The gangs of Pyongyang: A rogue’s gallery of North Korean hacking groups

Your guide to Kim Jong-un's high-earning cybercrime squads, from the Lazarus Group to Andariel.

ChatGPT's depiction of North Korean leader Kim Jong-un and his shadowy cyber army

Of the ‘Big Four’ countries in global cybercrime, North Korea is the wildcard to watch out for. North Korean hacking groups may have less state backing than their peers from China or Russia, but they are notorious for their boldness and ingenuity.

The activities of North Korean hacking gangs run the gamut - from state-sponsored ransomware to crypto heists and employment fraud. Read on for an overview of the main hacking groups and the threats they pose to both private and public sectors. 

Lazarus Group

Lazarus Group has been active since 2009 and has been linked to major crypto heists, including a $1.5 billion theft from Bybit in February. Lazarus is also believed to be responsible for the Sony Pictures hack in 2014 and the theft of $101 million from the Bangladesh Central Bank in 2016. It is the most ambitious and formidable of all hacking groups in North Korea. 

Andariel

Andariel is a sub-group of Lazarus that conducts espionage against the South Korean government and defence sectors; the group stole 1.2 terabytes of South Korean defence data in 2022. Andariel also engages in financial crime, such as targeting ATMs and bitcoin theft. Its revenue is believed to fund North Korean weapons development.


Kimsuky

A noted collaborator of Lazarus and Andariel, Kimsuky’s social engineering tactics include impersonating journalists, fraudulent job posts on LinkedIn, and targeting government employees with fake online surveys. The bad news is that social engineering will only become easier with the development of AI. Thanks to groups like Kimsuky, we are fast approaching an online world where we cannot trust the evidence of our senses. It’s safe to assume that anything AI can generate (text, video, audio) will be leveraged for social engineering. 

TraderTraitor

A subgroup linked to Lazarus, this gang specialises in crypto theft and is noted for its use of fake job postings designed to target crypto employees and distribute malware. TraderTraitor does what it says on the tin.

Read more on the CISA website.

H0lyGh0st

H0lyGh0st is linked to Andariel via shared infrastructure and targets small and medium-sized businesses. H0lyGh0st’s proclaimed mission statement is to “close the gap between rich and poor” through Robin Hood-esque methods such as fraud, money laundering, extortion, and data theft.

Observant readers will have spotted the daisy chain of groups and subgroups all stemming from Lazarus. As the name suggests, Lazarus prides itself on staying alive and being difficult to get rid of. Law enforcement might break up one group, but it is almost impossible to stop the individual members from reassembling as another branch of Lazarus - like cutting the head off a hydra.

True to his Bond villain persona, Kim Jong Un sponsors these groups for global espionage - propping up the North Korean economy through their revenue. Cybercrime is no joke, but there is something uniquely menacing about the state-sponsored activities of Lazarus and its many offshoots.
