DPRK Cyber Actor and IT worker ties to UN Designated Entities

(Source: MSMT)

  • Nearly all DPRK cyber units and overseas IT workers identified in this report operate under or in support of UN-designated DPRK entities, including the Reconnaissance General BureauMinistry of National DefenseMinistry of Atomic Energy Industry, and the Munitions Industry Department, as well as the Korean Workers’ Party, which is subject to an assets freeze.

  • DPRK cyber actors and IT workers deployed abroad typically function through front companies that publicly represent these state entities. These front companies facilitate sanctions-violating activities—such as IT services, procurement, and money laundering—on behalf of UN-designated DPRK entities, activities that UN Member States are obligated to prevent.

Organization and Units Overview

  • Reconnaissance General Bureau (KPe.031)

    정찰총국 aka: KPA UNIT 586

    RGB, designated by UNSCR 2270 (2016), is the DPRK’s primary foreign intelligence organization and exercises command and control over its most capable cyber units.

    The RGB has used front companies to conduct illicit activities, including arms trade and procurement, most notably the UN-designated Green Pine Associated Corporation (KPe.010).

    The RGB maintains a long-standing relationship with Moranbong University, which supplies highly selected graduates—often with elite social connections—to staff RGB cyber units.

  • Ministry of State Security

    국가보위성

    Scarcruft (APT37) conducts espionage operations targeting the North Korean defector community, human rights organizations, and the ROK government, while also carrying out remote IT work alongside malicious cyber activities.

    The Pyongyang Information Technology Bureau (PITB, 평양정보기술국) was previously identified as an overseas IT worker entity operating under the Science and Education Department of the Korean Workers’ Party Central Committee.

    In 2023, former PITB personnel based in Laos were transferred to the MSS to support the expansion of DPRK overseas IT work operations.

  • Ministry of National Defense (KPe.054)

    국방성

    Bureau 53 (Department 53) sells advanced conventional weapons and military-grade communications equipment and generates revenue through front companies across multiple sectors, including IT and software development.

    Department 61 of the MND serves as the controlling organization of the Chinyong Information Technology Cooperation Company.

  • Munitions Industry Department (KPe.028)

    군수공업부

    MID was designated by UNSCR 2270 (2016) for its role in the DPRK’s unlawful ballistic missile and nuclear programs.

    The 313 General Bureau operates under the MID and was established in early 2015 following the reorganization of the Korea Computer Center (KCC), which also involved the transfer of personnel to the Pyongyang Information Center, later renamed the Pyongyang Information Technology Bureau.

    Subsequently, the KCC was reconstituted as the State Information Technology Bureau (국가정보기술국), also known as the Informatization Bureau (정보화국) and the Informatization Guidance Bureau (정보화지도국).

  • Ministry of Atomic Energy and Industry (KPe.027)

    원자력공업성

    MAEI was designated by UNSCR 2270 (2016) for its critical role in the DPRK’s unlawful nuclear weapons program, including day-to-day management and oversight of the nuclear research center at Yongbyon.

    MAEI 607 Management Office as the entity operating the Korea Mangyongdae Computer Technology Corporation (KMCTC, 조선만경대컴퓨터기술회사).

    The KMCTC employs DPRK freelance IT worker teams overseas, mainly in Shenyang and DandongChina, and is headed by DPRK official U Yong Su.

  • Office 39 (KPe.030)

    당39호실

    Office 39 of the Korean Workers’ Party, designated by UNSCR 2270 (2016), is a secretive DPRK entity responsible for managing foreign currency, conducting illicit economic activities, and generating revenue for the leadership.

    Kyonghung IT Exchange Company has been found to operate on behalf of Office 39, including through DPRK IT worker delegations based in Dandong, China.

  • Ministry of Public Security/Ministry of Social Safety

    사회안전성

    Amnokgang Technology Development Corporation (Yalu River Technology Development Company, 압록강기술개발회사) operates under the DPRK Ministry of Public Security, now known as the Ministry of Social Safety, and has been previously identified by the ROK and the UN 1718 Committee Panel of Experts.

    The company operates DPRK IT worker teams and conducts illicit procurement through overseas networks to acquire and sell commercial and military technologies.

Names of Units & Key Cyber Activities

Park Jin Hyok

RGB Cyber Actor

Source: FBI.

Park Jin Hyok is a US-indicted, state-sponsored North Korean programmer linked to the Reconnaissance General Bureau, accused of orchestrating large-scale cyber intrusions and theft of fiat and virtual currency as part of the Lazarus Group/APT38 network.

Arrest warrants and charges

  • June 8, 2018: U.S. federal arrest warrant issued for conspiracy to commit wire fraud and computer intrusion.

  • December 8, 2020: Superseding arrest warrant issued by the U.S. District Court (Central District of California), charging conspiracy to commit wire fraud, bank fraud, and computer fraud.

<Elliptic> DPRK Surpasses $2 Billion in Crypto Theft in 2025, Led by the $1.46B Bybit Hack and Advanced Laundering Tactics

January 6, 2026 (*The article was published by Elliptic on October 7, 2025)

<Summary>

  • Elliptic reports that DPRK-linked hackers have already stolen over $2 billion in cryptocurrency in 2025.

  • This figure includes more than thirty additional hacks attributed to the DPRK, notably incorporating the February 2025 $1.46 billion theft from Bybit, demonstrating a sustained operational tempo rather than isolated incidents despite increased global awareness and defensive measures.

  • A growing share of victims now includes high-net-worth individuals, reflecting a strategic pivot toward personally targeted theft rather than exclusively exploiting exchanges or on-chain protocols.

  • The campaign shows a clear rise in social engineering attacks, marking a shift from earlier attacks where technical flaws in smart contracts or infrastructure were the primary attack vectors.

  • Post-theft laundering strategies have become increasingly sophisticated and layered, involving repeated mixing, cross-chain transfers, obscure blockchains, and the exploitation of “refund addresses” to redirect assets to fresh wallets, reducing traceability and investigative visibility.

December 31, 2025 (*The article was published by Chainalysis on October 1, 2025)

<Chainalysis>From Fake IT Jobs to Fiat Cash: Mapping the DPRK IT Worker Crypto Laundering Network

  • DPRK IT workers generate cryptocurrency revenue by infiltrating global IT jobs, often being paid in stablecoins that are attractive to OTC traders as an off-ramp to fiat, with funds ultimately financing North Korea’s weapons programs.

  • Sanctions and enforcement actions target key facilitators, including the OFAC-designated Sim Hyon Sop (a Korea Kwangson Banking Corp rep who received tens of millions in DPRK IT worker crypto) and Lu Huaying, a Chinese OTC trader based in the UAE sanctioned for laundering DPRK IT worker proceeds.

  • DPRK IT workers are deployed via front companies such as Chinyong Information Technology Cooperation Company, sanctioned by OFAC and the Republic of Korea for employing DPRK IT labor overseas, and they use obfuscation techniques (VPNs, fake IDs) to conceal their identities.

  • After receiving stablecoin payments, DPRK IT worker funds are laundered through methods like chain-hopping, token swaps, and mixing, then consolidated and moved through intermediaries—including accounts tied to Kim Sang Man, a DPRK national and representative of Chinyong Information Technology Cooperation Company, Sim Hyon Sop, and OTC facilitator Lu Huaying—before conversion to fiat.

    Read the full report in Japanese (北朝鮮IT労働者による暗号資産マネーロンダリングネットワークの内幕)

Who is Sim Hyon Sop?

  • Sim Hyon-Sop has allegedly played a central role in North Korea’s counterfeit cigarette trade since at least 2009, using front companies, false shipping records, and bulk cash payments to evade US sanctions.

  • Between 2021 and 2023, he and co-conspirators imported tobacco into the DPRK and laundered US dollar payments, with proceeds benefiting the regime’s WMD programs.

  • Us authorities charged Sim with conspiracy to violate the IEEPA, bank fraud, and money laundering, issuing an arrest warrant in 2023 and indictments in 2025.

  • On July 24, 2025, the U.S. State Department is offering up to $7 million for information leading to his arrest or conviction; notably, on April 26, 2023, it had already announced a reward of up to $5 million for information related to his alleged sanctions evasion involving illicit tobacco trade and money laundering.

Source:

US DOJ Civil Forfeiture Complaint

April 26, 2023: Reward of up to USD 5 million

US State Dept offers rewards for info leading to arrests of 3 transnational criminals

FBI Wanted Poster (archived) SIM HYON-SOP - FBI

July 24, 2025: Reward increased to up to USD 7 million

Sim Hyon-Sop - United States Department of State

Reward Poster in English

Reward Poster in Korean

December 18, 2025

<TRM> DPRK and the Industrialization of Crypto Theft: How a Single State Actor Dominated Global Hack Losses in 2025

  • Cryptocurrency theft has become industrialized
    The DPRK has systematized crypto theft into a repeatable and organized operation, combining cyber units, overseas IT workers, and laundering intermediaries rather than relying on isolated hacks.

  • North Korea linked to the majority of global crypto hack losses in 2025
    In 2025, more than USD 2.7 billion was stolen in cryptocurrency hacks worldwide, and well over half of that total was linked to a single nation-state actor: North Korea, according to TRM Labs.

  • Fewer incidents, larger returns
    DPRK-linked operations increasingly focus on high-value compromises, allowing outsized returns from a smaller number of attacks rather than frequent low-impact exploits.

  • Human and organizational access is central
    TRM Labs highlights the DPRK’s reliance on people-and-platform compromise, including embedded IT workers, impersonation, and abuse of internal trust at crypto-related firms.

  • “Chinese Laundromat” as the off-chain exit mechanism
    Stolen funds ultimately move into a Chinese-language laundering ecosystem, where intermediaries coordinate via WeChat and conduct off-chain settlement into Chinese yuan (CNY) or goods, marking the point at which assets leave the blockchain.

Source: DPRK Monitor.

December 18, 2025

<Chainalysis>2025 Crypto Theft Trends: DPRK Sets New Records With Fewer Attacks

  • North Korean hackers stole $2.02 billion in cryptocurrency in 2025, a 51% year-over-year increase, pushing their all-time total to $6.75 billion despite fewer attacks.

  • The DPRK is achieving larger thefts with fewer incidents, often by embedding IT workers inside crypto services or using sophisticated impersonation tactics targeting executives.

  • The DPRK shows clear preferences for Chinese-language money laundering services, bridge services, and mixing protocols, with a 45-day laundering cycle following major thefts.

  • Individual wallet compromises surged to 158,000 incidents affecting 80,000 unique victims in 2025, though total value stolen ($713M) decreased from 2024.

  • Despite increased Total Value Locked in DeFi, hack losses remained suppressed in 2024-2025, suggesting improved security practices are making a meaningful difference.

    Read the full report in Japanese (北朝鮮による暗号資産窃取、年間で過去最高の20億ドルに)

August 8, 2025

Old Game, New Name: Sobaeksu and DPRK’s WMD Legacy

The US government has recently designated the Korea Sobaeksu Trading Company (Sobaeksu) for asset freezing, citing its involvement in foreign currency-generating activities conducted by DPRK IT workers.

However, by examining past DPRK Panel reports, it becomes clear that Sobaeksu is in fact connected to companies previously involved in WMD development—namely, NAMCHONGANG TRADING CORPORATION (NCG) and KOREA MINING DEVELOPMENT TRADING CORPORATION (KOMID).

Sobaeksu

朝鲜小白水联合会社

Namchonggang

KOMID

Yun Ho-Jin

Source: DPRK NM Inventory Safeguards Agreement - 4 May 1992 by IAEA Imagebank by Flicker (Edited by DPRK Monitor).

NCG was previously engaged in North Korea’s nuclear development, particularly in procurement related to uranium enrichment, while KOMID was involved in missile transactions. These DPRK entities linked to the development and sale of WMDs have continued their operations under different names.

The Panel’s investigations (S/2017/150, paras.155-158) have revealed the evolution of these entities through the following findings:

  • UNSCR 2270 (2016) pointed out that NCG had changed its name to Namhung Trading Corporation (Namhung).

  • A review of corporate information registered in China shows that Namhung and the Beijing office of Sobaeksu shared the same address.

  • The representative of Sobaeksu’s Beijing office is Yun Ho-Jin, who was formerly the head of NCG. Yun Ho-Jin (윤호진 in Korean, 尹浩真 in Chinese) is listed under UN sanctions and is a former DPRK diplomat who was involved in uranium enrichment-related procurement at least as far back as the 1990s. His name is currently registered as the representative of Sobaeksu’s Beijing office.

  • Kim Chol Nam (김철남 in Korean, 金哲南 in Chinese), listed as a director of Sobaeksu’s Dandong office, is also registered as the representative of Korea Changgwang Trading Corporation in Beijing. Past Panel investigations have confirmed that Korea Changgwang Trading Corp is an alias for KOMID.

August 3, 2025

Part of DPRK’s Hard Currency Network

While the US has imposed sanctions on DPRK’s activities in Southeast Asia, the UN Security Council DPRK Panel of Experts (POE) report—covering the newly sanctioned individuals Kim Se Un and Sobaeksu—offers key new information. DPRK Monitor shares additional context below.

DPRK individuals operate or control multiple registered entities in various countries and engage in several distinct areas—including IT, trading, finance, and, in some cases, money laundering, military logistics, or procurement. These individuals often obtain passports from host countries or assume foreign identities to travel across multiple jurisdictions—thereby enhancing both their mobility and concealment.

Kim Se Un

김 세 운

Date of Birth: 25 March 1978

Passport: Passport 390120007 (DPRK) issued 09 Jan 2020 expires 09 Jan 2025 (individual)

According to the US State Department, Kim Se Un is a North Korean representative of Korean Sobaeksu Trading Company (Sobaeksu) and was involved in a scheme from April 2021 to June 2023 to smuggle tobacco into DPRK and pay in US dollars, violating US sanctions. The operation used false shipping records and bulk cash to evade restrictions.

From Vietnam to Cambodia — A Wider Web

In the past, Kim Se Un also registered company in Cambodia. According to the POE report (S/2023/171, paras.155-157), Kim was the director of the Cambodia-based company U.J Import Export Co., Ltd (struck off by Cambodian authorities in December 2019, Figure 1).

Cooperated with Ri Chol Nam

Moreover, the POE reported Kim cooperated with Ri Chol Nam (리철남) (Figure 2,3), who was involved in money laundering, brokering sales of weapons, diamonds, and gold, and other illicit financial activities linked to the DPRK. Ri also engaged in potential sales of military-related equipment, including bulletproof vests acquired from third countries for resale.

The Expanding DPRK Network: Who’s Next?

DPRK Monitor will update Kim Se Un’s network!

Figure 1

Source: Cambodian corporate registry (Edited by DPRK Monitor).

Figure 2

Source: DPRK Monitor.

Figure 3

Source: DPRK POE S/2023/171, annex 85.
Source: Maltego Graph Visualization (annotated by DPRK Monitor).

Use of AI by DPRK

DPRK IT workers may use AI-generated fake ID during job interviews. A report by cyber security company also indicate their use of real-time deepfake technology. The most effective detection method is passing a hand over the face, which disrupts facial landmark tracking. Other recommended techniques include:

  • Rapid head movements

  • Exaggerated facial expressions

  • Sudden lighting changes

Companies are advised to adopt layered detection strategies in coordination with their information security teams. Below is an example of DPRK tactics.

Source: KnowBe4.

The picture (right) is an AI-enhanced version of the person who we interviewed during the hiring process, where the applicant’s face was added over a completely different unrelated person’s “stock photography” picture (left) so they looked more professional with glasses and wearing formal work attire.”

Source: KnowBe4, “North Korean Fake Employees Are Everywhere! How to Protect Your Organization” (Annotated by DPRK Monitor)