Discover the 5 Worst North Korean Hacks


Key Points

  • North Korea relies on criminal activities like cyber hacking to earn money and fund weapons development programs.
  • Notorious North Korean hacker groups like the Lazarus Group and ScarCruft have targeted companies like Sony Pictures Entertainment and a Russian missile developer.
  • The Bangladesh Bank fell victim to a cyber attack where hackers attempted to transfer $1 billion but were only successful in transferring $81 million due to a spelling mistake.
  • The WannaCry ransomware attack affected systems in 150 countries and exploited a weakness in Microsoft Windows.
  • North Korean hackers have stolen almost $2 billion of cryptocurrency in 2022 using tactics like supply chain attacks.
  • North Korea’s division from South Korea after WWII led to the establishment of a communist state in the North and a democracy in the South.
  • North Korea’s hacker groups continue to innovate and pose a threat to global stability by stealing money and sensitive information.

Since North Korea has effectively cut itself off from the outside world, it has few legitimate opportunities to earn money. As a result, the regime relies on criminal endeavors like cyber hacking to fill its coffers.

These activities, while universally condemned by the international community, provide a source of income for North Korea, allowing its leaders to live lavishly and fund weapons development programs.

In this article, we’ll explore some of the most notorious North Korean hacker groups and the biggest targets they’ve pursued, shedding light on the methods that sustain the regime.

Sony Pictures Entertainment (2014)

As Sony Pictures Entertainment employees sat down at their desks on a Monday morning in November 2014, they saw an unsettling sight on their computer screens: an image of a red skeleton with piercing eyes and outstretched fingers accompanied by a message written in broken English. The message threatened to release Sony’s sensitive data unless executives met their demands.

With Sony’s IT team helpless to stop the attack, malware spread throughout the machines on the company’s network, erasing data on both computers and servers. To ensure that Sony would never be able to recover the deleted data, the hackers’ algorithm buried the data by overwriting it 7 times before finally attacking the computer’s startup software, effectively destroying its functionality.

During the following weeks, the hackers posted the data they stole on public forums. This included unreleased movie scripts, emails, salary details of Sony employees, and nearly 50,000 Social Security numbers.

The group claiming credit for the breach identified themselves as the “Guardians of Peace.” However, cybersecurity experts quickly identified that the Lazarus Group was responsible, noting that the North Korean hackers were “sloppy” and hadn’t hidden their IP addresses.

The movie The Interview, which mocks the North Korean dictator Kim Jong-un, prompted the attack. To discourage Sony from releasing the movie, the hackers threatened to attack theaters in a manner similar to 9/11. Though Sony executives initially opted to shelve the movie, they reversed their decision after public backlash, releasing it on Christmas Day.

While Sony paid an estimated $35 million to repair its IT infrastructure and enhance cybersecurity, thousands of employees continue to face risks of identity theft. Furthermore, many embarrassing emails surfaced, casting a shadow over the company’s reputation and highlighting the enduring intangible damages stemming from the breach.

Hacker Group: Lazarus Group
Target: Sony Pictures Entertainment
Method Used: Malware
Damage: $35M plus intangible losses

Official poster for the movie, The Interview
Kim Jong-un’s regime expressed strong offense at the portrayal of their leader in the Sony Pictures Entertainment movie, The Interview.

©Point Grey Pictures / Public domain

Russian Missile Developer (2022)

Although the breach wasn’t identified until May 2022, a North Korean hacker group known as ScarCruft managed to access a Russian missile developer’s network for at least five months. During that time, the hacker group installed digital backdoors to gain unauthorized access to the system. This gave them the ability to read emails and sensitive files including blueprints for weaponry.

These kinds of breaches are rarely publicized. However, a researcher at the cybersecurity firm SentinelOne discovered this one by chance. The researcher realized that an IT team member at the Russian missile company had accidentally leaked his internal communications while using a portal commonly used by cybersecurity experts.

SentinelOne confirmed that the North Korean hacker group ScarCruft was responsible for the attacks, noting that the group had previously used the same malware in a separate attack.

Experts could not determine which specific files were accessed, but many hypothesized that the North Koreans intended to use the information to bolster their own weapons development programs. Although the hackers may have extracted plans to develop sophisticated missiles, it doesn’t necessarily mean that they are now capable of duplicating the technology.

Hacker Group: ScarCruft
Target: NPO Mashinostroyeniya
Method Used: Malware

Shadow of missiles against a North Korean flag
North Korea’s nuclear ambitions have led to heightened tensions in the region and across the globe.


Bangladesh Bank (2016)

When a printer glitch occurred at Bangladesh’s national bank, it was easy for staff to dismiss it as a minor issue. Such technical hiccups are common and don’t usually raise concerns. Yet this seemingly ordinary printer failure proved to be anything but minor.

The moment it stopped working on February 5, 2016, hackers sent dozens of requests to the Federal Reserve Bank in New York, asking to transfer funds from Bangladesh Bank’s account to various accounts in Southeast Asia and Africa.

While the hackers succeeded in transferring $81 million, the Federal Reserve Bank halted the remaining transactions when staff discovered a spelling mistake on one of the transfer requests. If the hackers hadn’t accidentally misspelled “foundation,” they might have successfully stolen $1 billion.

The investigation revealed that the hackers had meticulously plotted this attack for at least a year. In January 2015, the hacking group sent an email to the bank, disguising themselves as a potential job applicant. Enclosed within the email was a seemingly innocent CV and cover letter embedded with malware.

Cybersecurity officials familiar with the issue noted that the malware used in this breach had signatures similar to those of the Sony hack in 2014, suggesting that the Lazarus Group was behind the attack.

Hacker Group: Lazarus Group
Target: Bangladesh Bank
Method Used: Ransomware

Puzzle of the national flag of Bangladesh intertwined with an American banknote
Like many countries, Bangladesh uses the U.S. dollar as a reserve currency.


WannaCry Ransomware Attack (2017)

On May 12, 2017, the WannaCry ransomware infiltrated systems in 150 countries. It targeted both individuals and large organizations like FedEx, Boeing, and Britain’s National Health Service. Even China and Russia, historically seen as North Korea’s allies, were not immune to the attack.

In China, it hit unsuspecting university students. With vital assignments on the line, they shelled out $300 to $600 to reclaim access to their devices. Meanwhile, Russia’s Interior Ministry bore the brunt of the assault, with approximately 1,000 computers held hostage.

The WannaCry attack exploited a weakness in one of the most widely used operating systems, Microsoft Windows. Because it spread automatically from machine to machine, the ransomware swiftly made its way around the world within hours. To begin the attack, hackers enticed unwitting victims with phishing emails, creating a domino effect. Once the ransomware infected a computer, it encrypted the user’s files and demanded a Bitcoin payment.

Interestingly, cybersecurity experts noticed that the hackers had designed the ransomware with a kill switch, which may suggest an intention to control its impact. Nonetheless, countless users funneled money into the hackers’ accounts as a result of the attack.

While the attack was perpetrated by more than one person, the FBI has only identified Park Jin Hyok as a definite culprit. He remains at large.

Hacker: Park Jin Hyok
Target: 150 countries
Method Used: Ransomware

WANTED posting by the FBI featuring Park Jin Hyok
North Korean operative Park Jin Hyok nearly succeeded in stealing $1B from Bangladesh Bank.

©FBI / public domain

Crypto Theft (2022)

According to Chainalysis, hackers from the hermit kingdom stole almost $2 billion of cryptocurrency in 2022. While this estimate includes damages from multiple attacks, experts believe the following groups are involved:

  • Lazarus Group
  • Andariel Group
  • ScarCruft
  • APT37
  • APT38
  • Bluenoroff
  • Kimsuky
  • DarkHotel

These groups employ a variety of tactics, but they recently pioneered a new tactic dubbed the “supply chain attack.” Instead of attacking digital currency firms directly, they are now going after companies like JumpCloud, which creates software that digital currency firms use. By attacking these service providers, hackers can reach a larger group of victims with less work. In a sense, North Korean hackers have found a way to scale their efforts effectively.

This type of attack raises significant concerns because cryptocurrency is more difficult to trace and track. With traditional banks, transactions are subject to regulatory oversight, making it easier to identify and prevent fraudulent activities. However, the lack of comparable oversight of cryptocurrencies can enable cybercriminals, including North Korean hackers, to operate with greater anonymity.

Hacker Group: Multiple
Method Used: Supply chain attack

North Korean hacker stealing cryptocurrency
North Korea frequently uses Bitcoin to evade sanctions and fund illicit activities.


The History of North Korea

Prior to WWII, Japan controlled the entire Korean peninsula. However, as Japan surrendered to the Allied forces in 1945, the Korean peninsula was split in two. The Soviet Union supported the North and the United States supported the South.

The division was intended to be temporary. However, the USSR was determined to establish a communist state in the North, while the U.S. assisted in establishing a democracy in South Korea. Since neither state was willing to yield to the other, the supposedly temporary division became permanent.

The first leader of North Korea, Kim Il-sung, was hand-picked by the Soviets, beginning a dynasty that has continued through three generations. To maintain a grip on power, every generation has restricted the movement of its citizens to prevent the spread of information about the outside world. Additionally, leaders have employed extensive propaganda tactics to brainwash the population into believing their leaders are god-like beings.

Future Outlook

Despite being underestimated by some, North Korea has proven its hacker groups possess an impressive capacity for ingenuity in executing their strategies. As financial technologies evolve, it’s likely that they will continue to innovate, creating more sophisticated methods to accomplish their objectives.

Kim Jong-un currently controls the government of North Korea and oversees all its endeavors, including the activities of its cyber attackers. Under his leadership, these hackers have pursued dual objectives: to steal money and information.

Although it’s more challenging to quantify the effect of stolen information, it is nonetheless worrisome that sensitive information such as blueprints to missiles could fall into the hands of these hackers, potentially compromising global stability.

FAQs (Frequently Asked Questions)

What does APT stand for?

In the context of cybersecurity, APT stands for Advanced Persistent Threat. The term is used to describe a well-resourced attacker group, such as a criminal or state-sponsored organization, that maintains prolonged access to its targets.

What are digital backdoors?

A digital backdoor is a specific type of malware that provides unauthorized access to a system. It is designed to create a hidden or secret pathway into a system, allowing the attacker to gain entry without going through an authentication process.

What is malware?

Malware is malicious software designed to infiltrate a computer system.

What is ransomware?

Ransomware is a type of malware. It encrypts a victim’s files or locks them out of their system, demanding a ransom payment in exchange for restoring access or providing a decryption key. Even if the ransom is paid, there is no guarantee the user will get their system back.
