Washington, Tokyo, and Seoul Deepen Cyber Diplomacy Against North Korea's Illicit Financing
Fifth trilateral working group meeting brings private sector to the table for the first time as crypto theft and AI-enabled fraud reshape the threat
Senior officials from the United States, Japan, and South Korea met in Washington, D.C. on June 25–26 for the fifth session of the Trilateral Diplomatic Working Group on DPRK Cyber Threats, a body established after the 2023 Camp David summit to coordinate action against North Korea's cyber-enabled revenue generation. The meeting's outcomes point to a diplomatic effort that is steadily shifting from threat assessment toward operational disruption — and one that is now reaching well beyond the three founding partners.
From Summit Pledge to Standing Institution
When the U.S., Japan, and South Korea launched this working group in December 2023, it was framed as a modest coordination channel. Five meetings later, it has become something closer to a standing institution, with representatives from roughly two dozen agencies and ministries across the three governments participating in the most recent session. Each iteration has added new mandate: early meetings focused on reviewing the threat picture; by 2025 the group was coordinating efforts to restrict North Korean access to the financial jurisdictions it relies on for revenue generation. This year's meeting added two firsts — a dedicated private-sector engagement session and an explicit push to extend outreach beyond Northeast Asia.
Cryptocurrency Theft Takes Center Stage
Much of the discussion centered on North Korea's escalating cryptocurrency theft operations. Officials pointed to two recent incidents in particular: the theft of roughly $290 million from the KelpDAO platform and $285 million from Drift Protocol, both attributed by investigators to North Korean cyber actors. These figures illustrate the scale of a financing strategy that has made crypto platforms — often thinly regulated and cross-border by design — a primary target for state-linked hacking groups seeking to fund Pyongyang's weapons programs despite international sanctions.
The three delegations committed to expanding intelligence sharing and investigative cooperation, and to raising public awareness of how these theft operations work, both to help platforms harden their defenses and to build the evidentiary record needed for future sanctions actions.
Private Industry Enters the Room
Perhaps the most structurally significant development was the addition of an inaugural private-sector session. Representatives from Coinbase, Google Cloud Security's Mandiant Threat Intelligence unit, Polymarket, and Upwork joined government officials to discuss detection and defense strategies. This reflects a broader reality in cyber diplomacy: governments increasingly depend on private threat-intelligence firms and platform operators to identify and attribute sophisticated cyber operations, since much of the relevant activity — wallet movements, laundering patterns, fraudulent job applications — plays out on privately operated infrastructure that states can't directly monitor. Formalizing that relationship is a sign the working group is maturing from a diplomatic talking shop into an operational coordination body.
The AI Problem
Officials also flagged a newer and less tractable concern: the use of artificial intelligence by individuals linked to North Korea's overseas IT worker networks. AI tools, they warned, are making it easier to fabricate convincing identities, run more sophisticated phishing campaigns, and secure remote jobs with companies that have no idea they're paying a sanctioned worker. Unlike a hacked crypto platform, this scheme exploits ordinary corporate hiring practices, which makes it a harder problem to solve through law enforcement alone — it will likely require sustained cooperation with employers and platforms like Upwork to close the gap.
Widening the Coalition
The three governments also signaled an intent to take their message beyond Northeast Asia, planning outreach to governments, financial institutions, and technology firms in Europe, Southeast Asia, and Africa. This reflects an underlying diplomatic logic: North Korea's cyber financing networks exploit whichever jurisdictions offer the least regulatory friction, so containing them requires convincing a much wider set of countries — many with no direct stake in the North Korea nuclear issue — to tighten oversight of cryptocurrency exchanges and remote-work hiring pipelines.
What's Left Unsaid
Notably, the joint statement stays narrowly scoped to North Korea's weapons-financing activity and does not address broader questions about state sponsorship, technology transfer, or North Korea's cyber relationships with other governments. That narrow framing appears deliberate: it keeps the coalition's mandate focused enough that Japan and South Korea — which have different economic exposures and strategic considerations — can maintain a unified position, even as the group's ambitions expand geographically and its private-sector partnerships deepen.
Taken together, the fifth working group meeting suggests a diplomatic effort that has moved past its founding phase and is now grappling with the harder work of translating trilateral coordination into measurable disruption of North Korea's illicit revenue streams — with AI-enabled fraud emerging as the next frontier it will need to address.
Based on official readouts from the U.S. Department of State, Japan's Ministry of Foreign Affairs, and reporting on the June 25–26, 2026 Trilateral Diplomatic Working Group on DPRK Cyber Threats.
Member discussion