Article
Dae Joong Lee1,*
1Graduate School of International Studies, Pusan National University, Geumjeong-gu, Busan, South Korea
Abstract
North Korea’s state-sponsored cyber operations have evolved into a central pillar of its asymmetric strategy and regime survival. This study systematically evaluates the potential trajectories of North Korea’s cyber ecosystem through 2035, utilizing Dator’s Four Alternative Futures framework. The research explores four plausible scenarios: Cyber Leviathan (Growth), Lazarus Unchained (Collapse), Regulated Darknet (Discipline), and Digital Phoenix (Transformation). These futures are structured around critical drivers, including nuclear-missile linkage, international sanctions, and the 2024 Russia-DPRK Comprehensive Strategic Partnership. Drawing on OSINT and UN reports, the analysis reveals that cyber activities, generating an estimated $6.75 billion cumulatively by 2025, have become institutionalized instruments of revenue, deterrence, and strategic coercion. Findings indicate that while “Lazarus Unchained” represents the most destabilizing trajectory due to uncontrolled capability proliferation, “Regulated Darknet” offers the policy-preferred outcome through multilateral deterrence. Ultimately, the study concludes that anticipatory governance and forward-looking analysis are essential to transition from reactive containment toward sustainable digital stability in an increasingly fragmented global security landscape.
Keywords
North Korea, foresight analysis, Lazarus Group, anticipatory governance, asymmetric warfare
Introduction
North Korea occupies a paradoxical position in the global security landscape: it is both an isolated, sanctions-bound state and an increasingly adaptive digital power. For decades, the regime has been framed as a “rogue actor,” “terrorist sponsor state,” and a member of the “Axis of Evil” (Bush, 2002; Litwak, 2000; Manyin et al., 2016). Its persistent pursuit of nuclear weapons and intercontinental ballistic missiles (ICBMs) since the 1990s has entrenched the Korean Peninsula as one of the world’s most militarized and volatile regions (UNSC, 2023). These behaviors have prompted successive waves of multilateral sanctions designed to restrict its economic and strategic options, yet the regime has demonstrated a remarkable ability to innovate under constraint. As Kim (2022) observes, North Korea has systematically transformed technological disadvantage into asymmetric advantage, converting its digital apparatus into what Kim Jong-un himself has termed a “multipurpose weapon” that guarantees the military’s ability to attack relentlessly alongside nuclear weapons and missiles.
In the twenty-first century, North Korea’s adaptive capacity has increasingly manifested in the digital domain, representing a qualitative shift from physical deterrence toward digital coercion. Unlike conventional provocations, cyber operations provide a low-cost, high-impact mechanism for projecting power while minimizing direct military confrontation. As Bruce (2012) observes, early modernization through controlled internal infrastructure established the foundation for an externally aggressive cyber ecosystem. This evolution from administrative digitization has culminated in a globally networked apparatus, epitomized by the Lazarus Group, institutionalized for revenue generation, intelligence collection, and geopolitical signaling (Kshetri, 2021). Consequently, the Lowy Institute Asia Power Index (2024) ranks North Korea seventh in Asia, surpassing major regional powers, while the Belfer Center (2022) positions Pyongyang fourteenth globally, with significant ratings in financial and offensive capabilities (Sharma, 2024). This transition underscores the sophisticated integration of cyber tools into the regime’s broader national security architecture.
North Korea’s state-sponsored cyber operations have become a central pillar of its asymmetric national strategy and survival logic. Facing chronic resource shortages, diplomatic isolation, and sustained sanctions, the regime has increasingly turned to cybercrime, espionage, and digital disruption to sustain both its economy and strategic leverage. These operations, spanning ransomware, cryptocurrency theft, and infrastructure sabotage, illustrate a form of asymmetric power projection in which code, rather than conventional force, is weaponized to offset economic weakness and international marginalization (Rid, 2020; Perlroth, 2021). According to South Korea’s National Intelligence Service (NIS), North Korea’s cybercrime personnel expanded from 6,800 in 2022 to 8,400 by 2024, reflecting a deliberate strategic investment in human capital for digital warfare (NIS, 2024). The UN Panel of Experts estimated that North Korea generated approximately USD 3 billion through cyber operations between 2017 and 2023, funds directly tied to missile and nuclear development, with U.S. Deputy National Security Adviser Anne Neuberger publicly assessing that these cyber-derived revenues fund at least half of North Korea’s nuclear weapons program (Neuberger, 2024).
North Korea’s cyber evolution comprises three distinct phases: Experimentation (2009–2014), Normalization (2015–2017), and Weaponization (2018–2025). The experimental stage featured rudimentary attacks against South Korea and the U.S., marked by traceable operational flaws (Sharma, 2024). The subsequent normalization phase saw the professionalization of units under the Reconnaissance General Bureau. Most recently, the weaponization phase represents the total integration of cyber operations into national economic strategy, specifically targeting cryptocurrency exchanges and decentralized finance. Jun, LaFoy, and Sohn (2015) highlight that such asymmetric capabilities enable Pyongyang to exploit adversary vulnerabilities with minimal escalation risk. This strategy has proven highly lucrative: Chainalysis (2025) reports that North Korean actors stole $2.02 billion in 2025 alone, a 51% increase from the previous year, raising the cumulative theft since 2016 to approximately $6.75 billion. Consequently, cyber-enabled financial crime now serves as a primary pillar of the regime’s strategic and economic resilience.
This study therefore aims to enhance the global community’s capacity to anticipate and respond to such cyber threats by systematically analyzing the evolution and possible futures of North Korea’s hacking ecosystem. Using the Four Alternative Futures foresight framework (Dator, 2009), it explores four plausible trajectories for North Korea’s cyber strategy toward 2035, ranging from continued criminal expansion to potential normalization under a cooperative international order. The theoretical significance of this research lies in its integration of foresight methodology with security studies, addressing a persistent gap in the literature that Kim (2022) identifies as the tendency to analyze individual incidents rather than the structural logic underlying Pyongyang’s cyber strategy.
Methodologically, this study integrates (1) empirical analysis of six major cyber incidents (2014–2025), (2) systemic mapping of organizational interconnections within the RGB and its sub-cells (e.g., Lazarus, APT38, TraderTraitor), and (3) foresight-based scenario building informed by three months of interdisciplinary expert consultations. Through this multi-level approach, the research situates North Korea’s cyber operations within broader academic debates on asymmetric interdependence and authoritarian resilience. The study identifies three primary strategic objectives: offsetting conventional military limitations, inciting social disruption, and generating revenue for regime survival (Kim, 2022). Ultimately, this investigation illuminates how the cyber domain functions simultaneously as a survival mechanism and a disruptive geopolitical force. Aligning with Harold et al. (2022), the study argues that analyzing North Korea’s digital evolution requires a shift from reactive assessments toward anticipatory frameworks capable of projecting how emerging technologies will amplify the regime’s already formidable cyber arsenal.
Literature Reviews and Research Methodology
Literature Review
Existing scholarship provides valuable insights into North Korea’s cyber activities, examining strategic motivations, hacking incidents, and international responses. Research has addressed diverse issues, including cyber deterrence, sanctions evasion, and digital authoritarianism (MOFA, 2025; Baek, 2024). Nevertheless, significant limitations remain. Much of the literature is fragmented, event-driven, and constrained by North Korea’s pervasive secrecy. Empirical analyses frequently focus on specific incidents or forensics, often neglecting the broader structural logic and evolutionary trajectory of Pyongyang’s cyber strategy. Moreover, current studies typically prioritize the effects of cyber operations over the strategic mechanisms that sustain them within the regime’s survival architecture (Roshan, 2025). This study addresses these gaps by synthesizing tactical data into a long-term strategic foresight framework.
Research situates North Korea within the broader literature on asymmetric power, emphasizing how materially weak or sanctioned states leverage digital tools to offset conventional inferiority. Lindsay (2013) and Valeriano & Maness (2015) describe cyber power as an “equalizing potential” that allows small states to challenge major powers without overt escalation. In this context, North Korea’s cyber operations function as a low-cost substitute for kinetic warfare and serve as an instrument of strategic coercion conducted under plausible deniability. Despite chronic infrastructure deficits, empirical evidence shows North Korea has become a formidable cyber actor by exploiting systemic vulnerabilities and the decentralized structure of cyberspace. Scholars argue the regime’s strategy is structurally embedded, employing digital attacks to erode allied military superiority and impose asymmetric costs on adversaries at minimal risk.
North Korea’s cyber trajectory is inseparable from its authoritarian governance model. Bruce (2012) first conceptualized information technology in North Korea as a “double-edged sword” that simultaneously modernized bureaucratic administration while reinforcing ideological control. This aligns with Greitens (2020), who theorizes authoritarian innovation as the strategic adoption of technology to enhance regime durability. Domestically, the Kwangmyong intranet and Koryolink mobile network serve dual purposes of surveillance and elite coordination (Bruce, 2012), fostering a technically skilled cadre later mobilized for offensive operations (Park, 2022).
North Korea’s state-sponsored cyber operations have evolved into a central pillar of its asymmetric national strategy and survival logic. Faced with chronic resource scarcity and diplomatic isolation, the regime has weaponized code to offset economic marginalization (Rid, 2020). This transition is marked by a significant expansion in human capital; according to South Korea’s National Intelligence Service (NIS), North Korea’s cyber personnel grew from approximately 6,800 in 2022 to 8,400 by 2024 (NIS, 2024).
This professionalization facilitates a direct link between digital crime and military expansion. The UN Panel of Experts estimated that the regime generated approximately USD 3 billion through cyber operations between 2017 and 2023, funds inextricably tied to its missile and nuclear programs (UNSC, 2017). This assessment is reinforced by U.S. Deputy National Security Adviser Anne Neuberger, who publicly noted that cyber-derived revenues now fund at least half of North Korea’s nuclear weapons program (Neuberger, 2024).
A growing body of sanctions scholarship highlights cyber-enabled evasion as a frontier in economic statecraft. Stringent sanctions, particularly UN Security Council resolutions 1718, 2375, and 2397, restricted conventional trade, pushing the regime toward cryptocurrencies, ransomware, and remote IT-worker networks (Mallory, 2021; UNSC, 2017). Evidence of state-sponsored digital profiteering is mounting, with cyber theft emerging as a consistent revenue stream for Pyongyang’s weapons programs (Baek, 2024). This shift from politically motivated hacking to profit-driven operations signals a strategic realignment toward fiscal resilience under sanctions. UN Panel of Experts reports estimate that North Korea generated roughly USD 3 billion through cyber operations between 2017 and 2023, funds directly tied to missile and nuclear development (DW.Com, 2024).
Research Purpose and Methodological Framework
This study addresses a critical research gap in cybersecurity scholarship by introducing long-term strategic foresight into a field historically dominated by reactive, incident-based analysis. While existing research provides forensic reconstructions of tactical campaigns, it rarely synthesizes these insights into coherent projections of North Korea’s strategic trajectory. Consequently, this investigation is guided by two central inquiries: (1) the potential level of sophistication and severity of North Korean cyber operations by 2035, and (2) the strategic frameworks necessary for the international community to mitigate these evolving risks.
For analytical precision, this study operationalizes “severity” as the magnitude of systemic disruption across financial, geopolitical, and infrastructural dimensions, while “sophistication” is defined through technical metrics including defense evasion, operational security, and tactical innovation. To navigate the challenges of regime opacity, the research utilizes a qualitative foresight approach grounded in cross-validated open-source intelligence and Dator’s (2009) Four Alternative Futures framework, comprising Continuation, Collapse, Discipline, and Transformation.
The research design adopts a triangulated methodology. First, a longitudinal analysis of six major cyber incidents (2014–2025) establishes a baseline for the regime’s technical maturation and its operational shift toward revenue generation. Second, systemic mapping delineates organizational interconnections between the Reconnaissance General Bureau (RGB), Bureau 121, and specialized sub-cells such as Lazarus, APT38, and TraderTraitor. This mapping situates the cyber apparatus within a “sanctions evasion architecture” that integrates cryptocurrency laundering and covert IT labor (Mallory, 2021). Third, the study incorporates foresight scenario building to identify “weak signals” often overlooked by traditional security assessments. Finally, methodological rigor was ensured through a structured, three-stage expert consultation process (May–September 2025) involving five interdisciplinary specialists in cybersecurity forensics, East Asian political economy, and futures studies.
This study utilized a three-stage validation process. In Stage 1 (May 2025), five experts weighted five structural variables, including nuclear-missile linkage and regime stability, during a two-day workshop. Stage 2 (July 2025) involved individual semi-structured interviews (90–120 minutes) to evaluate scenario consistency, challenge assumptions, and refine threat indicators. Finally, in Stage 3 (September 2025), the specialists reconvened to collectively assess revised scenarios, refine policy recommendations, and establish consensus on analytical boundaries. This structured engagement ensured the empirical plausibility and strategic utility of the foresight framework through rigorous interdisciplinary qualitative assessment.
This iterative consultation process ensured methodological rigor while acknowledging the inherent uncertainties in forecasting the behavior of highly secretive regimes. By integrating collective deliberation (Stages 1 and 3) with individual expert elicitation (Stage 2), the study balanced consensus-building with the preservation of specialist insights. The resulting scenarios represent not predictive certainties but plausible, internally coherent trajectories grounded in empirical trends and expert-validated assumptions.
North Korea’s Cyber Operations
North Korea-Linked Cyber Operations (2014–2025)
Over the past decade, North Korea’s cyber program, orchestrated by the Lazarus Group under the Reconnaissance General Bureau (RGB), has evolved from political sabotage into a systemic instrument of financial warfare, generating billions in illicit revenue while challenging global governance (Baek, 2024). This trajectory reflects what Kim (2022) characterizes as a strategic pivot from politically motivated operations to institutionalized revenue generation, driven by intensified sanctions and the regime’s imperative for survival. Six major incidents define this evolution (Table 1).
The cyber entities detailed in Table 1 operate within North Korea’s military intelligence apparatus under the strategic oversight of the Reconnaissance General Bureau (RGB). The Lazarus Group serves as the primary umbrella organization, encompassing specialized sub-cells with distinct missions. APT38/BlueNoroff (~1,700 members) focuses on the financial exploitation of banks and cryptocurrency to fund weapons development, with its sub-cell, TraderTraitor, specializing in decentralized finance (DeFi). Andariel (~1,600 members) executes dual-purpose operations, combining defense-sector espionage with healthcare ransomware. Hidden Cobra remains the 2017 U.S. government designation for this entire integrated infrastructure. Bureau 121 (reorganized as “Lab 110”) functions as the core cyberwarfare unit managing personnel deployed internationally. These entities maintain tactical autonomy while ensuring strategic coordination, collectively constituting a sophisticated “sanctions evasion architecture” that transcends simple criminal enterprise.
The Sony Pictures attack (2014) marked North Korea’s emergence as a coercive cyber actor. The FBI attributed the breach to North Korean actors based on malware similarities, encryption algorithms, and code patterns (FBI, 2014). The attack combined data destruction with threats to suppress The Interview, representing the first documented state use of cyber tools to enforce cultural censorship abroad. The DOJ subsequently charged programmer Park Jin-hyok, establishing precedent for individual accountability in state-sponsored operations (DOJ, 2018).
Table 1: Major North Korea-Attributed Cyber Operations (2014-2025)
| Year | Incident | Loss (US$ M) | Description | Suspected Entity |
| --- | --- | --- | --- | --- |
| 2025 | Bybit Crypto Exchange Heist (Singapore) | $1,500 | Largest crypto-exchange theft to date. Used AI-driven phishing and cross-chain laundering. | Lazarus Group / TraderTraitor (APT38 sub-cell) |
| 2022 | Ronin Bridge / Axie Infinity Hack | $620 | Exploited cross-chain vulnerabilities. Led to U.S. Treasury sanctioning. | Lazarus Group / APT38 (BlueNoroff) |
| 2016 | Bangladesh Central Bank | $81 | Hackers infiltrated SWIFT network to initiate fraudulent transfers. | Lazarus Group / APT38 (BlueNoroff) |
| 2017 | WannaCry Ransomware Attack (Global) | $4,000–8,000 | Worm-like ransomware using NSA’s EternalBlue | Lazarus Group / Hidden Cobra Umbrella Network |
| 2018 | Coincheck Cryptocurrency Hack (Japan) | $530 | Revealed North Korea’s pivot to crypto-based sanctions evasion. | Lazarus Group / Andariel sub-unit |
| 2014 | Sony Pictures Hack (USA) | $15 | Politically motivated attack targeting ‘The Interview’. Used wiper malware. | Bureau 121 / Lazarus affiliates (RGB) |
Source: compiled by the author
The Bangladesh Bank heist (2016) demonstrated systematic financial exploitation. Operatives attempted to steal $1 billion via SWIFT, diverting $81 million before intervention. According to a 2020 U.S. Army report, BlueNoroff comprises approximately 1,700 members dedicated to financial cybercrime, targeting institutions across 16 organizations in 13 countries (U.S. Army, 2020). This attack confirmed cybercrime’s emergence as a state revenue mechanism (Egloff & Smeets, 2020).
The WannaCry outbreak (2017) escalated threats globally. Propagating via the NSA’s “EternalBlue” exploit, the malware disrupted services across 150 countries, including the UK’s NHS, causing $4–8 billion in damages. Its indiscriminate nature blurred distinctions between cybercrime and state aggression.
The Coincheck hack (2018) saw $530 million in NEM tokens stolen, prompting Japanese regulatory reforms and exemplifying Pyongyang’s integration of cryptocurrency theft into sanctions-evasion strategy. The Ronin Bridge breach (2022), involving $620 million, marked the apex of DeFi operations, prompting the U.S. Treasury to sanction cryptocurrency wallet addresses for the first time (DOT, 2022).
The Bybit heist (February 2025) resulted in the theft of $1.4–1.6 billion, the largest crypto-exchange heist in history. The attack employed AI-driven phishing and cross-chain laundering via China and Russia, triggering G7 and FATF emergency actions (Chainalysis, 2025; Elliptic, 2025). Investigators traced multiple rounds of cross-chain swaps between Bitcoin, Ethereum, BTTC, and Tron, utilizing obscure protocols and self-issued tokens to disguise origins.
Collectively, these incidents demonstrate a transition from symbolic retaliation to institutionalized exploitation. Chainalysis (2025) reports North Korean hackers stole $2.02 billion in 2025 alone, a 51% increase from 2024, bringing cumulative theft since 2017 to $6.75 billion, representing 60% of global cryptocurrency theft (Elliptic, 2025). The political reverberations have catalyzed unprecedented U.S.–ROK–Japan trilateral cooperation. North Korea’s cyber apparatus now functions as what Baek (2024) terms “a structural pillar of digital authoritarian resilience.”
North Korean Cyber Command Operations: Structure and Evolution
North Korea’s cyber command represents a multi-tiered ecosystem supporting political survival, economic resilience, and strategic deterrence. At the apex stands the Reconnaissance General Bureau (RGB), the principal intelligence and cyberwarfare agency (Fig. 1). As Mandiant (2022) observes, “it is a widely accepted understanding that North Korean cyber activity of any kind is most likely directed or controlled by the RGB.” Bureau 121 (reorganized as “Lab 110”) functions as the primary offensive unit, managing cyber personnel deployed abroad under diplomatic or commercial cover (UNSC, 2023).
The Lazarus Group serves as the central operational hub, integrating mission-specific sub-cells. APT38/BlueNoroff conducts financial heists, comprising approximately 1,700 members targeting financial institutions worldwide, with revenues channeled to weapons development (U.S. Army, 2020; FireEye, 2018). Andariel (approximately 1,600 members) engages in dual-purpose operations: cyber-espionage against defense sectors alongside ransomware attacks on healthcare. TraderTraitor represents recent adaptation toward exploiting DeFi vulnerabilities (CISA, 2022).

Fig. 1: Structures of North Korea’s Cyber Command (DOJ, 2018; DHS & FBI, 2017; DOT, 2022)
Collectively designated “Hidden Cobra” by the U.S. government, these entities share infrastructure, personnel, and malware codebases, including the repurposed EternalBlue exploit (DHS & FBI, 2017). Mandiant (2022) characterizes this evolved structure as “a streamlined organization with shared tooling and targeting efforts,” where operators rapidly shift focus between missions based on regime priorities rather than fixed mandates.
A critical 2024–2025 development involves systematic covert IT worker placement. A CoinDesk investigation (2024) identified North Korean operatives under false identities in major crypto projects, including Cosmos Hub, Injective, Fantom, Sushi, and Yearn Finance. Developer Zaki Manian observed that “the percentage of your incoming resumes… that are probably from North Korea is greater than 50% across the entire crypto industry” (CoinDesk, 2024). Chainalysis (2025) confirms North Korean actors are “increasingly achieving outsized results by embedding IT workers inside crypto services to gain privileged access.”
These operatives employ sophisticated TTPs: stolen identities, third-party intermediaries, and laptop farms in China. A 2024 UN report estimates North Korean IT workers generate $600 million annually, funding weapons programs and enabling reconnaissance for heists (UN, 2024). Amazon’s CSO reported blocking over 1,800 suspected operatives since April 2024, with attempts rising 27% quarterly. Talent cultivation occurs at Kim Il-sung Military University, Pyongyang University of Automation, and the Korea Computer Center (over 1,000 personnel, including 100+ PhDs). Elite operators deploy overseas under commercial cover in China, Russia, and Southeast Asia.
Overall, North Korea’s cyber command functions as a sophisticated asymmetric force multiplier, integrating espionage, illicit finance, insider infiltration, and sabotage into a unified digital warfare architecture that converts institutional capability into geopolitical leverage for an economically constrained regime.
Four Alternative Futures of North Korea’s Cyber Operations
The evolutionary trajectory of North Korea’s cyber power and its attendant strategic threat are fundamentally governed by five interdependent structural determinants: (1) the nuclear-missile nexus, (2) the international sanctions architecture, (3) digital marketization, (4) regime cohesion, and (5) strategic alignment with major powers. The identification of these variables aligns with scholarly consensus on North Korean systemic transformation (Cha, 2012; Lee & Seo, 2019), anchoring the analysis in empirically substantiated geopolitical and economic realities. To ensure methodological rigor, the analytical salience and relative weighting of these variables were validated through structured expert elicitation involving five interdisciplinary specialists in cyber intelligence, East Asian political economy, and strategic foresight. These structural forces define the parameters within which the cyber apparatus evolves along four divergent pathways: Cyber Leviathan, Lazarus Unchained, Regulated Darknet, or Digital Phoenix. This architecture is further modulated by two emergent variables of heightened strategic import since 2024: the operationalization of AI in offensive capabilities and the deepening Russia-DPRK cyber-strategic entente (Shin, 2025; Daily NK, 2024).
Key Drivers and Four Alternative Futures
The evolutionary trajectory of North Korea’s cyber operations is determined by five interconnected structural drivers, which define the boundaries of the four alternative futures (Table 2). These drivers were systematically identified and validated through the Stage 1 expert workshop (May 2025), in which all five interdisciplinary specialists collectively assessed variable selection, weighting, and interdependencies, as detailed in Section 2.2. Their derivation is thus anchored in the structured expert consultation process that forms the methodological foundation of this study. Nuclear and Missile Linkage defines the strategic purpose and financing mechanism of cyber operations. Cyber activities function as both financial lifelines for weapons programs and instruments of coercive leverage. According to U.S. Deputy National Security Adviser Anne Neuberger, cyber-derived revenues fund approximately 50% of North Korea’s nuclear weapons program (NIS, 2024). The linkage dictates scenario outcomes: Growth yields a “Digital Byungjin” model financing nuclear modernization; Collapse severs the link resulting in fragmented cybercrime; Discipline introduces monitoring; and Transformation redefines capability as an innovation engine (Kim & Polito, 2019).
Table 2: Scenario Matrix for the Alternative Futures of North Korea’s Cyber Operations
| Four Futures | Discipline (Regulated Darknet) | Growth (Cyber Leviathan) | Transformation (Digital Phoenix) | Collapse (Lazarus Unchained) |
| --- | --- | --- | --- | --- |
| Degree of Control | High | High | Low | Low |
| Degree of Integration | Low | High | Low | High |
| Key Characteristics | Controlled transition | AI-driven cyberstate | Dual-use modernization | Unstable regime |
| | Joint cyber deterrence | Crypto-WMD linkage | Legal fintech exports | Rogue hackers |
| | Professionalized intelligence | State-sponsored mercenaries | Comprehensive reform | Loss of command |
| | U.S.-ROK-Japan coordination | China-Russia enablement | Conditional reintegration | Cyber anarchy |
Source: compiled by the author
The International Sanctions Regime simultaneously constrains and stimulates North Korea’s digital innovation, forcing the pivot toward cyber-enabled revenue networks. The 2024 trilateral coordination among the U.S., South Korea, and Japan, including December 2024 sanctions targeting RGB head Ri Chang-ho, represents intensified enforcement (CSIS, 2025a). However, the dissolution of the UN Panel of Experts in 2024 weakened multilateral forensic capacity, creating enforcement asymmetries that sustain the shadow financial ecosystem.
Digital Marketization and Economic Openness shapes the structural relationship between technological development and regime control. The regime’s capacity for controlled digital innovation is evidenced by its AI ecosystem development: a 38 North study revealed North Korea’s mature machine learning capabilities spanning government, academic, and commercial sectors, with applications in nuclear safety optimization and military simulation (Lee & Seo, 2019; Shin, 2025).
Regime Stability and Ideological Control determines the durability of the cyber apparatus through ideological centralization and direct party oversight. The March 2025 establishment of “Research Center 227,” a dedicated AI-focused cyber warfare unit under the RGB developing offensive hacking capabilities for espionage, financial theft, and network disruption, signals institutionalized investment in next-generation offensive capabilities. The facility operates continuously with over 90 cybersecurity professionals.
External Relations, particularly the November 2024 Comprehensive Strategic Partnership Treaty with Russia, fundamentally reshapes North Korea’s cyber operational envelope. The treaty includes provisions for mutual defense in cyberspace, cooperation in artificial intelligence, and joint efforts to shape international cybersecurity norms (CSIS, 2025b). Security researchers at Gen Digital (2025) identified potential infrastructure overlap between Lazarus and Russia’s Gamaredon group; if confirmed, this would represent the first documented case of Russian-North Korean cyber collaboration, marking a paradigm shift toward what analysts term “alliance cyber operations” (Yun, 2025).
First Alternative: Growth. “The Cyber Leviathan”
This scenario projects a trajectory of institutionalized expansion, where North Korea’s cyber apparatus matures into the definitive nucleus of a disciplined, state-supervised digital economy. Within this archetype, the “Digital Byungjin” model represents the logical climax of current trends: the total fusion of economic survival with absolute political control through technological self-sufficiency.
Logical Foundation: The “Cyber Leviathan” is characterized by the successful integration of offensive cyber capabilities into the permanent bureaucracy of the Westphalian state. It is not a shift in kind, but a massive expansion in scale. As Chainalysis (2025) documents, the current “industrial-level efficiency” of North Korean actors suggests a future where cyber-industrial complexes like Research Center 227 function as semi-official state enterprises. In this future, the state remains the primary actor, using AI-augmented reconnaissance and automated money laundering to sustain a centralized, sovereign treasury. Externally, this growth is facilitated by a deepening Eurasian digital bloc, where the 2024 Comprehensive Strategic Partnership Treaty provides the legal and technical infrastructure for long-term capability maturation (OSINT Insider, 2025).
Second Alternative: Collapse. “Lazarus Unchained”
The “Collapse” scenario envisions the disintegration of centralized sovereignty, where the regime loses its monopoly over its most lethal strategic asset. Unlike a total state failure, this is a “cyber-specific” collapse where the digital sword breaks free from the hand of the sovereign, resulting in a diaspora of unbound cyber mercenaries.
Logical Foundation: This archetype stems from a fatal misalignment between structural overreliance on cyber-revenue and the increasing friction of global surveillance (Baek, 2024). When central oversight fails due to economic exhaustion or internal instability, the disciplined state units fracture into competing rogue factions. These “ghost legions” (Clarke & Knake, 2020) commercialize state-developed AI malware for private gain, creating a market-driven network of decentralized threat actors. The global consequence is a total attribution crisis; as the source of attacks becomes unidentifiable and privatized, conventional deterrence mechanisms, which rely on state-to-state signalling, undergo a terminal paralysis (Lindsay, 2013).
Third Alternative: Discipline. “The Regulated Darknet”
The “Discipline” scenario projects a future defined by containment and normalized constraints. In this trajectory, North Korea’s cyber operations are not eliminated but are “bounded” within a highly regulated global digital order, shaped by the hardening of multilateral surveillance and the imposition of international norms.
Logical Foundation: This future is driven by the institutionalization of “offensive cyber defense” postures by the U.S.–ROK–Japan framework (CSIS, 2024). The pathway to discipline is paved by technological “friction”: AI-driven real-time threat detection and advanced blockchain forensics (Chainalysis, 2025) make illicit operations economically and diplomatically untenable. Under this pressure, Pyongyang is forced to accept a “restrained cyber power” status (Valeriano et al., 2018). In this hybrid environment, China plays a decisive role as a “digital disciplinarian,” ensuring that North Korea’s digital evolution remains contained within a Sino-centric technological sphere that prioritizes regional financial stability over disruptive rogue activity.
Fourth Alternative: Transformation. “Digital Phoenix”
The “Transformation” scenario represents a fundamental paradigm shift in the nature of the North Korean state. Rather than merely adapting its economy, the regime achieves a “non-linear evolution” by transcending physical borders and traditional Westphalian sovereignty to become the world’s first Decentralized Virtual Rogue State.
Logical Foundation: In this archetype, the “Digital Phoenix” does not simply “rebrand” to legitimate IT work; it reinvents the state as a digital entity that exists primarily within the interstices of global code and finance. Faced with the obsolescence of traditional sanctions, the regime de-territorializes its power. AI agents and autonomous blockchain protocols are deployed not just as tools, but as sovereign actors that generate revenue and conduct diplomacy in virtual spaces.
By 2035, North Korea evolves into a “meta-state” where technological achievement is used to bypass the physical constraints of the international system entirely. The integration of AI for pattern optimization and facial recognition (Shin, 2025) shifts from “crime” to the creation of a proprietary, parallel financial architecture. This transformation represents a paradoxical rebirth: North Korea survives by ceasing to function as a traditional nation-state, instead operating as a high-tech, sovereign digital collective that renders physical isolation irrelevant.
Strategy for the Preferred Future
This section explores strategies for North Korea’s preferred future in the cyber domain, viewed from the regime’s perspective. Drawing on the four alternative futures scenarios and their qualitative assessment, the analysis identifies trajectories that best align with Pyongyang’s core objectives: regime survival, revenue generation for weapons programs, asymmetric deterrence, and evasion of international constraints.
Qualitative Assessment of Future Scenarios: Risk and Preference
Among the four projected cyber futures, namely Cyber Leviathan (Growth), Lazarus Unchained (Collapse), Regulated Darknet (Discipline), and Digital Phoenix (Transformation), the Collapse scenario represents the most dangerous and destabilizing outcome, whereas the Discipline scenario embodies the most desirable and stable equilibrium for both regional and global cybersecurity governance (DOJ, 2018). Given North Korea’s status as a geopolitical “black box” where quantitative data remains unavailable or unverifiable, this comparative assessment employs a qualitative framework informed by the five interdisciplinary specialists consulted during scenario development. The framework integrates multiple analytical elements across three dimensions: attribution stability, deterrence credibility, and proliferation containment (Table 3).
In the Collapse scenario, North Korea’s centralized cyber command deteriorates amid elite fragmentation, fiscal collapse, and internal political instability. The once tightly coordinated cyber apparatus splinters into autonomous, mercenary factions operating beyond state control. This fragmentation produces what Lindsay (2013) identifies in his analysis of cyber warfare limitations as the “attribution crisis,” a strategic paralysis wherein the source of attacks becomes unidentifiable, rendering conventional deterrence and response mechanisms ineffective. The operational sophistication documented in recent North Korean heists, including multi-stage cross-chain laundering through obscure blockchains, the creation of self-issued tokens for obfuscation, and exploitation of “refund addresses” to redirect assets (Elliptic, 2025; TRM Labs, 2025), demonstrates capabilities that, if decentralized through regime collapse, would proliferate beyond any containment framework. Should state oversight collapse, these semi-autonomous cells could evolve into fully privatized cyber mercenary enterprises, selling sophisticated digital weapons, AI-driven malware, and zero-day exploits to terrorist organizations, organized crime networks, or rogue states.
Table 3: Qualitative Risk Assessment of Four Alternative Scenarios
| Scenario | Probability | Risk Level | Strategic Outcome |
| Cyber Leviathan | Moderate | Medium | State-controlled expansion of cyber power; sustained but manageable threat. |
| Lazarus Unchained | Low–Moderate | Very High | Loss of control; stateless proliferation of malware and cyber mercenaries. |
| Regulated Darknet | High | Low | Stable deterrence and limited cooperation within global cyber governance. |
| Digital Phoenix | Low | Low–Medium | Gradual reform and partial reintegration, but politically improbable. |
Source: compiled by the author
Preferred Future Strategy
Over the next decade, North Korea’s cyber operations will remain a persistent, systemic threat tied to the regime’s survival logic. The 2025 record of $2.02 billion in cryptocurrency theft, bringing cumulative losses to $6.75 billion since 2016, demonstrates that cyber revenue constitutes a structural pillar of regime financing (Chainalysis, 2025; Elliptic, 2025). The international community must pursue a dual-track strategy: (1) shaping the environment toward a “Regulated Darknet” where offensive behavior is bounded, and (2) preventing the Collapse scenario where capabilities proliferate uncontrollably. This requires anticipatory governance integrating intelligence sharing, sanctions, and technological monitoring across the U.S.–ROK–Japan alliance (Valeriano & Maness, 2018).
Strategic Priority 1: Deterrence and Containment Framework
The first priority is establishing sustainable deterrence using Deterrence by Denial and Coercive Transparency to make illicit activities economically unprofitable. As Matt Pearl of CSIS observed, “the traditional tools we have had have not worked” (NBC News, 2025), necessitating a paradigm shift from reactive sanctions to proactive denial.
Attribution and Verification Regime (AVR): Rapid, credible attribution is foundational to deterrence. A joint AVR should operationalize the UN Convention against Cybercrime’s provisions for mutual legal assistance and evidence preservation, which enter into force upon ratification by 40 countries (UNODC, 2024). Building on the U.S.–ROK Strategic Cybersecurity Cooperation Framework (2023) and December 2024 sanctions targeting RGB head Ri Chang-ho, the AVR would systematize real-time intelligence fusion across the trilateral alliance (CSIS, 2025b).
Blockchain Forensics and Financial Interdiction: North Korean laundering has evolved toward “Chinese Laundromat” infrastructure, specifically WeChat-based OTC settlement networks operating off-blockchain (TRM Labs, 2025). Effective interdiction now requires typology-driven detection of laundering stacks (bridges, mixers, casinos, OTC traders), not merely static blocklists. The Multilateral Sanctions Monitoring Team (MSMT), established October 2024 by eleven nations following Russia’s veto of the UN Panel of Experts, exemplifies necessary institutional innovation (ORF, 2025).
Strategic Priority 2: Anticipatory Resilience
The second priority is building resilience against collapse-induced cyber diffusion through Digital Defense-in-Depth. The WEF/CLTC Cybersecurity Futures 2030 initiative provides methodological guidance, emphasizing foresight-focused scenario planning to address “risks that exist just over the horizon” (WEF/CLTC, 2023).
The trilateral alliance has institutionalized joint exercises including “Freedom Edge” and “Freedom Shield” (CSIS, 2025b). Private sector integration is equally critical: blockchain analytics firms enable law enforcement to “identify, track, and interdict illicit flows” with increasing effectiveness (Chainalysis, 2025). The December 2024 OFAC designation of Chinese OTC trader Lu Huaying demonstrates expanding public-private enforcement coordination.
Strategic Priority 3: Futures Governance
Following Dator’s (2009) anticipatory governance framework, a Scenario Dashboard should track five key variables: nuclear-cyber linkage, sanctions efficacy, digital marketization, regime stability, and external alignment (Lee & Seo, 2019). Currently, the U.S.–ROK Senior Steering Group (SSG) remains ad hoc, and the bilateral Working Group has not convened since September 2024 (CSIS, 2025a). Regularizing these platforms is essential for structural consolidation.
China and Russia’s Role
China’s position as both enabler and potential constraining force is strategically decisive. Chinese underground banking networks now constitute primary North Korean laundering infrastructure following Western sanctions against Tornado Cash and Sinbad (TRM Labs, 2025). However, China signed the UN Convention against Cybercrime in October 2025 (Just Security, 2025). Engaging Beijing through the Convention’s implementation mechanisms represents a potential pathway to disciplining the financial architecture sustaining Pyongyang’s operations. The Discipline scenario’s effectiveness ultimately depends on whether China prioritizes international legitimacy over strategic alignment with Pyongyang. In addition, Russia’s strategic recalibration, as it weighs the costs of deepened North Korean alignment against potential Western sanctions and the risks of cyber escalation, will determine whether Moscow emerges as a stabilizing constraint or an accelerant to Pyongyang’s destabilizing operations.
Conclusion
The evolution of North Korea’s cyber capabilities represents a fundamental paradigmatic shift in the contemporary architecture of international security governance. What commenced as an auxiliary mechanism for illicit currency generation has metamorphosed into a permanent, systemic pillar of Pyongyang’s asymmetric national strategy, a transformation that fundamentally challenges the epistemological foundations of traditional deterrence theory. Through the deliberate synthesis of technological innovation with totalitarian state control, North Korea has successfully decoupled its economic survival from the structural constraints of the Westphalian financial order. This represents what scholars have termed the operationalization of an “A-Symmetry Model” of authoritarian sovereign resilience (MSMT, 2025), wherein technological asymmetry compensates for conventional military and economic disadvantages.
Notwithstanding incremental advances in international cybersecurity cooperation, the prevailing global response apparatus remains fundamentally trapped within a reactive paradigm that this study characterizes as an “enforcement asymmetry” that systematically privileges post-incident attribution over anticipatory prevention. The recent dissolution of critical multilateral oversight mechanisms, most notably the UN Security Council 1718 Panel of Experts, has exacerbated the temporal and cognitive velocity gap between North Korean adaptive innovation and international governance capacity. This institutional deficit underscores the urgent necessity for a comprehensive reconceptualization of threat mitigation frameworks.
Strategic Imperatives for Anticipatory Governance
To systematically address this expanding governance deficit, this research proposes a transition from reactive containment strategies to a comprehensive Anticipatory Governance Framework. This paradigm shift necessitates the integration of three mutually reinforcing strategic imperatives, each designed to enhance the resilience and adaptability of the international security architecture:
From Reactive Containment to Anticipatory Resilience
Contemporary global policy frameworks must transcend punitive, ex-post-facto measures and pivot toward systemic resilience engineering. This transformation requires the harmonization of decentralized finance (DeFi) regulatory architectures across jurisdictions, coupled with the establishment of a centralized, AI-augmented forensics authority capable of rendering illicit digital activities economically unviable before their operational execution (OECD, 2025). Such proactive intervention mechanisms would fundamentally alter the cost-benefit calculus confronting state-sponsored cyber actors, thereby enhancing the deterrent efficacy of international sanctions regimes.
From State-Centric Monitoring to Hybrid Intelligence Ecosystems
Effective governance in an era of increasingly autonomous cyber threat actors necessitates a fundamental epistemological transition from traditional state-led intelligence monopolies to hybridized, multi-stakeholder networks. By strategically integrating private-sector expertise in blockchain analytics, cryptocurrency forensics, and AI-driven threat detection systems, the international community can operationalize a “distributed surveillance” model commensurate with the inherently decentralized operational architecture of the Lazarus Group and its emerging successor factions. This networked approach enhances both the granularity and temporal responsiveness of threat identification mechanisms.
From Isolation to Normative Co-optation
While robust deterrence remains essential, international strategy must simultaneously pursue the incremental creation of regulated digital pathways and normative frameworks. By establishing clearly delineated cyber-norms and institutionally monitored channels for legitimate technological exchange, global actors can strategically incentivize the gradual co-optation of Pyongyang’s cyber capacity into predictable, transparent operational environments. This dual-track approach, which combines credible enforcement with conditional engagement, reduces the probability of non-linear escalation dynamics while preserving strategic flexibility in response to regime behavioral modification.
Theoretical Contribution and Significance
The principal academic contribution of this research resides in its methodological reorientation from predictive accuracy, which is an inherently problematic epistemological objective in contexts of radical uncertainty, toward the cultivation of anticipatory capacity. When analyzing North Korea, a paradigmatic geopolitical “black box” characterized by informational opacity and behavioral unpredictability, conventional threat assessment methodologies frequently fail to adequately account for discontinuous, non-linear disruptions in state behavior. By systematically applying Dator’s Four Alternative Futures framework to the cyber-AI nexus, this study transcends present-oriented empirical analysis to construct a multi-dimensional perspective encompassing diverse high-impact trajectories. While the accuracy of data on North Korea’s internal cyber operations remains inherently constrained by the regime’s opacity, a limitation this study transparently acknowledges, the scenarios constructed here are grounded in verifiable evidence from technical attribution analyses, UN investigative reports, and cross-validated open-source intelligence rather than speculation, with all factual claims traceable to cited sources.
This research empirically demonstrates that the strategic value of futures-oriented scholarship inheres not in the achievement of predictive precision, a fundamentally elusive objective given the stochastic nature of complex adaptive systems, but rather in the systematic expansion of policymakers’ cognitive horizons to facilitate preparedness for multiple plausible trajectories. The conceptualization of the “Digital Phoenix” scenario as a Decentralized Virtual Rogue State furnishes a novel theoretical lens through which to examine the future transformation of sovereignty and statecraft in the digital epoch. This heuristic device enables more sophisticated analysis of how authoritarian regimes may exploit emerging technologies to circumvent traditional instruments of international pressure.
Ultimately, this study advances the field of futures studies by providing a methodologically rigorous, empirically grounded, and theoretically coherent model for Anticipatory Governance under conditions of extreme informational opacity. A number of recent studies have called for a shift from reactive crisis management toward more anticipatory and resilience-based cyber strategies. Building on this emerging literature, the present analysis applies Dator’s four alternative futures framework to North Korea’s cyber operations and integrates two recent developments, namely AI augmentation of offensive tactics and deepening Russia–North Korea cyber ties, as modulating variables. While the study makes no claim to originality in the broader methodological shift it reflects, it seeks to offer a concrete, case-specific illustration of how structured foresight tools may assist policymakers in anticipating and preparing for multiple plausible trajectories of one of the most elusive state cyber actors.
Methodological Reflections and Future Directions
Applying Dator’s Four Alternative Futures framework to North Korean cyber operations yielded critical methodological insights. The most valuable lesson: futures methodology does not require perfect data to generate strategic value, but demands transparent acknowledgment of evidentiary boundaries. The structured scenario development process forced explicit articulation of what we can verify (documented cyberattacks, technical capabilities), reasonably infer (organizational structures, strategic motivations), and what remains unknowable (internal decision-making, exact resource allocations). Expert validation proved essential, not merely for technical accuracy but also for challenging implicit assumptions and preventing single-researcher cognitive biases from distorting scenario plausibility.
While this analysis employs rigorous open-source intelligence methods, North Korea’s extreme secrecy inherently limits empirical precision. Three constraints warrant acknowledgment: organizational intelligence remains fragmentary; strategic decision-making processes are opaque; and technological capabilities are only partially observable post-facto. However, North Korea’s core strategic logic exhibits remarkable continuity that partially mitigates these limitations. The regime’s overriding objective of ensuring Kim dynasty survival has remained constant. What has shifted is the mechanism: cyber operations now constitute the most cost-effective survival strategy available. Unlike nuclear tests triggering international condemnation, cryptocurrency theft generates billions in untraceable revenue without provoking military responses. Cyber capabilities have emerged as the new “asymmetric equalizer,” supplanting traditional reliance on weapons of mass destruction programs, and providing an analytical anchor for scenario projections grounded in stable motivational drivers even when operational details are uncertain.
Future research should pursue three directions, each acknowledging inherent data limitations: (1) developing probabilistic cryptocurrency flow models that quantify confidence intervals rather than claiming comprehensive network reconstruction, recognizing such models capture observable flows (the “tip of the iceberg”) rather than total illicit activity; (2) conducting scenario-specific policy simulations focused on process improvements rather than attempting to predict specific attack scenarios; and (3) tracking the strategic logic underlying tactical evolution rather than comprehensive tactics, techniques, and procedures (TTPs) cataloging, leveraging the regime’s strategic consistency to project plausible future trajectories despite operational intelligence gaps.
References
Baek, J. (2024). Digital Architecture of Control: North Korea’s Use of Technology to Consolidate Totalitarian Governance. Journal of Illiberalism Studies, 4(3), 11–27. https://doi.org/10.53483/XCQT3578.
Belfer Center. (2022). National Cyber Power Index 2022. Harvard Kennedy School.
Bruce, S. (2012). A Double-Edged Sword: Information Technology in North Korea 2012. East-West Center. https://www.jstor.org/stable/resrep06452.
Bush, G. W. (2002). State of the Union Address. United States Capitol.
Chainalysis. (2025). 2025 crypto theft reaches $3.4 billion [Crypto crime report]. https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/.
Cha, V. (2012). The Impossible State: North Korea, Past and Future. Random House. https://www.carnegiecouncil.org/media/series/39/20120607-the-impossible-state-north-korea-past-and-future.
CISA (Cybersecurity & Infrastructure Security Agency). (2022). TraderTraitor: North Korean state-sponsored APT targets blockchain companies (Alert AA22-108A). https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a.
Clarke, R.A., & Knake, R.K. (2020). The fifth domain: Defending our country, our companies, and ourselves in the age of cyber threats. Penguin Press.
CoinDesk. (2024). How DPRK hackers infiltrated the crypto industry. https://www.coindesk.com/tech/2024/10/02/how-north-korea-infiltrated-the-crypto-industry.
CSIS (Center for Strategic and International Studies). (2024). South Korea’s 2024 cyber strategy: A primer. Strategic Technologies Blog. https://www.csis.org/blogs/strategic-technologies-blog/south-koreas-2024-cyber-strategy-primer.
CSIS. (2025a). Hidden enablers: Third countries in North Korea’s cyber playbook. CSIS Korea Chair. https://www.csis.org/analysis/hidden-enablers-third-countries-north-koreas-cyber-playbook.
CSIS. (2025b). Mutual defense in cyberspace: Joint action on attribution. CSIS Korea Chair. https://www.csis.org/analysis/mutual-defense-cyberspace-joint-action-attribution.
Daily NK. (2024). Cyber allies: North Korea and Russia’s cyber partnership in the post-treaty era. https://www.dailynk.com/english/cyber-allies-north-korea-and-russias-cyber-partnership-in-the-post-treaty-era/.
Dator, J. (2009). Alternative futures at the Manoa School. Journal of Futures Studies, 14(2), 1–18. https://jfsdigital.org/wp-content/uploads/2014/01/142-A01.pdf.
DHS (U.S. Department of Homeland Security) & FBI (Federal Bureau of Investigation). (2017). Hidden Cobra – North Korea’s malicious cyber activities (TA17-164A).
DOJ (U.S. Department of Justice). (2018). North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions. https://www.justice.gov/archives/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and.
DOT (U.S. Department of the Treasury). (2022). North Korea-related sanctions: Designation of virtual currency addresses linked to Lazarus Group (OFAC Bulletin).
DW.Com. (2024). How crypto heists help North Korea fund its nuclear program. https://www.dw.com/en/how-crypto-heists-help-north-korea-fund-its-nuclear-program/a-68669802.
Egloff, F. J., & Smeets, M. (2020). Sandworm: a new era of cyberwar and the hunt for the Kremlin’s most dangerous hackers. Journal of Cyber Policy, 5(2), 326–327. https://doi.org/10.1080/23738871.2020.1808032.
Elliptic. (2025a). North Korea’s crypto hackers have stolen over $2 billion in 2025. Elliptic Blog. https://www.elliptic.co/blog/north-korea-linked-hackers-have-already-stolen-over-2-billion-in-2025.
Elliptic. (2025b). Chain-hopping emerges as defining money laundering method of 2025. Elliptic Blockchain Analytics. https://www.elliptic.co/blog/chain-hopping-defining-money-laundering-method-of-2025.
FBI (Federal Bureau of Investigation). (2014, December 19). Update on Sony investigation [Press release]. https://www.fbi.gov/news/press-releases/update-on-sony-investigation.
Gen Digital. (2025). Alliances of convenience: How APTs are beginning to work together. Gen Insights Research Blog. https://www.gendigital.com/blog/insights/research/apt-cyber-alliances-2025.
Greitens, S.C. (2020). Dealing with demand for China’s global surveillance exports. Brookings Institution. https://www.brookings.edu/wp-content/uploads/2020/04/FP_20200428_china_surveillance_greitens_v3.pdf.
Kim, CW., & Polito, C. (2019). The Evolution of North Korean Cyber Threats. The Asan Institute for Policy Studies. https://www.jstor.org/stable/resrep20679.
Lee, D., & Seo, Y. (2019). Alternative futures for North Korea economy: From the North Korean perspectives. Futures, 114, 1–11. https://doi.org/10.1016/j.futures.2019.102455.
Lindsay, J. R. (2013). Stuxnet and the limits of cyber warfare. Security Studies, 22(3), 365–404. https://doi.org/10.1080/09636412.2013.816122.
Mallory, K. (2021). North Korea’s Sanctions Evasion Techniques. RAND Corporation. https://www.rand.org/pubs/research_reports/RRA1537-1.html.
Mandiant. (2022). Not so Lazarus: Mapping DPRK cyber threat groups to government organizations. Google Cloud Threat Intelligence. https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government?hl=en.
MOFA (Ministry of Foreign Affairs of Japan). (2025). The DPRK’s violation and evasion of UN sanctions: Annual monitoring report. https://www.mofa.go.jp/files/100922718.pdf.
MSMT (Multilateral Sanctions Monitoring Team). (2025). UN Multilateral Sanctions Monitoring Team annual report. United Nations. https://msmt.info/Publications/Reports.
NBC News. (2025). North Korea stole billions in crypto in 2025, new research says. https://www.nbcnews.com/tech/crypto/north-korea-stole-billions-crypto-2025-new-research-says-rcna249738.
Neuberger, A. (2024). Keynote address on emerging technologies and national security. The 20th IISS Manama Dialogue, Manama, Bahrain. https://www.iiss.org/globalassets/media-library---content--migration/files/manama-dialogue-delta/2024/transcripts/p4/fourthplenarysession_anneneuberger_asdelivered_jl.pdf.
NIS (National Intelligence Service, Korea). (2024). National Cybersecurity Basic Plan. https://www.ncsc.go.kr:4018/cop/bbs/selectBoardList.do?bbsId=Publish_main&nttId=0&menuNo=070000&subMenuNo=070200&thirdMenuNo=.
OECD. (2025). Building anticipatory capacity with strategic foresight in government (OECD Public Governance Reviews). OECD Publishing. https://doi.org/10.1787/d7eb0bb6-en.
ORF (Observer Research Foundation). (2025). 2024: A jackpot year for North Korea’s cyber criminals (Sharma, A.). ORF Expert Speak. https://www.orfonline.org/research/2024-a-jackpot-year-for-north-korea-s-cyber-criminals.
OSINT Insider. (2025). North Korea uses its relationships with Chinese and Russian universities to enhance cyber, A.I. capabilities [Special edition]. https://osintinsider.com/p/osint-insider-special-edition-1-north?utm_medium=web.
Rid, T. (2020). Active measures: The secret history of disinformation and political warfare. Farrar, Straus and Giroux.
Roshan, P. (2025). The Evolving Cyber Landscape: Capabilities and Cyber Diplomatic Efforts of Korean Peninsula. Journal of Regional Studies Review, 4(1), 1-14. https://doi.org/10.62843/jrsr/2025.4a046.
Sharma, A. (2024). North Korea’s cyber strategy: An initial analysis (ORF Issue Brief No. 755). Observer Research Foundation. https://www.orfonline.org/research/north-korea-s-cyber-strategy-an-initial-analysis.
Shin, A. (2025). Emerging applications and implications of artificial intelligence in North Korea. Asian Politics & Policy, 17(3), 70026. https://doi.org/10.1111/aspp.70026.
TRM Labs. (2025). North Korea and the industrialization of cryptocurrency theft. TRM Insights. https://www.trmlabs.com/resources/blog/north-korea-and-the-industrialization-of-cryptocurrency-theft.
UNODC (United Nations Office on Drugs and Crime). (2024, December 24). UN General Assembly adopts landmark convention on cybercrime [Press release]. https://www.unodc.org/unodc/en/press/releases/2024/December/un-general-assembly-adopts-landmark-convention-on-cybercrime.html.
UNSC (United Nations Security Council). (2017). Resolution 2397: Sanctions measures concerning the DPRK.
UNSC. (2023). Report of the Panel of Experts established pursuant to Resolution 1874 (2009) (S/2023/351).
U.S. Army. (2020). North Korean tactics (ATP 7-100.2). U.S. Army Training and Doctrine Command. https://www.ssri-j.com/MediaReport/DocumentUS/2020NorthKoreaTactics.pdf.
Valeriano, B., & Maness, R. C. (2015). Cyber war versus cyber realities: Cyber conflict in the international system. Oxford University Press.
Valeriano, B., Jensen, B., & Maness, R. C. (2018). Cyber strategy: The evolving character of power and coercion. Oxford University Press.
Yun, H. (2025). Reassessing North Korea’s Evolving Cyber Threat and South Korea’s Countermeasures. North Korean Review, 21(1), 70-91. https://www.jstor.org/stable/10.2307/27393827.