North Korean cyber operatives heavily targeted South Korea’s defense industry and information technology (IT) sector last year, pilfering significant amounts of sensitive data. The hackers also stole approximately 2 trillion KRW (about 1.36 billion USD) in cryptocurrency, marking the largest heist on record.
Intelligence officials confirmed that these cyber actors employed advanced tactics, including using deepfake technology to participate in video interviews and remotely wiping smartphones to cover their tracks.
The National Intelligence Service’s Cyber Security Center released its 2025 Annual Report on May 10, revealing that North Korea focused its efforts on stealing domestic industrial technology, particularly in the defense and IT sectors, throughout the previous year.
During this period, the hackers managed to siphon over 2 trillion KRW (about 1.36 billion USD) from both domestic and international cryptocurrency platforms, setting a new record for their illicit gains.
North Korean cyber teams employ sophisticated laundering techniques for the stolen cryptocurrency, initially extracting funds from digital wallets through phishing scams or malware. They then fragment the coins into smaller amounts, effectively obscuring the transaction trail.
Blockchain analytics firm Chainalysis reported that North Korean-linked hacker groups utilized more than 12,000 unique wallet addresses in their virtual asset laundering operations.
The hackers disseminated malicious apps disguised as legitimate Kakao security files or document viewers Apple applications through official app stores and email channels.
Once installed, these malicious apps intercepted call logs and text messages. The National Intelligence Service strongly advised users to avoid downloading apps from unofficial sources and to immediately terminate any app requesting unnecessary permissions.
Domestic companies suffered significant breaches due to attacks targeting software supply chains. North Korean operatives exploited vulnerabilities in three types of widely-used document management solutions to create administrator accounts and exfiltrate data.
The scope of sensitive information compromised during these attacks is estimated to range from 700 to 2.6 million cases, depending on the specific product targeted.
The medical and biotech sectors also saw a surge in attacks. In March of last year, the National Intelligence Service uncovered evidence of hacking incidents involving centralized document software used by pharmaceutical and diagnostic reagent manufacturers.
Analysts noted a significant uptick in North Korean cyber operations targeting domestic medical and biotech sectors following Pyongyang’s declaration of 2025 as the Year of Health Revolution in its push to modernize healthcare facilities.
The hackers’ methods have evolved, with one particularly concerning tactic involving the use of deepfake technology to impersonate job applicants during video interviews.
North Korean operatives have been known to steal identities, apply for jobs at target companies, and use deepfake technology to alter their appearance during real-time video interviews, successfully deceiving hiring managers.
To evade detection, these hackers have also resorted to remotely wiping victims’ smartphones. When a hacking attempt is discovered or law enforcement begins tracking their activities, the operatives initiate device resets to disrupt investigations.
The National Intelligence Service projects that the rapid advancement of artificial intelligence (AI) technologies, coupled with an increasingly unstable global geopolitical landscape, will likely intensify cyber warfare in the coming year.
The National Cyber Security Center warns that as international security variables multiply, including North Korea’s upcoming 9th Party Congress and the U.S.’s new national security strategy, it can expect a rise in indiscriminate and sophisticated hacking attempts.
The agency further cautioned that the integration of AI throughout the hacking process could lead to a constant evolution of cyber attack methods, potentially causing severe disruptions to national security and corporate operations.