Cyber theft funds Pyongyang's nuclear ambitions

Global Watch | 2026-01-27

When most people think of a bank robbery, they imagine masked criminals storming a vault, escaping with bags of cash into the night.

However, today's most consequential financial thefts look nothing like that. They happen quietly, across computer networks, often unnoticed until long after the money is gone.

And in many cases, the mastermind isn't a criminal gang -- it's a nation-state.

North Korea in particular has emerged as the most prolific and dangerous player in this new era of digital heists.

For decades, the international community has relied on economic sanctions to limit North Korea's ability to fund its nuclear weapons and ballistic missile programs. These sanctions aimed to isolate Pyongyang from the global financial system, cutting off access to foreign currency, international banking networks and advanced technology.

While not perfect, sanctions imposed real constraints, forcing North Korea to rely on smuggling and limited trade relationships to sustain its ambitions.

But the rise of cryptocurrency has changed the game. Digital assets operate outside traditional banking systems, move across borders instantly, and -- if handled carefully -- can obscure the identity of their ultimate beneficiary.

For an isolated but technologically capable regime, cryptocurrency offered a loophole in the sanctions system: a parallel financial network that could be exploited with devastating efficiency.

The Lazarus Group

At the heart of North Korea's cyber-finance strategy is the Lazarus Group, a state-sponsored cyber unit operating under Pyongyang's intelligence services.

Lazarus is not a loose collection of hackers. It functions more like a military unit with a singular mission: to generate revenue for the state through cyber operations.

Over the years, this mission has become central to North Korea's broader national strategy.

In the early 2010s, North Korean cyber activity focused on disruption and espionage. Today, the focus is squarely on theft at scale. Lazarus targets cryptocurrency exchanges, decentralized finance (DeFi) platforms, online gaming ecosystems and digital wallets -- anywhere large volumes of digital assets are pooled.

Using sophisticated phishing campaigns, custom-built malware and exploitation of software vulnerabilities, they bypass modern security controls with alarming precision.

The numbers are staggering. In 2022 alone, North Korean-linked cyber actors stole an estimated $1.7 billion in cryptocurrency. In early 2025, a single operation reportedly netted $1.4 billion from the exchange Bybit.

These represent a sustained and systematic campaign. Analysts estimate that proceeds from cyber theft now fund a significant portion of North Korea's missile and nuclear programs.

A new kind of heist

What makes these operations particularly concerning is their strategic intent. These aren't crimes committed for personal gain -- they are deliberate state actions designed to convert stolen digital assets into weapons capability.

For a regime cut off from legitimate trade, cyberspace has become a critical economic battlefield. Every successful hack undermines sanctions and strengthens Pyongyang's ability to pursue its most dangerous ambitions.

Understanding this shift is crucial. Cyber theft is now a core mechanism by which North Korea sustains its nuclear program.

The Lazarus Group's operations highlight how cyberspace has become a lifeline for a sanctioned state, enabling it to bypass traditional financial restrictions and fund its strategic goals.

This is a story about how technology is reshaping the tools of statecraft and conflict. As North Korea continues to exploit digital vulnerabilities, the international community must adapt its strategies to counter this growing threat.