The hackers of North Korea


On October 10, 2025, North Korea held a military parade to celebrate the 80th anniversary of its ruling party. It showcased various new Intercontinental Ballistic Missiles (ICBMs), cruise missiles and rocket-equipped drone systems.

How is North Korea funding the development of its military arsenal, including ICBMs, its missile and nuclear programme, and other Weapons of Mass Destruction (WMD)?

Cyber theft has remained the main source of funding for the North Korean military, primarily its missile programme. These operations are carried out by sophisticated government-backed groups reporting to North Korea’s military intelligence agency, the Reconnaissance General Bureau. The most notable of these are the Lazarus Group (also known as APT38) and its sub-groups, which are responsible for major heists and espionage.

The North Korean government has been using state-sponsored cyberattacks, particularly the hacking of financial institutions and cryptocurrency exchanges, to siphon funds for its nuclear weapons and ballistic missile programme. The cyberattacks have become a primary source of foreign currency. A 2024 UN report estimated that North Korea-linked cyberattacks generated approximately US$ 3 billion between 2017 and 2023.

In the last few years, North Korean hackers have increasingly targeted cryptocurrency exchanges and loosely controlled financial institutions, which are often seen as ‘soft targets’. According to a United Nations report, between 2017 and 2023 North Korea carried out 58 cyberattacks, including the largest cryptocurrency theft in history, worth GBP 1.1 billion (USD 1.5 billion). In 2022 alone, North Korean hackers stole approximately US$ 1.35 billion in cryptocurrency assets. So far in 2025, its crypto theft has reached US$ 2.84 billion, breaking its 2022 record.

The top operators involved in such attacks are APT 37 and APT 38, viz., Kimsuky and Lazarus Group. APT 38 has targeted banks across Bangladesh, Taiwan, South Korea and Chile, using ransomware and spear-phishing techniques to compromise individuals within banks and financial institutions. The Lazarus Group has been active in cyberattack operations since 2009. This group has been targeting cryptocurrency and blockchain currency through ransomware, spear-phishing and fraudulent profiles. In addition, they have been attacking financial institutions, particularly ATMs, using methods such as FASTCash and fraudulent accounts.

To launder the illicit funds and evade surveillance, the North Korean hackers use various methods, including cryptocurrency mixers (e.g., Tornado Cash, Blender.io), decentralized exchanges, foreign bank accounts, and shell companies, mostly operating from countries like Singapore, Chile and the Philippines.

The funds stolen by hacking financial institutions and cryptocurrency exchanges are directly channeled into the development and testing of Weapons of Mass Destruction and ICBMs. According to a statement in a UN report, these malicious cyberattacks account for roughly 50% of North Korea’s foreign currency income, which helps to fund up to 40% of its nuclear weapons programme.

In addition to cyberattacks by state-sponsored hackers, in a parallel effort to generate foreign income, the regime sends thousands of skilled IT workers abroad who use fraudulent identities to obtain high-paying remote work at global companies (including US Fortune 500 firms) and funnel their salaries back to North Korea. These workers can also gain access to company systems for future malicious operations.

In order to enforce strict international sanctions, a Multilateral Sanctions Monitoring Team (MSMT) was formed, consisting of representatives from Australia, Canada, France, Germany, Italy, Japan, Netherlands, New Zealand, Republic of Korea, United Kingdom and United States. MSMT issued a press statement on 4.11.2025 in order to provide UN Member States with information to protect their governments, private businesses and private citizens from North Korean cyberattacks and IT worker exploitation. The press report reads as follows:

“We, the participating states of the Multilateral Sanctions Monitoring Team (MSMT), released today a report on the DPRK’s cyber and information technology (IT) worker activities furthering violations of United Nations Security Council resolutions (UNSCRs). This multilateral mechanism was established in October 2024 to monitor and report on the implementation of UN sanctions measures on the Democratic People’s Republic of Korea (DPRK).

The report details the deep connections between UN-sanctioned DPRK entities and the DPRK’s cyber activities, including cryptocurrency theft, fraudulent IT work, and cyber espionage. The report consolidates information provided by MSMT participating states and the private sector on violations and evasions of sanction measures stipulated in relevant UNSCRs. The DPRK exploits private industry, private citizens, and dozens of countries in order to steal and fraudulently obtain billions of dollars for its unlawful WMD and ballistic missile programmes. UN-designated DPRK entities, including the Reconnaissance General Bureau, carry out the majority of these activities in violation of the asset freeze set out in UNSCR 1718.

This report is a product of our efforts to address the monitoring gap arising from the disbandment of the UN Security Council’s 1718 Committee Panel of Experts in April 2024 which was caused by Russia’s veto in March 2024. The report will assist with the full implementation of UN sanctions by the international community. We urge the Security Council to reestablish the Panel of Experts in the same strength and structure it had prior to its disbandment.”

(The writer is formerly DG, DRI, DG, NCB and Member, CBIC)
