The Hackers Who Fund Kim's Missiles: Inside North Korea's Cyber Empire
Cryptocurrency heists. Fake developers embedded in Fortune 500 companies. A billion-dollar laundering machine run by a state that most of the world barely trades with. North Korea has built the most unusual cybercrime operation on earth — and it is scaling up.
In April 2026, $635 million vanished from two cryptocurrency platforms in the space of a fortnight. Drift Protocol, built on the Solana blockchain, lost $285 million. Kelp DAO, a decentralised finance restaking protocol on Ethereum, lost another $292 million — the single largest crypto theft of the year. By the end of April, North Korea's Lazarus Group had accounted for nearly 76 percent of all cryptocurrency stolen globally in 2026, in just two attacks.
This is not a new story. It is a story that keeps getting bigger.
A State That Runs on Stolen Money
North Korea is one of the most heavily sanctioned nations on earth. Cut off from the international financial system, denied access to hard currency through conventional trade, and barred from most forms of foreign exchange, the regime has spent more than a decade building an alternative revenue stream: cyber theft.
"North Korea is unique in that it practices state cyber-banditry," says Alexis Rapin, a researcher on cyber threats at the Université du Québec à Montréal. "Hackers linked to the regime conduct attacks on financial grounds, in order to fill the coffers of the regime, which is extremely sanctioned, isolated, and sorely lacking in currency."
The scale of this operation is now industrial. Chainalysis, the blockchain intelligence firm, puts cumulative North Korean-linked cryptocurrency theft at $6.75 billion between 2019 and the end of 2025, with last year's haul — $2.02 billion — being the largest on record. The Bybit hack of February 2025, in which $1.5 billion was stolen from the Dubai-based exchange in what the FBI described as the largest single crypto heist in history, set a new benchmark. The April 2026 operations suggest that benchmark may be surpassed before the year is out.
As Nick Carlsen, a former FBI analyst now at TRM Labs, put it: "This is now an industrial-scale operation. It has specialisation, pipelines, long-horizon planning, tool development, and a laundering infrastructure that has been resilient to three successive rounds of sanctions. There is no equivalent adversary in any other cybercrime category."
The Lazarus Group and Its Expanding Playbook
The hacking groups operating under North Korea's state apparatus are collectively described under the umbrella of Bureau 121, a unit of the Reconnaissance General Bureau — the regime's military intelligence service. The most prominent of these is the Lazarus Group, a name that has become shorthand for a loose confederation of specialised hacking units responsible for some of the most consequential cyber operations of the past decade.
Lazarus first drew global attention by hacking Sony Pictures Entertainment in 2014, in apparent retaliation for a satirical film about North Korea's leader. It graduated to financial crime with the $81 million heist of the central bank of Bangladesh in 2016, exploiting the SWIFT interbank messaging network with striking sophistication. Since then, the group's focus has shifted decisively toward cryptocurrency — a sector that, as Andy Piazza of Palo Alto Networks' Unit 42 explains, is "much more vulnerable to cyberattacks while maintaining comparable volumes of cash capital," making it an irresistible target.
The methods have evolved continuously. In 2022, Lazarus relied primarily on compromised validator keys and poisoned software supply chains. By 2024, the group had pivoted to social engineering — fake recruiters and investors approaching software engineers, staged "technical interviews" that smuggled malware onto developer machines, and AI-generated profiles to create convincing identities at scale. The April 2026 Kelp DAO attack, which exploited a cross-chain bridge vulnerability on LayerZero, showed yet another dimension: patient, technically sophisticated exploitation of the decentralised finance infrastructure that sits beneath much of the cryptocurrency industry.
In April 2026 alone, Lazarus conducted 12 attacks on crypto protocols. In each case, the laundering followed a well-documented playbook: stolen tokens converted to major currencies via decentralised exchanges, routed through cross-chain bridges — primarily THORChain, which processed an unprecedented surge in cross-chain volume following Bybit and again after Kelp DAO — and distributed across fresh wallets before going dormant. The proceeds can sit untouched for months or years before a structured, multi-phase cashout begins. The Kelp DAO funds saw approximately $175 million in ETH move through THORChain after the Arbitrum Security Council froze a portion of the stolen assets.
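The laundering sequence just described, theft address to decentralised exchange swap, then a cross-chain bridge, then fan-out to fresh wallets that sit dormant before a delayed cashout, is the pattern a tracing analyst tries to recover from on-chain transfers. The script below is an added example, not code from this article, TRM Labs or Chainalysis: it runs a time-respecting graph search forward from a theft address over a constructed transfer ledger and reports the signals that mark each stage. Every address, label and transfer in it is a constructed placeholder, and the label names ("dex", "bridge", "exchange_deposit") are assumptions of the example.

```python
"""Hop-by-hop trace of stolen funds over a constructed transfer ledger.

Added example; it is not code from the article, TRM Labs or Chainalysis.
It models the laundering sequence the article describes (theft address ->
decentralised exchange swap -> cross-chain bridge -> fan-out to fresh
wallets -> dormancy -> delayed cashout) as a time-respecting graph search.
Every address, label and transfer below is a constructed placeholder.
"""
from collections import defaultdict, deque

# Constructed infrastructure labels; a real tracer would load these from an
# attribution database. The tag names are hypothetical.
LABELS = {
    "0xDEX1": "dex",
    "0xBRIDGE": "bridge",
    "0xCEX_DEPOSIT": "exchange_deposit",
}

# Constructed transfers: (block, sender, recipient, usd_value)
TRANSFERS = [
    (100, "0xTHEFT", "0xDEX1", 1_000_000),      # swap stolen token at a DEX
    (100, "0xDEX1", "0xTHEFT", 1_000_000),      # DEX returns a major asset
    (101, "0xTHEFT", "0xBRIDGE", 1_000_000),    # send everything to a bridge
    (105, "0xBRIDGE", "0xW1", 250_000),         # fan-out to fresh wallets
    (105, "0xBRIDGE", "0xW2", 250_000),
    (105, "0xBRIDGE", "0xW3", 250_000),
    (105, "0xBRIDGE", "0xW4", 250_000),
    (900, "0xW2", "0xCEX_DEPOSIT", 250_000),    # one wallet cashes out much later
]


def trace(transfers, source, labels, fan_out_min=3, dormancy_blocks=500):
    """Follow funds forward from `source` and summarise laundering signals."""
    out = defaultdict(list)
    for block, sender, recipient, value in sorted(transfers):
        out[sender].append((block, recipient, value))

    # addr -> (block at which taint first arrived, hop count from source)
    arrival = {source: (0, 0)}
    queue = deque([source])
    while queue:
        addr = queue.popleft()
        arrived, hop = arrival[addr]
        for block, recipient, _ in out[addr]:
            if block < arrived:
                continue  # funds cannot leave before they arrived
            if recipient not in arrival:
                arrival[recipient] = (block, hop + 1)
                queue.append(recipient)

    report = {
        "hops": {addr: hop for addr, (_, hop) in arrival.items()},
        "bridges_touched": sorted(a for a in arrival if labels.get(a) == "bridge"),
        "cashout_points": sorted(a for a in arrival if labels.get(a) == "exchange_deposit"),
        "fan_out": {},
        "parked": [],
        "delayed_cashout": [],
    }
    for addr, (arrived, _) in arrival.items():
        later = [(b, r) for b, r, _ in out[addr] if b >= arrived]
        recipients = {r for _, r in later}
        if len(recipients) >= fan_out_min:
            report["fan_out"][addr] = len(recipients)  # distribution point
        if addr == source or addr in labels:
            continue  # infrastructure is not a holding wallet
        if not later:
            report["parked"].append(addr)  # received, never moved on yet
        else:
            gap = min(b for b, _ in later) - arrived
            if gap > dormancy_blocks:
                report["delayed_cashout"].append((addr, gap))
    report["parked"].sort()
    report["delayed_cashout"].sort()
    return report


if __name__ == "__main__":
    for key, value in trace(TRANSFERS, "0xTHEFT", LABELS).items():
        print(f"{key}: {value}")
```

The search is time-respecting on purpose: a wallet's outgoing transfer only propagates taint if it happened at or after the block in which tainted funds arrived, which keeps earlier, unrelated activity of an intermediary (a busy DEX or bridge contract) out of the trace. Dormancy is measured in blocks here; on a real chain the analyst would convert to wall-clock time and tune the threshold to the months-long waits the article describes.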
Alongside direct theft, a newer campaign has also emerged. In April 2026, security researchers identified a Lazarus Group operation targeting fintech and crypto executives through a technique called "Mach-O Man": fake online meeting invitations that instructed victims to paste a command into their Mac terminal to "fix a communication problem." The command granted attackers full access to corporate and financial systems. The social engineering entry point is increasingly replacing the technical exploit — because it is faster, cheaper, and harder to defend against.
The Fake Developers in Your Company
Cyber theft is only one strand of North Korea's digital revenue strategy. The other — less dramatic, arguably more insidious — involves infiltrating the global technology workforce.
North Korea has dispatched an estimated 100,000 workers to 40 countries, generating approximately $500 million a year for the regime. A significant subset of this operation involves placing developers — equipped with stolen identities, AI-generated profile photos, and forged documents — into technology jobs at American and European companies, including Fortune 500 firms.
The mechanics of the scheme were laid bare in a series of U.S. Department of Justice prosecutions that accelerated through 2026. In April, two New Jersey residents — Kejia Wang and Zhenxing Wang — were sentenced to nine years and seven-and-a-half years in prison respectively for running a "laptop farm": a network of company-issued computers hosted at their residences that allowed North Korean workers overseas to appear, to their employers' monitoring systems, to be working from New Jersey. The scheme used stolen identities of more than 80 Americans, forged Social Security cards, fabricated California driver's licences bearing North Korean operatives' photographs, and falsified tax documents submitted to the IRS.
Over three years, their network placed North Korean workers in more than 100 American companies, generating over $5 million in salaries that were then funnelled back to Pyongyang.
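The laptop farm works because each company only sees its own device checking in from a residential address; the pattern becomes visible when check-ins are compared across identities. The script below is an added example, not code from this article or from the Department of Justice: it reads constructed endpoint check-in lines and flags two signals a defender would look for, several distinct employee identities egressing from one residential IP, and identities whose HR-declared home state does not match where the laptop actually sits. The log line format, the HR records and the IP-to-state table are all constructed assumptions of the example, and the IPs come from documentation ranges.

```python
"""Flag laptop-farm-style co-location in device check-in logs.

Added example; it is not code from the article or from the Department of
Justice. It applies the article's description of the scheme (many company
laptops for different employee identities physically hosted at one
residence) to endpoint check-in records: several distinct users egressing
from one residential IP, and identities whose declared home state does not
match where their laptop actually is. The log format, HR records and IP
geolocation table are all constructed for the example.
"""
import re
from collections import defaultdict

# Hypothetical MDM/VPN check-in line format
LOG_RE = re.compile(
    r"(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) src_ip=(?P<ip>\S+)"
)

# Constructed sample log (documentation IP ranges, made-up users)
SAMPLE_LOG = """\
2026-04-01T09:00:12Z device=LT-0412 user=j.miller src_ip=203.0.113.10
2026-04-01T09:01:44Z device=LT-0977 user=a.chen src_ip=203.0.113.10
2026-04-01T09:03:02Z device=LT-1203 user=r.patel src_ip=203.0.113.10
2026-04-01T09:05:30Z device=LT-0550 user=s.lopez src_ip=203.0.113.10
2026-04-01T09:07:18Z device=LT-0301 user=k.novak src_ip=198.51.100.7
2026-04-01T09:09:51Z device=LT-0301 user=k.novak src_ip=198.51.100.7
2026-04-01T09:12:05Z device=LT-0888 user=d.kim src_ip=198.51.100.9
"""

# Constructed HR data: declared home state per identity
HR_HOME_STATE = {
    "j.miller": "NJ", "a.chen": "TX", "r.patel": "CA",
    "s.lopez": "WA", "k.novak": "NJ", "d.kim": "NY",
}
# Constructed IP geolocation; a real tool would query a geo database
IP_STATE = {"203.0.113.10": "NJ", "198.51.100.7": "NJ", "198.51.100.9": "NY"}


def parse(log_text):
    """Turn raw check-in lines into dicts; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_colocated(records, min_users=3):
    """IPs from which at least `min_users` distinct identities check in."""
    users_by_ip = defaultdict(set)
    for r in records:
        users_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}


def find_location_mismatch(records, hr_state, ip_state):
    """Identities whose declared home state differs from the laptop's egress state."""
    seen = set()
    for r in records:
        declared = hr_state.get(r["user"])
        observed = ip_state.get(r["ip"])
        if declared and observed and declared != observed:
            seen.add((r["user"], declared, observed))
    return sorted(seen)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("co-located identities:", find_colocated(recs))
    print("declared/observed mismatches:",
          find_location_mismatch(recs, HR_HOME_STATE, IP_STATE))
```

Either signal alone has benign explanations (a shared household, a contractor who moved), which is why the example reports them separately and leaves the correlation to the analyst; the case the article describes would trip both, since the identities belonged to people scattered across the country while every laptop sat in one New Jersey residence.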
This single network was the eighth to be sentenced in five months as part of the Justice Department's DPRK RevGen: Domestic Enabler Initiative, which targets the American facilitators who make these schemes possible. The Treasury's Office of Foreign Assets Control separately sanctioned six individuals and two entities in March 2026 for their roles in IT worker networks operating across Vietnam, Laos, Spain and North Korea itself, with one designated company — Amnokgang Technology Development Company — specifically managing overseas delegations of IT workers while conducting procurement activities for military and commercial technology.
The Justice Department's assessment is blunt: North Korean IT workers "have committed data extortion and exfiltrated the proprietary and sensitive data from U.S. companies" — meaning the fraud does not end with the salary. In some cases, once embedded, workers have leveraged their insider access to steal intellectual property, install backdoors, or conduct extortion.
The Money Goes to Missiles
What does a North Korean nuclear weapons programme look like in 2026? Among other things, it looks like a $290 million cryptocurrency theft and a network of fake software developers embedded in the technology industry of the country the regime regards as its primary adversary.
The revenues generated by North Korea's cyber operations — estimated between $500 million and $600 million annually from crypto theft alone, with IT worker salaries adding hundreds of millions more — fund a military programme that includes ongoing nuclear weapons development and ballistic missile testing. In April 2026, the North Korean destroyer Choe Hyon conducted a missile test launch. The connection between Lazarus Group's latest heist and that missile on the launchpad is not metaphorical. It is operational.
For a country with a GDP estimated at between $30 billion and $40 billion, a consistent revenue stream of this size is strategically significant. Cyber has become, as analysts put it, a direct financing tool: digital operations generating income that feeds the physical military machine.
The Laundering Problem Nobody Has Solved
One of the most revealing aspects of North Korea's cyber operation is how it launders stolen funds — and how the infrastructure that enables that laundering has proved resistant to sanctions.
After the U.S. Treasury sanctioned the crypto mixing services Tornado Cash and Sinbad.io, North Korean operators shifted their laundering flows to cross-chain bridges, primarily THORChain, and to exchange-adjacent services like eXch. Bridge-related theft laundering rose 66 percent between 2023 and 2025, according to TRM Labs data, while mixer-related activity fell 37 percent. THORChain's developers have claimed the protocol is decentralised and cannot reject transactions. TRM Labs' analysis of the Kelp DAO theft traced portions of the initial funding all the way back to a Bitcoin wallet controlled by Wu Huihui, a Chinese crypto broker indicted in 2023 for laundering Lazarus thefts — a thread connecting April 2026 directly to operations from 2018.
The cumulative effect is a laundering infrastructure that has absorbed multiple rounds of Western enforcement action, adapted each time, and continued to operate. The assets enter as stolen tokens. They emerge as Bitcoin. They end up as foreign currency for a regime that has no legitimate access to any.
Training, Infrastructure, and the China Question
North Korea's cyber capability did not appear from nowhere. At home, institutions including Kim Chaek University of Technology, Kim Il-sung University, and Moranbong University select the most academically gifted students in the country for six-year programmes of intensive specialised training in network infiltration, malware development, and signals intelligence. The pipeline is long, systematic, and produces several hundred new operatives a year.
Abroad, the picture is more complex. BBC investigative reporting has highlighted the close operational relationship between North Korea's cyber apparatus and China, with North Korean specialists reportedly receiving specific training in Shenyang — the Chinese city close to the North Korean border — where they learn to develop and deploy malware on corporate networks, servers, and financial infrastructure.
China's own cyber strategy differs in focus — characterised by espionage, intellectual property theft, and systematic harvesting of foreign innovation — but the two states share a structural interest in undermining the Western-led financial and regulatory order. Whether Beijing actively directs North Korea's financial cyber operations or merely tolerates them remains a matter of intelligence dispute. What is clear is that North Korea's most important laundering routes — through Chinese banking networks, and Chinese-based intermediaries — have remained operational despite sustained U.S. enforcement pressure.
What This Means for Everyone Else
North Korea's cyber operation poses a challenge that does not fit neatly into existing frameworks. It is not espionage in the traditional sense, though it includes espionage. It is not terrorism. It is not conventional organised crime, though it uses criminal methods. It is state-directed financial predation conducted through a digital channel that most of the world's governments are still learning to regulate.
For the cryptocurrency industry, the lesson is increasingly unavoidable. As one TRM Labs analysis put it: "Every mis-audited admin key, every unrotated RPC endpoint, every engineer who clicks a 'portfolio company interview' calendar invite becomes, in a real sense, a line item in North Korea's missile budget."
For technology companies, the fake developer threat is no longer theoretical. The Department of Justice has described it as a systematic, ongoing operation targeting companies of all sizes across sectors from financial services to defence-adjacent software. The stolen identities used are real Americans' identities. The forged documents are of sufficient quality to pass standard hiring checks. And once inside, these workers have, in documented cases, turned from employee to extortionist.
For governments, the fundamental challenge is that North Korea has found a revenue stream that sanctions were never designed to block — because it did not exist when the sanctions were designed. The decentralised, borderless, pseudonymous character of cryptocurrency markets creates structural opportunities for an actor willing to invest in technical expertise and patient, long-horizon operations. North Korea has invested in both.
In the meantime, the thefts continue. The missiles get tested. And the gap between the speed of North Korea's adaptation and the speed of the West's response is not closing.
Sources: TRM Labs, "North Korea Stole 76% of All Crypto Hack Value in 2026" (April 2026); Chainalysis, DPRK crypto theft analysis (2025–2026); KuCoin/Bijiie on-chain analysis of Lazarus April 2026 attacks; LayerZero statement on KelpDAO hack (April 2026); U.S. Department of Justice sentencing announcements (April 2026); U.S. Treasury OFAC sanctions on DPRK IT worker networks (March 2026); TechCrunch / Fortune reporting on Wang sentencing (April 2026); CoinDesk / CertiK, Lazarus "Mach-O Man" campaign (April 2026); BFM Tech, "Cyberwar: in North Korea, cyberespionage, cryptocurrency theft and hackers in the service of a state under sanctions" (2026).