From phishing to financial theft: How AI supercharges North Korea's cyber crimes
Pyongyang reportedly has established an AI operation that analysts call 'a significant enhancement' of North Korea's cyber-warfare capabilities.
![An illustration of a cyberattacker. [Victor de Schwanberg/Science Photo Library via AFP]](/gc7/images/2025/04/10/49921-cyber-370_237.webp)
By Robert Stanley
North Korea reportedly has launched a new cyber-warfare unit designed to develop artificial intelligence (AI)-driven hacking tools for espionage, financial theft and cyberattacks against its enemies.
The unit, called "Research Center 227," operates under the military's Reconnaissance General Bureau and aims to enhance Pyongyang's offensive cyber capabilities, according to South Korea-based Daily NK, which monitors news from the North.
Citing unidentified sources inside North Korea, Daily NK reported March 12 that the center's primary objectives include neutralizing security networks, automating information theft, hacking financial systems and developing AI-powered tools for large-scale cyber operations.
Research Center 227 will work in coordination with North Korean hacking groups stationed abroad, using real-time intelligence to refine its cyber capabilities, the report added.
'Compromise and gather intelligence'
"Research Center 227 constitutes a significant enhancement of Pyongyang's cyber-warfare capabilities, integrating its capabilities for offensive cyber operations," geopolitical risk group SpecialEurasia wrote in a March report.
The think tank further warned that the initiative "significantly raises global cyber-crime concerns."
One of the most alarming aspects is the use of AI to "bypass sophisticated security controls, automate data exfiltration at scale, and conduct cyber operations more efficiently and at higher speeds," the report said.
North Korea is not alone in leveraging AI for cyber activities. Microsoft and OpenAI have reported that state-backed hacking groups from China, Russia and Iran are integrating AI into their operations.
A North Korean hacking group known as Emerald Sleet used AI-generated phishing emails that appeared to come from major academic institutions to "compromise and gather intelligence" from Western analysts of North Korea, Microsoft wrote in a blog post in February 2024.
Similarly, Google's Threat Intelligence Group found that North Korean hackers were using AI tools, including Google's Gemini, to draft fake cover letters and search for job postings -- a tactic linked to Pyongyang's ongoing efforts to embed IT operatives in Western companies.
Millions of cyberattacks daily
With North Korea facing a military stalemate on the Korean peninsula and economic sanctions, cyber warfare has become a low-cost, high-impact tool to generate revenue and bypass conventional military constraints, analysts say.
Hacking and cyber theft have been particularly effective in circumventing financial sanctions and securing funds for North Korea's missile and nuclear programs.
"Contrary to what one might expect from such a secluded nation, North Korea boasts a surprisingly strong technological base that reinforces its cyber capabilities," the Washington-based Committee for Human Rights in North Korea noted in 2023.
The scale of Pyongyang's cyber operations is staggering.
In 2023, South Korean public institutions were hit by about 1.62 million cyberattacks a day, with 80% attributed to North Korean actors, the Georgetown Journal of International Affairs reported last July.
North Korean hackers have been suspected of injecting malware into software supply chains and launching ransomware attacks that cripple company networks to extort payments.
Influence operations
In February, OpenAI announced that it had removed accounts from China and North Korea that had been using its AI models for malicious activities, including surveillance and influence operations, Reuters reported.
One operation involved generating fake news articles in Spanish that criticized the United States and placing them in mainstream Latin American media.
In another case, North Korean-linked actors used AI to generate fake resumes and online profiles to infiltrate Western tech firms as remote employees.
Despite these advancements, AI has yet to fundamentally change the landscape of cyber warfare, according to analysts.
"AI, so far, has not been a game changer for offensive actors," said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, in an interview with Voice of America published January 29.
"It speeds up some things. It gives foreign actors a better ability to craft phishing emails and find some code. But has it dramatically changed the game? No."
Google's Threat Intelligence Group came to a similar conclusion.
"While we do see threat actors using generative AI to perform common tasks like troubleshooting, research and content generation, we do not see indications of them developing novel capabilities," it said in a January 29 blog post.