cards were foreign. After making nineteen withdrawals, they should wait an hour before visiting another 7-\r\nEleven. They could keep ten per cent of the cash. The rest would go to the bosses. Finally, each volunteer was told\r\nto memorize a PIN.\r\nOn Sunday morning, Shimomura rose early, and dressed in jeans, sunglasses, a baseball cap, and an old T-shirt. He\r\nwalked to a 7-Eleven, where he bought a rice ball and a Coke, to settle himself. He inserted the card into the\r\nA.T.M. When the screen asked him which language he preferred, he felt a tremor of nerves while selecting\r\n“Japanese.” He withdrew a hundred thousand yen, then another, and then another. There was nobody else in the\r\nstore apart from the guy at the register, who didn’t seem interested in him.\r\nAfter making the first withdrawal, Shimomura printed a receipt. He saw a foreign name on the paper—he couldn’t\r\ntell what nationality the name was, but he knew it wasn’t Japanese—then stuffed the receipt in his pocket. Around\r\n8 a.m., having completed a total of thirty-eight withdrawals at several A.T.M.s in the area, he headed home,\r\nwaddling because of his bulging pockets: 3.8 million yen is a lot of cash. Shimomura took his ten per cent—about\r\nthirty-five hundred dollars—and stashed it in a drawer in his apartment. At 3 p.m., he met his superior to deliver\r\nthe remaining money. 
(Later, he discovered that one of the other gangsters had absconded with the money and the\r\ncard.)\r\nThe superior told Shimomura that he would retain five per cent of what his volunteers brought in and send the rest\r\nof the cash to his bosses. When Shimomura handed over his money, he sensed that the superior had enlisted many\r\nothers. He was right. As the newspapers soon reported, more than sixteen million dollars was withdrawn from\r\nroughly seventeen hundred 7-Eleven A.T.M.s across Japan that morning, using data stolen from South Africa’s\r\nStandard Bank. The newspapers surmised that 7-Elevens had been targeted because they were the only\r\nconvenience stores in Japan whose cash terminals all accepted foreign cards. Soon after the raids, the withdrawal\r\nlimit for many A.T.M.s in the country was reduced to fifty thousand yen.\r\nShimomura deduced that he had been at the bottom of the food chain in the scam. The real money-makers were\r\nmuch higher up. What he did not know, until an interview with this magazine last year, was the identity of the\r\nvillains at the top of the chain. Shortly after the A.T.M. thefts, according to Japanese police, the ringleader of the\r\n7-Eleven operation crossed from China into North Korea. Shimomura had unwittingly been collecting money for\r\nthe Korean People’s Army, as part of a racket that became known as FASTCash.\r\nIn satellite images of East Asia at night, lights blare almost everywhere, except in one inky patch between the\r\nYellow Sea and the Sea of Japan, and between the thirty-eighth and the forty-third parallels: North Korea. Only\r\nPyongyang, the capital, emits a recognizably modern glow. 
The dark country is one of the last nominally\r\nCommunist nations in the world—a Stalinist personality cult centered on Kim Jong Un, the peevish, ruthless scion\r\nof the dynasty that has ruled North Korea since 1948, after the peninsula was divided. The D.P.R.K. purports to be\r\na socialist autarky founded on the principle of juche, or self-reliance. Its borders are closed and its people\r\nsequestered. Foreigners find it profoundly difficult to understand what is happening inside North Korea, but it is\r\neven harder for ordinary North Korean citizens to learn about the outside world. A tiny fraction of one per cent of\r\nNorth Koreans has access to the Internet.\r\nYet, paradoxically, the North Korean government has produced some of the world’s most proficient hackers. At\r\nfirst glance, the situation is perverse, even comical—like Jamaica winning an Olympic gold in bobsledding—but\r\nthe cyber threat from North Korea is real and growing. Like many countries, including the United States, North\r\nKorea has equipped its military with offensive and intelligence-gathering cyber weapons. 
In 2016, for instance,\r\nmilitary coders from Pyongyang stole more than two hundred gigabytes of South Korean Army data, which\r\nincluded documents known as Operational Plan 5015—a detailed analysis of how a war with the country’s\r\nnorthern neighbor might proceed, and, notably, a plot to “decapitate” North Korea by assassinating Kim Jong Un.\r\nThe breach was so egregious that Kim Tae-woo, a former president of the Korea Institute for National Unification,\r\na think tank in Seoul, told the Financial Times, “Part of my mind hopes the South Korean military intentionally\r\nleaked the classified documents to the North with the intention of having a second strategy.”\r\n“We’ve got ways of making you stop talking.”\r\nCartoon by Benjamin Schwartz\r\nNorth Korea, moreover, is the only nation in the world whose government is known to conduct nakedly criminal\r\nhacking for monetary gain. Units of its military-intelligence division, the Reconnaissance General Bureau, are\r\ntrained specifically for this purpose. In 2013, Kim Jong Un described the men who worked in the “brave R.G.B.”\r\nas his “warriors . . . for the construction of a strong and prosperous nation.”\r\nNorth Korea’s cybercrime program is hydra-headed, with tactics ranging from bank heists to the deployment of\r\nransomware and the theft of cryptocurrency from online exchanges. It is difficult to quantify how successful\r\nPyongyang’s hackers have been. Unlike terrorist groups, North Korea’s cybercriminals do not claim responsibility\r\nwhen they strike, and the government issues reflexive denials. As a result, even seasoned observers sometimes\r\ndisagree when attributing individual attacks to North Korea. 
Nevertheless, in 2019, a United Nations panel of\r\nexperts on sanctions against North Korea issued a report estimating that the country had raised two billion dollars\r\nthrough cybercrime. Since the report was written, there has been bountiful evidence to indicate that the pace and\r\nthe ingenuity of North Korea’s online threat have accelerated.\r\nAccording to the U.N., many of the funds stolen by North Korean hackers are spent on the Korean People’s\r\nArmy’s weapons program, including its development of nuclear missiles. The cybercrime spree has also been a\r\ncheap and effective way of circumventing the harsh sanctions that have long been imposed on the country. In\r\nFebruary, John C. Demers, the Assistant Attorney General for the National Security Division of the Justice\r\nDepartment, declared that North Korea, “using keyboards rather than guns,” had become a “criminal syndicate\r\nwith a flag.”\r\nNorth Korea’s leaders have been attuned to the nefarious opportunities of a connected world since at least the\r\nearly nineteen-nineties. A 2019 paper on the regime, written by scholars at Korea University, in Seoul, notes that\r\nKim Jong Il, having watched the United States’ military engagement in the two Gulf conflicts, concluded that\r\n“modern war is decided by one’s conduct of electronic warfare.” (Among other tactics, American planes jammed\r\nIraqi radar systems.) 
In 2005, a Korean People’s Army book quoted Kim as saying, “If the Internet is like a gun,\r\ncyberattacks are like atomic bombs.” His son Kim Jong Un came to power in 2012 and saw the commercial\r\npotential of the technology, noting that his army could “penetrate any sanctions.” Cyber prowess, he soon\r\ndeclared, was an “all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking\r\ncapability, along with nuclear weapons and missiles.” Yet the West didn’t really wake up to the danger posed by\r\nNorth Korea’s cyber forces until after the country executed three spectacular crimes, between 2014 and 2017.\r\nThe first was a hack of Sony Pictures. In June, 2014, Sony released a trailer for “The Interview,” a Seth Rogen and\r\nJames Franco comedy about hapless journalists recruited by the C.I.A. to assassinate Kim Jong Un. A\r\nspokesperson for the regime called the film a “wanton act of terror” and promised a “merciless response” if the\r\nstudio proceeded with releasing the film. Sony pressed ahead. (Rogen joked on Twitter, “People don’t usually\r\nwanna kill me for one of my movies until after they’ve paid 12 bucks for it.”)\r\nThat November, Sony employees reported that their computers had been hacked, by a group calling itself\r\nGuardians of Peace. After many of the company’s computers froze, Sony shut down the rest, stanching the bleed\r\nof data that was under way. For a few days, Sony Pictures operated without an electronic network, and in\r\nsubsequent weeks the hackers leaked embarrassing—and, in some cases, damaging—e-mails, salaries, medical\r\nrecords, movies, and screenplays belonging to the company and its employees. 
Five upcoming Sony films were\r\nput online, as was the script of the next James Bond movie, “Spectre.” One of the studio heads, Amy Pascal,\r\nresigned after the hackers posted e-mails in which she joked with the producer Scott Rudin that at a meeting with\r\nPresident Barack Obama she’d be smart to bring up movies about slavery.\r\nThe F.B.I. soon attributed the attack to North Korean state actors. Pyongyang denied involvement but declared the\r\nhack a “righteous deed.” Obama promised to “respond proportionally” to what he called an act of “cyber\r\nvandalism.” Michael McCaul, who chaired the House Homeland Security Committee, later told reporters that the\r\nU.S. had launched a number of “cyber responses” to the Sony hack, not least a ten-hour Internet outage in North\r\nKorea in December, 2014.\r\nIf the attack on Sony had a cartoonish quality, the second major North Korean attack was like a caper. Around the\r\ntime that the hackers were breaking into Sony’s network, members of the same gang—which became known as\r\nthe Lazarus Group—began scoping out banks in Dhaka, Bangladesh. Accounts linked to the Lazarus Group sent\r\ne-mails to an array of targets at Bangladesh Bank and other financial institutions in Dhaka. The messages\r\ncontained a link to malware that, if clicked, granted the North Koreans access to internal computer systems. In the\r\nfirst two months of 2015, at least three Bangladesh Bank employees were lured by these “spear-phishing” e-mails\r\ninto downloading the infected attachment. By that March, the hackers had established a “backdoor” within the\r\nbank’s electronic communication system, allowing them to send messages to one another in a way that mimicked\r\nthe bank’s encrypted-communication protocols, and did not alert security to their presence. 
The hidden hackers\r\nthen spent ten months learning about Bangladesh Bank’s operations from the inside.\r\nLike many national banks in developing countries, Bangladesh Bank holds a foreign-currency account with the\r\nFederal Reserve bank in New York. On February 4, 2016, the Federal Reserve received instructions from\r\nBangladesh Bank to make dozens of payments, totalling nearly a billion dollars, to various accounts, including\r\none in Sri Lanka and four in the Philippines. The requests were made via the SWIFT network—a global conduit for\r\nmoney transfers, based near Brussels. In fact, the Lazarus hackers had sent the requests, using stolen usernames\r\nand passwords that they had collected while roaming around Bangladesh Bank’s network. In their fraudulent\r\nmessages to the Federal Reserve, the Lazarus members had incorporated many details from genuine, previously\r\nexecuted SWIFT transfers, so that it would not be obvious their own requests were bogus. To further cover their\r\ntracks, the hackers had installed a network update that blocked SWIFT messages from being read at Bangladesh\r\nBank—a piece of legerdemain that later impressed security experts. It was the equivalent of breaking into a bank’s\r\nvault after disabling its surveillance cameras.\r\nPriscilla Moriuchi, a fellow at Harvard’s Belfer Center for Science and International Affairs who focusses on the\r\nNorth Korean cyber threat, worked at the National Security Agency for twelve years. She told me that the\r\nBangladesh operation was “flashy.” But the robbers not only showed technical finesse, she said; their patient work\r\nin the Dhaka heist “signalled a larger tactical and operational maturity.”\r\nThe Federal Reserve granted the first five payment requests, a total of a hundred and one million dollars. The next\r\nthirty payments, which amounted to eight hundred and fifty million dollars, stalled only because of a stroke of\r\nluck. 
An automated alert system was activated after detecting, in the text of a transfer request, the word “Jupiter,”\r\nwhich happened to be in the address of a Philippines bank branch. This alert was tripped because an unrelated\r\nbusiness, Jupiter Seaways Shipping, in Athens, was on a sanctions-evasion watch list for its activities relating to\r\nIran.\r\nAfter this and another small irregularity were detected, freeze requests were placed on the recipient accounts. But\r\n—as the hackers had anticipated—because the heist was carried out on a holiday weekend in the Philippines the\r\nfreeze requests weren’t processed for another forty-eight hours. By that time, some eighty-one million dollars had\r\nbeen transferred into a different account. Most of this money was then withdrawn, converted into cash as\r\nPhilippine pesos, and exchanged for casino chips. At the time, gambling establishments in the Philippines were\r\nexempt from anti-money-laundering regulations. It wasn’t a billion dollars, but it was a huge haul.\r\nBy the time of North Korea’s third major attack, nobody found the regime’s cyber threat funny anymore. A 2017\r\nransomware scheme known as Wannacry 2.0 crippled networks in America, Europe, and Asia—including the\r\ncomputer systems of Boeing, Britain’s National Health Service, and Germany’s federal railway. The hackers\r\nencrypted computer after computer, then demanded payment, in bitcoin, to unfreeze the systems. North Koreans\r\ntailored some ransomware code and then propagated it from one device to the next by appropriating a dangerous\r\npiece of American code, known as EternalBlue, that a criminal group calling itself the Shadow Brokers had stolen\r\nfrom the N.S.A. 
and then posted online.\r\nA twenty-two-year-old hacker and malware expert from England named Marcus Hutchins, who worked out of a\r\nbedroom in his parents’ house, analyzed the Wannacry code and figured out how to direct much of the traffic that\r\nit was generating into a “sinkhole”—a Web address where the malware would do no harm. After Hutchins realized\r\nthat he had upended the hack, Wired reported, he went upstairs to tell his family. His mother, a nurse, was\r\nchopping onions. “Well done, sweetheart,” she said, before returning to her cooking.\r\nThe North Korean regime has long been considered a fundamentally criminal enterprise. Joseph Bermudez, Jr., a\r\nsenior fellow at the Center for Strategic and International Studies, told me that the country’s survival has always\r\nbeen underpinned by a mafia-like “patronage system.” He explained that, even before the Korean War, smugglers\r\nand warlords had thrived in the region. Since the birth of the D.P.R.K., crime has been used to garner not only\r\ncash for the regime but also political and social capital. The Kims, Bermudez said, have fostered a “desire to\r\nproduce revenue to secure pleasure with the leader.”\r\nUntil recently, North Korea’s most lucrative state-sponsored criminal operations included the smuggling of\r\ncigarettes, the creation of counterfeit money, the trading of endangered species, and the manufacture and\r\ndistribution of laboratory-made illegal drugs such as methamphetamine. In the seventies, North Korean diplomats\r\nwho were posted abroad often trafficked narcotics. In the eighties, North Korean counterfeiters created a\r\nremarkably plausible hundred-dollar “supernote.” (In 2006, the Secret Service estimated that it had removed fifty\r\nmillion dollars’ worth of fake notes from circulation; seven years later, the U.S. 
Treasury redesigned its hundred-dollar bill with extra security features.) Many traditional criminal revenue streams continue to flow back to\r\nPyongyang, but in the past decade the state’s focus has pivoted to the Internet.\r\n“You’re just lucky you don’t have your whole life looming in front of you.”\r\nCartoon by Barbara Smaller\r\nThe range and creativity of North Korea’s digital crime spree caught many off guard. It wasn’t just that\r\nPyongyang’s cyber warriors could compromise computer networks around the world; they showed real innovation\r\nin exploiting new technologies. Luke Dembosky, an attorney who advises companies on Internet-security issues,\r\nfirst confronted North Korea’s cyber threat at the time of the Sony hack, when he was the Deputy Assistant\r\nAttorney General in the Justice Department’s National Security Division. Then he witnessed the Bangladesh heist\r\n—a striking leap in sophistication. “It was stunning for someone like me, despite years in this business, to see a\r\nrelatively isolated nation-state actor not simply copying someone else’s methodology or scheme but actually\r\nbreaking new ground,” he said.\r\nPriscilla Moriuchi, the Harvard analyst, told me that, in retrospect, the D.P.R.K.’s turn to cybercrime had been an\r\norganic development. “North Koreans understand criminality,” she said. “They’re integrated in many, many places\r\nwith this criminal and gray underground world. And so it’s natural to overlay this new technology, the Internet. It\r\nconnects criminal organizations and smugglers with one another.”\r\nWe discussed the Japanese A.T.M. scam of 2016. Shimomura may not have known his ultimate boss, but the\r\nyakuza had been smuggling illegal products out of North Korea for decades. Around the turn of the millennium,\r\nNorth Korea supplied about forty per cent of Japan’s methamphetamines. 
So, if cyber scammers in Pyongyang\r\nneeded boots on the ground to withdraw cash in Nagoya, they could make a request, and it would soon be\r\nanswered.\r\nMoriuchi also noted that, although the North Korean hackers were technically accomplished, their more important\r\nattribute was a felonious savoir-faire. In the Bangladesh Bank case, the robbers waited seventeen months after\r\ntheir first reconnaissance in Dhaka before they pulled off the heist. They had determined the ideal weekend and\r\nholiday to strike; they had planned how to move cash quickly out of recipient banks; and they had chosen\r\ninstitutions that had particularly lax know-your-customer protocols. Once they executed the theft, they used local\r\ncontractors in the Philippines to launder their pesos, effectively hiding the money trail. Their success was\r\npredicated on knowing not only how computers work but how people do. “They’re smart,” Moriuchi told me. “It’s\r\nthis connection of the virtual world and the physical that’s so impressive.”\r\nIn most countries, hackers develop their skills by experimenting on computers at home when they are teen-agers.\r\nMarcus Hutchins, who dismantled Wannacry, was one such high-school recluse. But North Korea’s talent in the\r\ncybercrime field is grown in a hothouse. Few families own computers, and the state jealously guards Internet\r\naccess.\r\nThe process by which North Korean hackers are spotted and trained appears to be similar to the way Olympians\r\nwere once cultivated in the former Soviet bloc. Martyn Williams, a fellow at the Stimson Center think tank who\r\nstudies North Korea, explained that, whereas conventional warfare requires the expensive and onerous\r\ndevelopment of weaponry, a hacking program needs only intelligent people. And North Korea, despite lacking\r\nmany other resources, “is not short of human capital.”\r\nThe most promising students are encouraged to use computers at schools. 
Those who excel at mathematics are\r\nplaced at specialized high schools. The best students can travel abroad, to compete in such events as the\r\nInternational Mathematical Olympiad. Many winners of the Fields Medal, the celebrated prize in mathematics,\r\nplaced highly in the contest when they were teen-agers.\r\nStudents from North Korea often perform impressively at the I.M.O. (It is also the only country to have been\r\ndisqualified for suspected cheating: the D.P.R.K. team was ejected twice from the competition, in 1991 and in\r\n2010.) At the 2019 I.M.O., held in Bath, England, Kuk Song Hyon scored perfectly on the first five of six\r\nchallenges, and was tied for first place with students from China, South Korea, Poland, and the U.S. until the final\r\nproblem, when he received a low score.\r\nTwo colleges in Pyongyang, Kim Chaek University of Technology and Kim Il Sung University, vacuum up the\r\nmost talented teen-agers from the specialized math and computer high schools and then teach them advanced\r\ncode. These institutions often outperform American and Chinese colleges in the International Collegiate\r\nProgramming Contest—a festival of unsurpassed and joyful nerdery. At the 2019 I.C.P.C. finals, held in Porto,\r\nPortugal, Kim Chaek University placed eighth, ahead of Oxford, Cambridge, Harvard, and Stanford.\r\nCostin-Andrei Oncescu, who represented the University of Oxford at the 2019 I.C.P.C., and who began\r\nprogramming competitively in his native Romania at the age of ten, told me that the I.C.P.C. was not only fun and\r\nsociable but also a recruiting ground for big technology companies. Huawei sponsored the 2019 finals.\r\nContestants, Oncescu said, have gone on to do impressive coding work. He mentioned Nikolai Durov, a member\r\nof the championship-winning St. 
Petersburg State University teams of 2000 and 2001, who subsequently co-founded the Russian social-media apps VK and Telegram.\r\nOncescu added that the North Koreans had stayed in the same hotel as the other contestants in Porto. But he\r\nhadn’t seen them socialize with students from other countries. He said that, although the competitions tested\r\ncoding fluency, the true test was of a more general problem-solving capability. It often came down to pure math.\r\nTo thrive, every team needed at least one “very math-oriented” person, Oncescu said. Students working in teams\r\nof three were asked to create code that provided a solution to an abstract puzzle, but only one team member at a\r\ntime wrote the code.\r\nThe coding challenges at the 2019 I.C.P.C. were fiendishly difficult. An example: “Your university’s board game\r\nclub just hosted a checkers tournament, and you were assigned to take notes on the games. Unfortunately, while\r\nwalking home, you dropped all of your papers into a puddle! Disaster! Much of what you wrote is now\r\nunreadable; all you have left are some lists of moves played in the middle of various games. Is there some way\r\nyou can reconstruct what happened in those games?” The code that the students built needed to solve this problem\r\nin no more than a second. Oncescu said that, to win the competition, you had to work fast, collaboratively, and\r\ncreatively. “The hardest part isn’t the coding,” he told me. “It’s the thinking.”\r\nHe added that there was a lot of overlap between contestants at these kinds of competitions and the “next\r\ngeneration” of top programmers and researchers. 
He could also imagine how such competitions might develop the\r\nskills of a criminal hacker, because “once you’ve found something weird about the way a system works, then it\r\ndoes become a mathematical problem in trying to take advantage of that.” The coding and the analytical skills on\r\ndisplay at such events were like the Force in the “Star Wars” movies: it could be used for the light side, or for the\r\ndark.\r\nAccording to many estimates, about seven thousand North Koreans work in the country’s cyber program.\r\nEmployees are split between the General Staff Department of the military, which assists the Army’s operations,\r\nand the Reconnaissance General Bureau, which is akin to the Office of the Director of National Intelligence in the\r\nU.S. The 2019 Korea University paper featured an analysis of how hackers were divided within these silos. The\r\nGeneral Staff Department has among its subgroups the chillingly named Enemy Collapse Sabotage Bureau, which\r\nis responsible for “information and psychological warfare.”\r\nMost of the criminal work is performed by the Reconnaissance General Bureau. According to the Korea\r\nUniversity researchers, a section of the R.G.B. known as Unit 180 is responsible for “conducting cyber operations\r\nto steal foreign money from outside North Korea.” The Lazarus Group is the best-known unit of North Korean\r\ncommercial hackers, but this entity may include—or have been partially replaced by—other groups, which are\r\nknown to Western law-enforcement and intelligence agencies by such names as the BeagleBoyz, Hidden Cobra,\r\nand APT38. (“APT” stands for “advanced persistent threat.”) Nobody seems to have a firm grasp on how many\r\npeople work for each group or which group makes the most money.\r\nAnother tantalizing question is where, geographically, North Korea’s hackers do their work. 
Moriuchi, the\r\nHarvard fellow, has spent years tracking the metadata of North Korean Internet users. Between 2017 and 2020,\r\nshe looked at North Korea’s tiny online footprint. At any moment, as few as a couple of hundred I.P. addresses in\r\nthe country might be in use. From this and other clues, she concluded that most of the country’s coders were\r\nworking outside North Korea, in China and parts of Southeast Asia. Certainly, Moriuchi said, most of North\r\nKorea’s new I.T. graduates appeared to spend a period of time abroad in such countries, where they learned\r\nvaluable “real world” skills. These foreign units were, in essence, both profit generators and training grounds.\r\n“He’s older and fatter, but that’s definitely the same guy in the painting.”\r\nCartoon by Frank Cotham\r\nRecently, an American analyst showed me the digital footprint of a cell that, he ascertained, consisted of North\r\nKoreans working in the border town of Dandong, China. The unit’s work was seemingly anodyne—there was no\r\nevidence that it engaged in malicious hacking. Communicating through the e-mail address\r\nbravemaster619@hotmail.com, the group solicited for freelance gigs on coder sites, in almost flawless English.\r\nBravemaster619’s profile on GitHub reads, “Wanna have your own website? Wanna add some features or\r\ncustomize the design of your existing system? Wanna improve your site to the next level? Hold my seasoned\r\ndevelopment skills!” The North Korean workers in Dandong did not advertise their nationality—presumably\r\nbecause of the sanction provisions—and appeared to charge competitive rates.\r\nLast year, I spoke to Lee Hyun Seung, a thirty-five-year-old who defected from North Korea in 2014 and now\r\nlives in the United States. He had worked in a trading business owned by the D.P.R.K. 
government, and in that\r\ncapacity he had lived for a time in Dalian, China. He said that he had no special knowledge of the hacking\r\nprogram, but that when he worked in Dalian he knew there were three teams of North Korean “I.T. workers”\r\nbased in the city. Lee told me that he once visited a so-called hacker dorm in Dalian. The men there lived four to a\r\nroom—sometimes six. The ten or so men who worked in one such unit told Lee that they spent most of their time\r\nmaking “big money” by designing mobile-phone video games for the Japanese, South Korean, and Chinese\r\nmarkets. A Chinese intermediary sold their products. Lee suggested that, though this coding work was mundane,\r\nthe North Koreans he met rarely wanted to be promoted—because a promotion would mean returning to\r\nPyongyang.\r\nThis anecdotal evidence was buttressed by another defector, who runs a South Korea-based clandestine radio\r\nnetwork whose broadcast signal penetrated North Korea. He told me that he was familiar with the D.P.R.K.’s\r\ncyber program, and, as he understood it, the work performed by North Korean I.T. workers outside the country\r\ntended to be “low level.” The stars of the program either were kept in Pyongyang or were returned there to do\r\ntheir most important government work—a tactic that prevented hackers engaged in high-priority operations from\r\nbeing caught while abroad. The defector told me that the best hackers in Pyongyang, who were involved in\r\nschemes that collected millions of dollars’ worth of foreign currency, were rewarded with cars or comfortable\r\nhouses, or with other material benefits known as Kim Jong Un’s Special Gifts, which were impossible for ordinary\r\ncitizens to obtain. This information, the defector said, came from a friend in North Korea whom he could\r\n“absolutely trust,” but who could not speak with me without risking his life.\r\nAn American investigator of sanction breaches, who works at a prominent N.G.O. 
but was not authorized to talk\r\non the record, was similarly convinced that the élite cadre of North Korean hackers was based in Pyongyang.\r\nMost likely, these operatives used foreign V.P.N.s—virtual private networks—to access the Internet from outside\r\nthe country, thus masking their location.\r\nJohn Demers, of the Justice Department, suspects that the Chinese state assists with North Korean cybercrime,\r\nbecause it “does not want North Korea to fail.” The American investigator of sanction breaches noted that “North\r\nKorea is connected to the world through essentially Russian and Chinese infrastructure,” adding, “There are\r\nstrong indications that Russia and China are well aware of what’s going on and actively have facilitated some of\r\nit.” A certain amount of legal and illegal trade continues across North Korea’s borders with Russia and China, both\r\nof which have historically been allies. According to the U.S. Cybersecurity and Infrastructure Security Agency, no\r\nfinancial institution in Russia or China has been targeted by North Korean hackers.\r\nThe most common target of North Korea’s cyber army is its sworn enemy, South Korea, which has suffered many\r\nhundreds of major attacks. Recently, I spoke to Simon Choi, a security-intelligence analyst who lives in Seoul. In\r\n2008, while performing mandatory military service, he learned about North Korea waging a cyberattack on the\r\nSouth Korean Army—an unsuccessful attempt by the Reconnaissance General Bureau to deploy malware in order\r\nto steal highly classified weapons secrets. Choi became fascinated with the threat posed by North Korean hackers.\r\n“I realized the cyber war was real,” he said.\r\nAfter completing his military service, Choi took a job in online security. 
He also began to organize a team of\r\nvolunteers in South Korea, called the IssueMakers Lab, which pores over malware attributed to the North\r\nKoreans, in order to understand it better. The group now numbers ten people, and includes men and women.\r\nAlthough the members are amateurs, not spies, their assessments are considered to be rigorous and acute. In his\r\nday job, Choi trawls the dark Web, investigating drug deals and other crimes on behalf of law-enforcement\r\nagencies; after hours, he thinks about hackers in Pyongyang.\r\nChoi told me that about eleven hundred North Koreans have written malicious scripts. He showed me some\r\nmalware code, written in 2016, that had been designed to cover the tracks of a North Korean bank heist. The\r\nmalware consisted of rows of seemingly random letters and numbers flowing down a page, in pairs. In the margins\r\nwere some recognizable English-language words—“Windows,” “everyone”—connected by cryptic punctuation.\r\nChoi could fluently and sensitively parse all this. Chinese and American coders were the best in the world, he said,\r\nbut Russians and North Koreans were tied for second. Of all the malware that Choi had examined, he reserved his\r\ngreatest admiration for the Stuxnet worm, which had been used in a successful joint Israeli-American attack on\r\nIran’s nuclear centrifuges, in 2010. He spoke about the Stuxnet code in the way that an art historian might discuss\r\n“The Night Watch”: it was “elegant,” “precise,” “sophisticated.” Choi told me that North Korean code was\r\n“masculine” in its brute concision: “Very simple, very practical, and they always go straight for their aim and\r\ngoal.” He added, “The key to their success is their relentlessness—they just attack, endlessly.”\r\nSometimes, he explained, coders embedded signatures or initials into their scripts. It was a form of tagging, or\r\nmaybe even bragging. 
He had occasionally noticed the initials of former International Math Olympiad competitors\r\nin malware that he examined. Once, when examining code related to a 2013 spear-phishing attempt on I.C.I.C.I.,\r\nan Indian bank, Choi noticed a tag, kut_rsc1994, belonging to a coder who had studied at Kim Chaek University.\r\n(“KUT” is an established tag for the school.) On further inspection, Choi came to believe that the coder was Ryu\r\nSong Chol, who had won a silver medal for North Korea at the I.M.O., in Amsterdam, in 2011. Later, Ryu posted\r\nthis tag on a hacking Web site, seemingly confirming the link.\r\nChoi was circumspect about attributing coding tags to real-life people: who could know for sure which person was\r\nbehind which persona? The North Koreans could well have swapped identities. He felt confident, though, that he\r\nhad never examined code written by a North Korean woman. I laughed when he told me this. How could he\r\npossibly know? “These are all guys,” he repeated. North Korea, he said, remained a traditional, male-dominated\r\nsociety, and it was extremely unlikely that the Reconnaissance General Bureau would train women for such work.\r\nThe IssueMakers often gave nicknames to the most accomplished North Korean hackers, although Choi wouldn’t\r\ntell me the names of anybody currently working for Pyongyang. I wondered whether he had ever felt as if he\r\nunderstood these coders as people. “I think we have a mutual awareness,” he told me. “They must see what we\r\nanalyze as well, because we publish it. That’s my feeling—that we are both aware of each other.”\r\nThe Internet, to abuse John Donne, makes one little room an everywhere. North Korea’s hackers have conducted\r\noperations in more than a hundred and fifty countries. 
In November, 2018, a programmer in Santiago, Chile, was\r\nrecruited for a high-level position at a foreign firm. The programmer, who worked at Redbanc, a network that\r\nconnects all the A.T.M.s in Chile, was invited via LinkedIn to apply for a position developing software at Global\r\nProcessing Centre, a third-party-payment processor in St. John’s, Antigua. The position was lucrative and part\r\ntime: the programmer could supplement his income without impinging on his work for Redbanc.\r\nGlobal Processing Centre’s job offer came from someone purporting to be Justin Stuart-Young, the company’s\r\nchief information officer. The Redbanc programmer was directed to a private e-mail address for Stuart-Young. The\r\ncourtship progressed to a video interview, in which Stuart-Young interviewed the programmer in Spanish. After at\r\nleast three more interviews, during which Stuart-Young said that he was looking forward to visiting Chile\r\nsomeday to meet in person, the Redbanc employee was asked to download and run a program that generated a\r\nPDF of a résumé. He did as instructed, but he never heard from Stuart-Young again. (The Redbanc programmer\r\nhas since resigned, and the company would not identify him.)\r\nWhile the programmer and Stuart-Young were corresponding, a cybersecurity professional named Juan Roa\r\nSalinas started in a new role at Redbanc. As he inspected the company’s internal network, he saw signs that it had\r\nbeen compromised. There were unusual connections to Internet domain names that he would not have expected to\r\nsee on the network.\r\nA voracious reader of tech news, Roa had been fascinated by the North Korean attack on Bangladesh Bank and\r\nhad studied the activities of the Lazarus Group and APT38. He had learned about North Korea’s FASTCash\r\nattacks, such as the one deployed in Japan. 
As he investigated the “strange behavior” in the Redbanc network, he\r\nand members of the company’s response team concluded that the business was under attack from a nation-state\r\nactor, most likely from Pyongyang. Among other clues, a Redbanc terminal had inexplicably looked up an I.P.\r\naddress in North Korea. Roa, judging that the threat was severe, recommended that Redbanc shut off its Internet\r\nfor a week.\r\nRoa remembers that his bosses found his request “shocking,” but they complied. An internal inquiry after the\r\nshutdown revealed that the company had indeed been in the middle of an attempted FASTCash breach. Such\r\nassaults normally take several months to execute. The hackers had first used a third-party criminal group for\r\n“social engineering.” The social engineers had mimicked a job offer from a real company in Antigua, using fake\r\nbut convincing e-mail addresses and even impersonating an executive, Justin Stuart-Young, using a Spanish-speaking actor who roughly fit his description. (When I spoke to the real Stuart-Young recently, it was the first\r\ntime he had heard of the Chile attack, and of his identity being stolen.)\r\nWhen the Redbanc programmer had run the infected program, it had activated a “dropper,” which granted hackers\r\nremote control of his computer. The hackers then made a series of lateral moves across other computers on the\r\ncompany’s network. Their goal was to compromise Microsoft’s Active Directory system at Redbanc, which\r\nconnects users with resources. By the time Roa noticed the intrusion, the hackers had not yet achieved this\r\nobjective. 
The next stage of the operation would have been to gain control of the mainframe at Redbanc, and then\r\nto initiate the FASTCash attack itself, which would use malware to conceal fraudulent withdrawal requests made\r\nat A.T.M.s. Roa purged the hackers from the Redbanc network before they could overtake the mainframe.\r\nAfter the attempted raid, Redbanc did what many companies subjected to such threats do: it kept quiet and\r\nimproved its security. The FASTCash attack at Redbanc became public only because Felipe Harboe, then a\r\nChilean senator, heard about it at a meeting of security experts and decided to tweet the news. Harboe told me last\r\nfall that he had broken Redbanc’s silence because South American institutions were now under constant threat\r\nfrom North Korean and Russian hacking groups. Redbanc officials, he said, were “surprised and upset” that\r\nHarboe had exposed their breach, but he felt that the problem required more transparency. There had been other\r\nA.T.M. attacks in Chile, and ransomware schemes—in which hackers take control of a computer network and\r\ndemand a fee for returning systems to normal—were even more common. Many ransomware operations started\r\nlike the one at Redbanc, relying on a single weak point of entry.\r\nThe North Koreans’ failure at Redbanc was only a minor inconvenience. The hackers’ strategy is to catch many\r\nfish by casting a wide net. The Cybersecurity and Infrastructure Security Agency has noted that, around the time\r\nof the attack on Redbanc, North Korean actors set in motion successful FASTCash assaults on dozens of banks in\r\nAsia and Africa, stealing tens of millions of dollars. 
In a single breach in 2017, money was simultaneously\r\nwithdrawn from A.T.M.s in more than thirty countries.\r\nPriscilla Moriuchi believes that in the past two years the aesthetic of North Korean cybercriminals has become\r\nsubtler. In addition to targeting big financial institutions, they have developed a faster, less flamboyant\r\n“operational tempo.” She explained, “They’ve managed to routinize financial fraud, attacks on smaller financial\r\ninstitutions and regular citizens. They’re much more like a normal criminal group now.”\r\nA report published in March by the U.N. panel of experts noted that one new avenue for North Korean\r\ncybercriminals is the theft of military information, either to sell or to harvest for the country’s weapons program.\r\nBut the most reliable money-maker for North Korea has become the theft of cryptocurrency.\r\nJesse Spiro, who is in charge of policy initiatives at Chainalysis, a private company that investigates\r\ncryptocurrency-related crime, told me recently that North Korean hackers have stolen at least $1.75 billion in\r\ndigital coins from trading exchanges. This revenue stream alone could cover about ten per cent of North Korea’s\r\ntotal defense budget.\r\nNorth Korea’s crypto-exchange hacks have a relatively straightforward methodology. Exchanges that trade bitcoin\r\nand other types of cryptocurrency typically hold escrow accounts full of their customers’ coins. These storage\r\nfacilities are known as “hot wallets,” because they are connected to the Internet. (A more secure but laborious\r\nmethod of storing coins is in an offline “cold wallet” containing, say, QR-code printouts that contain the keys to\r\nblockchain accounts.) Hackers from North Korea often gain access to an exchange’s internal systems using the\r\nsame types of manipulations involved in the failed attempt in Chile. 
Real-sounding people propose real-sounding\r\nschemes, then persuade a network user at a targeted company to download an infected document. Typically, one or\r\ntwo admin-level members at a cryptocurrency exchange have access to a hot wallet’s private keys. If hackers can\r\ncompromise a sufficiently senior figure, they can reach the wallet and steal its coins.\r\nTom Robinson, the chief scientist at the blockchain-analytics firm Elliptic, who tracks the proceeds of\r\ncryptocurrency hacks for governmental and private clients, told me that cryptocurrency trades have become\r\nattractive targets for North Korean hackers: “Once the funds have moved out of the exchange, you can’t reverse\r\nthose transactions, like you can maybe with a traditional bank payment. Once they’re gone, they’re gone. And\r\nthere’s no intermediary, there’s no controller of bitcoin, who you can go to and say, ‘Those funds are stolen. Give\r\nthem back to me.’ It’s completely decentralized. It can also be fairly anonymous—you don’t need to enact the\r\nscheme through accounts linked to your identity.”\r\nRobinson said that one of the most successful fake personas used by the Lazarus Group was Waliy Darwish—a\r\nman who supposedly worked for a cryptocurrency company, based in Michigan, called Celas L.L.C. The Lazarus\r\nGroup invented both Darwish and Celas. LinkedIn profiles and other pages related to the persona and to the\r\ncompany are still active. On LinkedIn, Darwish poses as a graduate of the Rotterdam University of Applied\r\nSciences and says that his interests include Rolls-Royces. He also claims, ungrammatically but somewhat\r\ntruthfully, to “know how to act the blockchain in cryptocurrency.” In February, an F.B.I. 
indictment against three\r\nsuspected North Korean hackers noted that some malicious software created by the Lazarus Group and purporting\r\nto be a cryptocurrency-trading program was called Celas Trade Pro.\r\nIn the spring of 2018, the Darwish-Celas mirage was convincing enough to bait employees of a cryptocurrency\r\nexchange in Hong Kong into downloading infected software. (An investigation into this operation continues, and\r\ninvestigators believe that confirming the identity of the exchange might damage an ongoing inquiry.) Within a few\r\nweeks of the malware’s installation, the hackers had stolen about ten thousand eight hundred bitcoins from the\r\nexchange’s hot wallet. The coins, then worth around ninety-four million dollars, would now be worth more than\r\nhalf a billion dollars.\r\nThe money-laundering patterns that typically follow such raids are dizzying. Elliptic has traced what happened to\r\nthe coins from the Hong Kong-exchange hack. Robinson explained that all the stolen coins were forwarded to a\r\nwallet maintained by the hackers, then split into dozens of small amounts and sent, through different routes, to\r\nanother exchange. Such an atomized transfer of money is known as a “peel chain.” When Robinson showed me a\r\ndiagram of the dispersal of coins, I was reminded of an airline-magazine route map in which several lines sprout\r\nfrom one dot and then converge on another.\r\nA peel chain is designed to outwit automatic alerts, which search for the transit of a precise volume of\r\ncryptocurrency. The stolen coins were sent to two Chinese men, Tian Yinyin and Li Jiadong, who had opened\r\naccounts on other exchanges, including one in the U.S., using fake pictures and fake names. They then cashed out\r\nthe coins and transferred the money to Chinese banks. According to the U.S. Treasury, several financial\r\ninstitutions in China offer accounts to North Koreans, or to front companies that have relationships with\r\nPyongyang. 
Last year, Tian and Li were indicted in the United States for allegedly laundering “over a hundred\r\nmillion dollars’ worth of stolen cryptocurrency to obscure transactions for the benefit of actors in North Korea”\r\nbetween 2017 and 2019. They remain at large.\r\nIn 2019, the U.N. listed dozens of cryptocurrency exchanges that had been hacked by the North Koreans. One\r\nexchange in Seoul, Bithumb, was successfully raided four times—a tremendous failure of security. Since the U.N.\r\nreport was published, the refinement of the attacks has only deepened, as has the skill with which the proceeds of\r\ncrime are laundered. According to Jesse Spiro, of Chainalysis, fifteen cryptocurrency heists have been reported so\r\nfar this year. It is too early to say how many will be attributed to North Korea.\r\nSpiro noted that the authorities were increasingly on the lookout for such schemes. Awareness of peel chains, for\r\nexample, has become widespread; the tactic is “relatively easy to trace if you have blockchain forensics or\r\nanalysis capabilities,” he said. But new obfuscation techniques have emerged. Professional money launderers offer\r\nsuch services as CoinJoin, which mixes stolen and non-stolen coins to confuse forensic analysts.\r\nIf one compared the industry and the manpower that went into planning and executing the Bangladesh heist with\r\nthe almost casual way in which digital tokens are often stolen, it would be evident why the North Koreans have\r\ncome to favor such exchange heists. Spiro told me that private forensics firms and law-enforcement agencies were\r\nfinally addressing the problem with the seriousness it deserved. Understanding how to track cryptocurrency is an\r\nincreasingly important skill, not least because North Korean hackers, and members of many criminal gangs,\r\naccept ransomware payments in digital currency. 
Between 2019 and 2020, according to Chainalysis, ransomware\r\nincidents rose by more than three hundred per cent.\r\nEven if other laundering techniques become well known and stolen coins could be readily flagged, the key to\r\nmaking such heists unprofitable is to stop thieves from cashing out. This is unlikely anytime soon, Spiro said,\r\nbecause of the lax practices of certain Chinese, Eastern European, and Southeast Asian exchanges. At a press\r\nconference to announce the February indictments against the three North Korean hackers, John Demers, of the\r\nJustice Department, made a pointed reference to such facilitators, saying that it was past time “for Russia and\r\nChina, as well as any other countries whose entities or nationals play a role in the D.P.R.K. revenue-generation\r\nefforts, to take action.”\r\nWhat good will such statements do? The U.S. has failed for a decade to find an effective response to the North\r\nKorean cyber threat. Luke Dembosky, the former Deputy Assistant Attorney General, worked with Sony\r\nthroughout the 2014 crisis. At the time, some security experts doubted that North Korea was capable of such an\r\nattack. Dembosky told me that “we would not have sent Obama to the podium lightly,” but when the President did\r\nspeak it was in measured terms. North Korea was accused of “vandalism” instead of a more serious crime. David\r\nMaxwell, a former Special Forces colonel who is now a senior fellow at the Foundation for Defense of\r\nDemocracies, a conservative think tank, told me that it was hard to know what to do about a country behaving like\r\na gang: “North Korea often operates below the threshold of a strategic response. Something like the Sony hack—\r\nthat was an attack on a company. 
It wasn’t something that our government defended against.”\r\nSeveral government agencies—including the F.B.I., the N.S.A., and the Secret Service—are now working\r\naggressively to address the threat. The F.B.I.’s indictments against hackers from the Lazarus Group outline the\r\nunit’s alleged crimes in detail. One indictment noted that the hackers had “attempted to steal or extort more than\r\n$1.3 billion” from “entertainment companies, financial institutions, cryptocurrency companies, online casinos,\r\ncleared defense contractors, energy utilities, and individuals.” The F.B.I. also recently arrested and charged a\r\nCanadian-American man who allegedly laundered money for the North Koreans.\r\nSimilarly, an American blockchain expert named Virgil Griffith was indicted in January, 2020, in the Southern\r\nDistrict of New York, for contravening U.S. sanctions against North Korea. Griffith had travelled to Pyongyang in\r\n2019 to give a speech at a cryptocurrency conference. The complaint against Griffith alleges that he was instructed\r\nby his North Korean hosts to focus his presentation on “the potential money laundering and sanction evasion\r\napplications of cryptocurrency and blockchain technology.” Griffith has pleaded not guilty.\r\nThe unsealed indictments are a boon to journalists and researchers, but the chances of any North Korean hacker\r\nbeing prosecuted successfully are vanishingly slim. There is, however, a growing recognition in America of the\r\nthreat presented by cybercriminals. President Joe Biden has secured ten billion dollars for federal agencies dealing\r\nwith the issue of cybercrime. 
A government adviser told me that one major remedy being considered is the\r\nestablishment of new protocols that will allow agencies to work much more closely with private security\r\ncompanies, which often perform the best cybercrime forensic work.\r\nThe national-security threat posed by North Korean hackers is less obvious than the one posed by Russian\r\nhackers, who have notoriously interfered in U.S. elections. The Obama Administration’s special adviser on\r\ncybersecurity, Michael Daniel, is now the president and C.E.O. of the Cyber Threat Alliance, a nonprofit\r\norganization dedicated to improving the sharing of intelligence about the threats posed by online crime. He told\r\nme that North Korea presented unique difficulties for law-enforcement agencies, not only because its criminal\r\nactivity was mixed up with its intelligence-gathering capabilities but also because its gangsterism now interferes\r\nwith crucial networks in other countries, such as health-care operations. “When you get ransomware hitting\r\nmedical systems during a pandemic, that’s no longer just a monetary threat,” Daniel said.\r\nNorth Korea’s cybercrime perpetrators often seem like faceless, amoral criminals. They also seem like victims.\r\nCostin-Andrei Oncescu, the Oxford programmer, was saddened to think of brilliant young North Korean minds\r\nbeing wasted in schemes to rob banks and install ransomware. But it is almost impossible to learn the stories of\r\npeople from the program. David Maxwell, the former Special Forces colonel, told me that the few defectors from\r\nthe Reconnaissance General Bureau’s cyber units had generally immigrated to South Korea, where they had\r\nimmediately fallen under the supervision of the country’s intelligence services. 
Occasionally, however, it is\r\npossible to glimpse the path imposed on Kim Jong Un’s “brave warriors.”\r\nRi Jong Yol was a mathematics prodigy. He was born into an academic family outside Pyongyang in 1998. By the\r\ntime he entered first grade, at the age of seven, he had been studying daily with a private tutor, and had already\r\nmastered the entire elementary-school syllabus. In middle school, he entered and won a national mathematics\r\ncompetition, and he was selected to attend a high school for gifted children. At fifteen, he was the youngest\r\nmember of North Korea’s team at the 2013 International Math Olympiad, in Santa Marta, Colombia.\r\nRi was a tall, gregarious, good-looking boy who liked playing volleyball and Ping-Pong. Unlike his teammates at\r\nthe I.M.O., he enjoyed meeting the kids from other countries. He saw foreign teen-agers accessing the Internet in\r\ntheir spare time and wondered if he might give it a try. He had never been online. (The few computer terminals\r\nthat he’d seen in village schools weren’t connected to the Internet, and he’d never even seen the machines turned\r\non, because the schools rarely had electricity.) In the end, Ri did not submit to temptation. He knew that he would\r\nbe severely punished if he was caught.\r\nRi won a silver medal at his first I.M.O.—an exceptional result for such a young contestant. In 2014 and 2015, he\r\nmade the team again, travelling to Cape Town, South Africa, and then to Chiang Mai, Thailand. He won silver\r\nmedals at both events. Ri remembers how happy he was seeing other contestants who returned year after year. He\r\nalso struck up friendships with South Korea’s team members, with whom he shared a language. 
They were meant\r\nto be his enemies, but Ri couldn’t see the harm in talking to them.\r\nAfter he returned from the 2015 I.M.O., an acquaintance who worked at a local Workers’ Party office told him that\r\nsenior figures from a secretive government agency were interviewing Ri’s friends and relatives. He instantly knew\r\nwhat was about to happen: the state would harness his talent for numbers by giving him a job as a hacker, or as a\r\nfunctionary in the nuclear program. Apparently, the state had decided that he didn’t need to go to college before he\r\nbegan a career of secretive labor. The prospect filled him with dread. Working in the most guarded sections of the\r\nmilitary meant that you were cut off from society. He would have no freedom whatsoever. He also realized that if\r\nhe were instructed to join such an agency he could not refuse.\r\nRi knew that he could compete in the I.M.O. until he was eighteen, which meant that he could participate in one\r\nmore competition before being recruited: an event at the Hong Kong University of Science and Technology. The\r\nNorth Korean mathletes were not heavily supervised at the competition, and Ri was on friendly terms with the\r\nteachers who accompanied the team. After winning another silver medal, Ri took his chance. He walked out of the\r\ndorm where he was staying and hailed a cab to the airport, where—with the help of a friendly airline worker—he\r\nfound the address of the South Korean consulate. He took another taxi there and told a South Korean diplomat that\r\nhe wished to defect. He then spent seventy days in Hong Kong, waiting nervously while the South Korean\r\ndelegation negotiated his safe passage to Seoul. (After Ri’s defection, North Korea suspended its I.M.O. program\r\nfor two years, and now sends a government agent with the team, to insure that nobody escapes.)\r\nRi is now twenty-three and goes by a South Korean name. He is studying mathematics at Seoul National\r\nUniversity. 
He has not seen his parents since he defected. In a recent conversation, he told me that he had\r\ndeveloped his escape plan without any outside help, but he may have been protecting his loved ones. In North\r\nKorea, the families of defectors often meet grim fates. Ri said that he had no regrets about leaving his native\r\ncountry. Since his escape, he has considered how his talent would have been squandered had he stayed in\r\nPyongyang. In Seoul, he saw only possibilities. He told me, with excitement, that he was hoping to spend a year in\r\nthe United States, on an exchange program.\r\nOne of the first things that Ri did after he landed in South Korea in 2016 was go online. With the help of a mentor,\r\nhe set up a Gmail account. The mentor then encouraged him to make his first Google search. He was momentarily\r\nat a loss. In North Korea, where information was strictly controlled, Ri’s curiosity had been insatiable. But now,\r\nwith the world seemingly at his fingertips, he felt overwhelmed by choice. There was so much to know. Ri opened\r\na search box and typed “북한/北韓”: “North Korea.” ♦\r\nAn early printing of this story misstated the approximate latitude of the border between North and South Korea.\r\nAn earlier version misstated the name of the think tank the Foundation for Defense of Democracies.\r\nSource: https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army"
	],
	"report_names": [
		"the-incredible-rise-of-north-koreas-hacking-army"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fdf8d396-bbe4-454c-970a-81c4c3093b27",
			"created_at": "2022-10-25T16:07:23.763387Z",
			"updated_at": "2026-04-10T02:00:04.742186Z",
			"deleted_at": null,
			"main_name": "BeagleBoyz",
			"aliases": [
				"BeagleBoyz",
				"Operation FASTCash"
			],
			"source_name": "ETDA:BeagleBoyz",
			"tools": [
				"Cyruslish",
				"ECCENTRICBANDWAGON",
				"FASTCash",
				"NACHOCHEESE",
				"NachoCheese",
				"PSLogger",
				"TWOPENCE",
				"VIVACIOUSGIFT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434741,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b83581c5a986f48e187a4102bbd2305d04e2673.pdf",
		"text": "https://archive.orkl.eu/3b83581c5a986f48e187a4102bbd2305d04e2673.txt",
		"img": "https://archive.orkl.eu/3b83581c5a986f48e187a4102bbd2305d04e2673.jpg"
	}
}