We are vigilant about DPRK activities.
Catch Up on the Latest Highlights
April 11, The Loyalty Trap: "Kim Jong Un Test" Used to Identify DPRK IT Infiltrators
Feb 21, Analytical Brief: Profile of Sim Hyon-sop, Based on Former DPRK Diplomatic Testimony
Feb 7, Part 4: The Kyunghyang Shinmun’s Special Series on the One-Year Anniversary of DPRK Deployment to Russia
Jan 25, Why Radio Free Asia’s Return Matters: Must-Read by a Fulbright Scholar & DPRK defector from The Diplomat.
Jan 12, 3PM-, Rollout Event of MSMT (Multilateral Sanctions Monitoring Team) at UNHQ
UN Web TV link here!https://webtv.un.org/en/asset/k1t/k1tjrc6a8a
DPRK Cyber Apparatus Update! Key State-Linked Entities and Overseas IT Operations. See
Blockchain analytics firms conclude that the DPRK has industrialized crypto theft in 2025—setting record losses through fewer but larger attacks, anchored by the $1.46B Bybit hack and increasingly sophisticated laundering pipelines. Read reports
February 21, 2026
Analytical Brief: Profile of Sim Hyon-sop Based on Diplomatic Testimony
This report highlights the information provided by Ryu Hyun-woo (류현우), a former DPRK Ambassador to Kuwait, regarding the high-profile North Korean financial operative Sim Hyon-sop.
The report outlines the physical characteristics, professional history, and current whereabouts of Sim Hyon-sop, a key figure linked to DPRK sanctions evasion. The testimony provides a rare personal look into Sim’s operational methods in the UAE, his character traits as a trusted financial "fixer" for the regime, and his reported relocation to the Sino-Korean border.
Source:DOS
January 30, 2026
DPRK Monitor intends to introduce a special report series by the South Korean newspaper The Kyunghyang Shinmun (경향신문), marking the one-year anniversary of the North Korean troop deployment to Russia. This series will be presented in several parts.
Part 1 examines the high level of proficiency among North Korean soldiers and their rapid adaptation to drone warfare—a combat environment previously unfamiliar to them.
"They Were Like 'Terminators': Crawling 1.8km for a 50m Surprise Attack" (Jaunuary 20, 2026)
This report details the tactical integration and combat effectiveness of the 13,000 North Korean troops deployed to Russia’s Kursk region. Initially vulnerable to modern electronic and aerial warfare, the DPRK forces have shown a remarkably steep learning curve, evolving into a highly disciplined and specialized force within months. The analysis suggests that the DPRK's involvement has transitioned from mere troop provision to a deep "blood alliance" with Russia, fundamentally altering the security dynamics of both Eastern Europe and the Korean Peninsula.
Summary
• Deployment Timeline: Following a military treaty in June 2024, approximately 13,000 DPRK soldiers arrived in Vladivostok in October and were positioned on the Kursk front by December 2024.
• Rapid Tactical Evolution: While initially struggling against drone-heavy environments, DPRK units adapted within 2–3 months, successfully implementing flank attacks and their own drone operations.
• Elite Combat Proficiency: Members of Ukraine’s 225th Independent Assault Battalion report that DPRK soldiers have demonstrated extreme stealth and discipline, such as crawling 1.8km to launch a surprise raid from only 50 meters away.
• "Terminator" Psychology: Russian prisoners of war (POWs) describe the North Koreans as exceptionally strong. Notably, DPRK soldiers frequently choose self-detonation/suicide over capture, a fanaticism that has shocked Ukrainian personnel.
• Internal Tensions: Drone footage has confirmed instances of armed friction and firefights between Russian and North Korean soldiers, indicating underlying command and control friction.
• Strategic Impact: The deployment is characterized as a "God’s Move" for Russia, providing critical engineering, mine clearance, and frontline infantry support that has resulted in a "painful loss" for Ukrainian momentum.
• Geopolitical Shift: The relationship between Moscow and Pyongyang has solidified into a "blood alliance," raising concerns that this combat experience will significantly enhance the DPRK’s military capabilities back on the Korean Peninsula.
(Summarized by DPRK Monitor)
January 6, 2026 (*The article was published by Elliptic on October 7, 2025)
<Elliptic> DPRK Surpasses $2 Billion in Crypto Theft in 2025, Led by the $1.46B Bybit Hack and Advanced Laundering Tactics
<Summary>
Elliptic reports that DPRK-linked hackers have already stolen over $2 billion in cryptocurrency in 2025.
This figure includes more than thirty additional hacks attributed to the DPRK, notably incorporating the February 2025 $1.46 billion theft from Bybit, demonstrating a sustained operational tempo rather than isolated incidents despite increased global awareness and defensive measures.
A growing share of victims now includes high-net-worth individuals, reflecting a strategic pivot toward personally targeted theft rather than exclusively exploiting exchanges or on-chain protocols.
The campaign shows a clear rise in social engineering attacks, marking a shift from earlier attacks where technical flaws in smart contracts or infrastructure were the primary attack vectors.
Post-theft laundering strategies have become increasingly sophisticated and layered, involving repeated mixing, cross-chain transfers, obscure blockchains, and the exploitation of “refund addresses” to redirect assets to fresh wallets, reducing traceability and investigative visibility.
December 31, 2025 (*The article was published by Chainalysis on October 1, 2025)
<Chainalysis> From Fake IT Jobs to Fiat Cash: Mapping the DPRK IT Worker Crypto Laundering Network
<Summary>
DPRK IT workers generate cryptocurrency revenue by infiltrating global IT jobs, often being paid in stablecoins that are attractive to OTC traders as an off-ramp to fiat, with funds ultimately financing North Korea’s weapons programs.
Sanctions and enforcement actions target key facilitators, including the OFAC-designated Sim Hyon Sop (a Korea Kwangson Banking Corp rep who received tens of millions in DPRK IT worker crypto) and Lu Huaying, a Chinese OTC trader based in the UAE sanctioned for laundering DPRK IT worker proceeds.
DPRK IT workers are deployed via front companies such as Chinyong Information Technology Cooperation Company, sanctioned by OFAC and the Republic of Korea for employing DPRK IT labor overseas, and they use obfuscation techniques (VPNs, fake IDs) to conceal their identities.
After receiving stablecoin payments, DPRK IT worker funds are laundered through methods like chain-hopping, token swaps, and mixing, then consolidated and moved through intermediaries—including accounts tied to Kim Sang Man, a DPRK national and representative of Chinyong Information Technology Cooperation Company, Sim Hyon Sop, and OTC facilitator Lu Huaying—before conversion to fiat.
Source: Chainalysis, DPRK IT Workers: Inside North Korea’s Crypto Laundering Network, 1 October 2025.
Source: DOS
December 18, 2025
<TRM> DPRK and the Industrialization of Crypto Theft: How a Single State Actor Dominated Global Hack Losses in 2025
<Summary>
Cryptocurrency theft has become industrialized
The DPRK has systematized crypto theft into a repeatable and organized operation, combining cyber units, overseas IT workers, and laundering intermediaries rather than relying on isolated hacks.North Korea linked to the majority of global crypto hack losses in 2025
In 2025, more than USD 2.7 billion was stolen in cryptocurrency hacks worldwide, and well over half of that total was linked to a single nation-state actor: North Korea, according to TRM Labs.Fewer incidents, larger returns
DPRK-linked operations increasingly focus on high-value compromises, allowing outsized returns from a smaller number of attacks rather than frequent low-impact exploits.Human and organizational access is central
TRM Labs highlights the DPRK’s reliance on people-and-platform compromise, including embedded IT workers, impersonation, and abuse of internal trust at crypto-related firms.“Chinese Laundromat” as the off-chain exit mechanism
Stolen funds ultimately move into a Chinese-language laundering ecosystem, where intermediaries coordinate via WeChat and conduct off-chain settlement into Chinese yuan (CNY) or goods, marking the point at which assets leave the blockchain.Source: TRM, North Korea and the Industrialization of Cryptocurrency Theft, 2025-12-18.
December 18, 2025
<Chainalysis>2025 Crypto Theft Trends: DPRK Sets New Records With Fewer Attacks
Larger thefts with fewer attacks: DPRK cyber actors stole $2.02B in crypto in 2025 (+51% year-over-year), pushing lifetime totals to $6.75B, despite a decline in the number of incidents.
Evolved intrusion tactics: Major thefts increasingly rely on embedded IT workers within crypto firms and high-end impersonation of executives, enabling outsized breaches.
Systematic laundering networks: Stolen assets are funneled through Chinese-language laundering services, cross-chain bridges, and mixers, typically completing laundering within ~45 days.
Mixed security outcomes: Individual wallet compromises surged in volume, but overall DeFi losses remained contained in 2024–2025, suggesting improving platform-level security is mitigating large-scale hacks.
Source: Chainalysis, North Korea Drives Record $2 Billion Crypto Theft Year, Pushing All-Time Total to $6.75 Billion.
November 17, 2025
By the end of 2025, the aggressor state Russia plans to involve about 12 thousand North Korean workers to work at enterprises in the special economic zone “Alabuga” in Tatarstan.
It is in “Alabuga” that long-range drones of the Shaded/Geran type are manufactured, which the Russian army uses to carry out terrorist strikes on Ukraine’s civilian infrastructure.
To discuss the details of the sale of labor, at the end of October, a meeting was held at the Russian Ministry of Foreign Affairs between local officials and representatives of the DPRK company Jihyang Technology Trade Company, responsible for the search and selection of Korean workers.
The imported workforce is promised to be paid about 2.5 US dollars per hour of work, and the shift for workers will last at least 12 hours.
Source: Telegram.October, 2025
<Summary>
A Conflict Armament Research (CAR) field investigation team documented a North Korean–manufactured submunition recovered by Ukrainian authorities after a 23 September 2025 attack on Kherson. The device had been refitted for delivery by a weaponised first-person-view (FPV) UAV, illustrating a growing convergence between DPRK-origin legacy munitions and improvised Russian battlefield innovation.
Confirmed DPRK Origin
Submunition bears Korean markings, indicating production year Juche 89 (2000).
Ukrainian authorities have found additional DPRK submunitions dated Juche 89–99 (2000–2010).
Identified as a DPRK-produced copy of the US M42 High-Explosive, Dual-Purpose (HEDP) submunition.
Modification for UAV Deployment
Original arming and stabilization ribbon system removed.
Replaced with a 3D-printed detonator holder and an electric detonator inserted via a drilled lateral hole.
Battlefield Implications
Demonstrates integration of legacy DPRK cluster submunitions into modern FPV UAV strike systems.
Reflects a broader trend: conventional munitions + improvised UAV delivery mechanisms used to achieve precision, low-cost anti-armor effects.
CAR notes increased use of 3D-printed components and improvised electronics in Russian and Ukrainian FPV systems.
Source: CAR.October 22, 2025
MSMT Releases Second Report Detailing DPRK Cyber and IT Worker Operations
<Summary>
DPRK operates a full-spectrum cyber army, rivaling China and Russia, to steal crypto and fuel its illicit WMD and missile programs—all under UN-designated entities such as the Reconnaissance General Bureau (KPe.031), Ministry of National Defense (KPe.054), Ministry of Atomic Energy and Industry (KPe.027), Munitions Industry Department (KPe.028), Office 39 (KPe.030), and the Second Academy of Natural Sciences (KPe.018).
Massive crypto heists drive Pyongyang’s revenue engine:
• $1.19B stolen in 2024
• $1.65B stolen from Jan–Sep 2025, dominated by the $1.4B Bybit mega-hack.Global laundering pipelines: DPRK actors clean stolen crypto through services operating in China, Russia, Argentina, Cambodia, Vietnam, and UAE, before converting to fiat to support prohibited procurement.
Stablecoins as sanctions-evasion tools: DPRK entities—including Korea Mining Development Trading Corporation (KOMID) (KPe.001)—used cryptocurrency in arms transactions and procurement of raw materials such as copper for munitions production.
Widespread illicit IT-worker deployments (violating UNSCRs):
• IT workers found in China, Russia, Laos, Cambodia, Equatorial Guinea, Guinea, Nigeria, Tanzania
• 1,000–1,500 based in China
• Plans to dispatch 40,000 laborers to Russia, including IT teams
• Foreign facilitators supporting them in Japan, Ukraine, UAE, and the United States.China as the operational backbone:
• DPRK depends on Chinese IT infrastructure, banks, and OTC brokers
• At least 15 Chinese banks used for laundering IT and cyber-heist proceeds
• Identities of DPRK and Chinese facilitators were already provided to China in 2024.Cyber espionage surge against defense industries:
DPRK cyber units steal sensitive intellectual property and defense technology to advance WMD and missile development, using social engineering, malware, and ransomware, and also target critical infrastructure.All these cyber, laundering, and IT-work operations benefit UN-designated entities:
• Korean Workers’ Party (assets freeze)
• Reconnaissance General Bureau (KPe.031)
• Ministry of National Defense (KPe.054)
• Ministry of Atomic Energy and Industry (KPe.027)
• Munitions Industry Department (KPe.028)
• Office 39 (KPe.030)
• Second Academy of Natural Sciences (KPe.018)
Source: MSMT.August 17, 2025
Radio Free Asia’s 2023 exposé reveals the brutal exploitation of North Korean workers abroad, exposing blatant violations of UN sanctions in Russia.
<Radio Free Asia> 2023-9-20, 당국 외면 속 죽어가는 해외 북 노동자 (Overseas North Korean Workers Dying Amid Government Neglect).
<Summary>
Internal documents from a North Korean construction company operating in Russia, recently obtained by RFA, reveal that during the COVID-19 pandemic, workers who fell ill were denied proper medical care and, with the borders closed, were effectively abandoned in Russia, unable to return home.
Excessive Hours: Workers were forced into grueling construction work, often over 16 hours per day including night shifts.
Lack of Medical Access:
Many workers with serious illnesses (cancer, emphysema, heart disease) were denied hospital care due to high costs.
In extreme cases, workers even pulled out their own teeth because they could not go to hospitals.
Financial Exploitation:
After state deductions, workers kept only $100 a month on average, making it impossible to afford medical bills of $5,000–6,000+.
Neglect by Authorities:
North Korean authorities provided no medical or financial support, especially during the COVID-19 border closures, leaving workers effectively abandoned abroad.
One of the internal documents showing examples of North Korean vernacular
Source: DPRK Panel of Experts repot, S/2024/215, p. 431.August 14, 2025
<BBC> North Koreans Sent to Russia to Work "Like Slaves"
<Summary>
Russia is importing tens of thousands of North Korean laborers to cover war-induced labor shortages-over 10,000 in 2024 and potentially over 50,000 in 2025.
The BBC interviewed six escapees who described:
18-hour workdays, seven days a week.
Hazardous work conditions, often without adequate safety equipment or medical care.
Constant surveillance by North Korean security agent, with workers confined to sites.
Squalid living quarters, including bug-infested shipping containers and unfinished buildings.
Physical abuse when workers fall asleep due to exhaustion.
Most wages are collected by the regime; workers get only a small monthly amount after returning home.
These practices violate UN sanctions and constitute forced labor, reflecting widespread state exploitation.
Source: BBC (Edited by DPRK Monitor).DPRK Monitor exposes more cases of North Korean worker exploitation in Russia (See above article by Radio Free Asia in 2023).
Source: BBC.Useful link on DPRK human rights violations
August 8, 2025
Old Game, New Name: Sobaeksu and DPRK’s WMD Legacy
The US government has recently designated the Korea Sobaeksu Trading Company (Sobaeksu) for asset freezing, citing its involvement in foreign currency-generating activities conducted by DPRK IT workers.
However, by examining past DPRK Panel reports, it becomes clear that Sobaeksu is in fact connected to companies previously involved in WMD development—namely, NAMCHONGANG TRADING CORPORATION (NCG) and KOREA MINING DEVELOPMENT TRADING CORPORATION (KOMID).
Diagram of Links Between Kim Se Un, Sobaeksu, and DPRK WMD programme
Source: Maltego Graph Visualization by DPRK Monitor.July 24, 2025
U.S. Treasury Sanctions North Korean Front Company and Individuals for Sanctions Evasion and Revenue Generation
<Summary>
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the Korea Sobaeksu Trading Company (also known as Sobaeksu United Corporation) and three North Korean individuals—Kim Se Un, Jo Kyong Hun, and Myong Chol Min—for their roles in evading U.S. and UN sanctions and clandestinely generating revenue for the DPRK government.
Key points:
Sobaeksu acts as a front company for the DPRK’s Munitions Industry Department, involved in nuclear and missile development. It sends IT workers overseas (e.g., to Vietnam) and conducts nuclear procurement.
Kim Se Un is a key operator using foreign-based companies to hire North Korean IT workers abroad. A reward of up to $3 million is offered for information leading to his arrest/conviction.
Jo Kyong Hun, based in North Korea, leads Sobaeksu’s IT team and collaborates with Kim on cryptocurrency and financial schemes to support IT operations.
Myong Chol Min, a trade representative, helps facilitate business deals to evade sanctions and import goods (like tobacco) into North Korea. He is also subject to a $3 million reward offer.
July 20, 2025
Source: The MSMT.
MSMT Unveils Evidence of Sanctions‑Violating DPRK–Russia Military Ties at UN Briefing
<Summary>
On July 17, 2025, the Multilateral Sanctions Monitoring Team (MSMT) held a formal briefing at the United Nations Headquarters in New York to present its first report, titled “Unlawful North Korea–Russia Military Cooperation.” (The report released on May 29, 2025 is available in English, Spanish, French, Russian, Chinese, and Arabic)
The session was attended by representatives from the 11 MSMT member states—Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, the Republic of Korea, the United Kingdom, and the United States—as well as delegates from over 40 other UN member countries.
The MSMT was established in October 2024 as a successor to the UN Security Council’s Panel of Experts under the 1718 Sanctions Committee, which was disbanded following a Russian veto. Its mandate is to monitor and report on violations and evasions of UN sanctions on DPRK.
According to the US Department of State website, “the MSMT welcomes interest from additional states to participate in the mechanism.”
July 2, 2025
<CNN> 2025-7-2, North Korea sending up to 30k more troops to fight for Russia.
North Korea to send as many as 30,000 troops to bolster Russia’s forces, Ukrainian officials say.
<Summary>
North Korea is reportedly preparing to send 25,000 to 30,000 additional troops to Russia, according to Ukrainian intelligence and corroborated by Western sources.
Around 11,000 North Korean soldiers were secretly deployed to Russia in late 2024. About 4,000 of them were killed or injured in combat, particularly during the defense of Russia’s Kursk region.
Ukrainian assessment states the Russian Ministry of Defense will supply equipment and arms, with the goal of integrating North Korean troops into Russian combat units, including potential involvement in large-scale offensive operations.
Satellite imagery shows troop transport ships and IL-76 cargo planes at Russian and North Korean ports and airports, suggesting preparations for further deployments.
Ukrainian officials and analysts suggest Pyongyang aims to deepen its "blood debt" with Moscow to gain long-term leverage, despite high short-term losses.
(Edited by DPRK Monitor)
June 26, 2025
<MBC> 2025-06-26, 국회 정보위원회 백브리핑 (Background briefing by the National Assembly Intelligence Committee of the ROK).
ROK National Intelligence Service (NIS) Assessment of DPRK-Russia Military Cooperation
Russia may launch a major offensive in July or August.
In October 2023, North Korea deployed 11,000 personnel to Russia, followed by an additional 4,000 troops.
Russia recently announced the deployment of 6,000 military engineers and construction units for reconstruction in Kursk.
NIS believes further deployments could occur as early as July or August, citing past patterns and ongoing recruitment efforts in North Korea.
Russia is believed to have provided economic aid, air defense systems, and electronic warfare equipment, along with technical support for space launch engines, drones, and missile guidance systems.
(Edited by DPRK Monitor)
June 17, 2025
<Комсомольская Правда> 2025-06-17, Шойгу сообщил, что КНДР направит 5000 строителей на восстановление Курской области
Shoigu stated that the DPRK will send 5,000 construction workers to help with the reconstruction of the Kursk region.
May 20, 2025
Source: UN Web TV“The DPRK’s unlawful nuclear weapons and ballistic missiles programs is inextricably linked to the regime’s human rights abuses as the programs are financed through the forced labor of North Korean citizens, at home and abroad.”