Deterrence Under Pressure: Sustaining U.S.–ROK Cyber Cooperation Against North Korea

North Korea’s Cyber Evolution and Strategic Threat

North Korea’s cyberattacks have targeted a wide range of sectors globally, including medical institutions, defense contractors, and cryptocurrency platforms. Notably, the majority of these attacks have been directed at the United States and South Korea, both in volume and impact, with an increasing degree of scale, sophistication, and strategic consequence. According to South Korea’s National Intelligence Service (NIS), 80 percent of cyberattack attempts against South Korea’s public sector by state-sponsored or international hacking groups are attributed to North Korea, amounting to approximately 1.3 million attempts per day.

While North Korea’s early cyberattacks were primarily politically motivated, targeting military intelligence and engaging in psychological operations, the scope shifted notably toward financial gain after the 2016 UN sanctions, with economic objectives surpassing political ones. This transition became even more pronounced after 2018, as North Korea’s cyber operations increasingly focused on cryptocurrency-related activities, including large-scale hacks of cryptocurrency exchanges. These financially motivated campaigns have evolved into a key national revenue model, supporting the regime’s economic resilience under international sanctions. In February 2025, the North Korean Lazarus Group was reported to have breached Bybit, the world’s second-largest cryptocurrency exchange, stealing approximately $1.5 billion worth of digital assets—marking the largest single cryptocurrency theft to date. In 2024 alone, North Korea is estimated to have stolen $1.34 billion in cryptocurrency, making it a record year for financially motivated operations. Moreover, North Korea’s foreign currency–earning operations have expanded through disguised information technology (IT) workers and have extended beyond South Korea and the United States to countries such as India, the United Kingdom, Germany, and parts of South America. According to the UN Panel of Experts under the Security Council Sanctions Committee, North Korea is estimated to have acquired approximately $3 billion through cyber theft between 2017 and 2023.

The critical concern is that most of these illicitly obtained funds are believed to be funneled into North Korea’s weapons development programs, including nuclear and submarine capabilities. To support these programs, North Korea has also engaged in cyber-espionage activities targeting defense, aerospace, and other advanced industrial technologies. Anne Neuberger, who served as the U.S. deputy national security advisor for cyber and emerging technology, noted that more than half of North Korea’s nuclear weapons funding came from illicit cyber operations.

Against this backdrop, the Comprehensive Strategic Partnership Treaty signed between North Korea and Russia in November 2024 is expected to significantly influence North Korea’s cyber threat posture. The treaty includes provisions for mutual defense in cyberspace, cooperation in science and technology (including artificial intelligence), and joint efforts to shape international cybersecurity norms. The combination of Pyongyang’s cybercrime expertise and Moscow’s destructive cyber capabilities is likely to produce a more formidable and hostile cyber alliance, escalating the scale and complexity of North Korea’s cyber operations. Recent intelligence suggests that North Korean hackers have begun leveraging generative AI tools to identify targets and enhance their hacking techniques. Additionally, North Korea’s Reconnaissance General Bureau–linked group “Jumpy Pisces” is reportedly collaborating with the Play ransomware group, which is suspected of having Russian ties.

North Korea, which previously relied on custom-built ransomware like Maui and WannaCry, has recently expanded its tactics to include ransomware-as-a-service (RaaS) and initial access brokering, supporting the distribution activities of other ransomware groups. Microsoft recently reported that North Korean hackers used Qilin ransomware, developed by a RaaS operator, in recent cyberattacks. These practices not only amplify global ransomware threats but also obscure state involvement, complicating attribution and hindering accountability.

Challenges in Sustaining Allied Cyber Cooperation

In response, South Korea and the United States, as primary targets of North Korean cyber aggression, have intensified their cyber defense cooperation and adopted various measures to suppress North Korea’s illicit revenue generation. Bilateral efforts have included regular working-level meetings focused on ransomware, money laundering, and the disruption of North Korean IT operatives. These efforts have led to the identification and takedown of fraudulent accounts, the imposition of joint sanctions, and the partial recovery of stolen assets. Additionally, alongside Japan, the United States and South Korea established a cyber cooperation working group to monitor and counter North Korean cyber activity. The trilateral alliance has also institutionalized joint military-cyber drills, such as “Freedom Edge,” and released joint statements in 2023 and 2024 exposing major North Korean cryptocurrency hacks to raise regional awareness.

Despite ongoing efforts to strengthen cooperation through information sharing, joint sanctions, and technical collaboration, the U.S.–Republic of Korea (ROK) framework for responding to North Korea’s cyber threats remains largely dependent on the trust between national leaders and is grounded in diplomatic agreements. As a result, it suffers from structural instability and a lack of institutionalization. In particular, political transitions within either country can significantly impact the continuity and effectiveness of bilateral cooperation.

For instance, under the Trump administration, the U.S. approach toward Russia shifted dramatically, including the suspension of offensive cyber operations targeting Russian actors and the omission of Russia as a primary cyber threat actor in UN cybersecurity forums. Given that Russian networks have already been exploited as laundering channels for North Korean cybercriminals, a reduction in U.S. pressure on Russia could serve as both a direct and indirect enabler of North Korea’s illicit cyber activities. There is growing concern that Moscow and Pyongyang may deepen their collaboration by sharing advanced tools, infrastructure, or expertise; potentially co-developing malware, ransomware, or hacking utilities; and even integrating North Korean hackers into Russian-led cyber operations. Such developments would further enhance North Korea’s cyber capabilities.

Additionally, recent shifts in U.S. regulatory policy have raised alarms. The U.S. government has dismissed certain money laundering cases involving cryptocurrency platforms and, in 2022, lifted sanctions on Tornado Cash, a cryptocurrency mixer previously linked to North Korean laundering activity. These actions are part of a broader trend toward deregulation aimed at expanding the digital asset market. However, this loosening of digital finance oversight could weaken safeguards against financial crime. North Korea may exploit regulatory gaps by concealing identities, opening accounts, or moving funds covertly to evade tracking. More critically, it is believed that North Korea still holds a substantial amount of stolen cryptocurrency from previous operations that remains unlaundered, and may be waiting for favorable conditions—such as weakened global regulatory enforcement—to move these assets, posing a significant future threat.

On the Korean side, the Yoon Suk-yeol administration has taken a hardline stance against North Korea and China while actively strengthening cooperation with the United States and Japan. However, President Yoon’s impeachment raises the possibility of a change in government, casting doubt on the continuity of South Korea’s foreign policy. Should a new administration led by the opposition come to power, its approach toward North Korea and China may diverge from current policies—potentially adopting a more engagement-oriented posture toward both countries, and recalibrating its diplomatic stance toward Japan.

Building a Structured and Resilient Cyber Cooperation Framework

To effectively address North Korea’s cyber threats and strengthen bilateral cooperation, it is necessary to institutionalize joint mechanisms to ensure long-term sustainability. In this context, the regularization of cyber dialogue platforms is essential. Currently, the U.S.–ROK high-level cyber consultation body—the Senior Steering Group (SSG)—remains an ad hoc structure without formal institutionalization, and working-level channels also lack regularization. As a result, the United States–Republic of Korea Working Group to Counter Cyber Threats Posed by the Democratic People’s Republic of Korea, which was actively launched following the bilateral summit in August 2022, has not convened since its seventh meeting in September 2024.

Regularizing cyber consultations goes beyond symbolic meetings; it represents a critical step toward the structural consolidation of cyber cooperation. Through such institutionalized platforms, the two countries can share actionable intelligence, align threat perceptions and response strategies, monitor implementation progress, and enhance accountability and policy continuity. Ultimately, this would serve to strengthen mutual trust.

To address differences in the perception of North Korea’s cyber threat—differences often shaped by each country’s geopolitical context and diplomatic posture—and to strengthen a unified response posture, it is necessary to develop joint response guidelines for key issues. North Korea’s cryptocurrency exchange hacks, ransomware attacks, and disguised IT labor operations pose direct security and economic threats to both the United States and South Korea. In the case of such high-risk and high-frequency threats, a unified and coordinated response is more effective than fragmented national approaches. Therefore, beyond simple information sharing, the establishment of actionable joint response guidelines applicable during cyber incidents would serve as a practical and strategic step toward deeper cooperation.

Additionally, the United States and South Korea should actively identify and develop joint response measures that can impose real pressure on North Korea. Given North Korea’s limited integration with the global financial system and its extensive sanction evasion tactics, the options for direct, impactful responses remain constrained. Nevertheless, the two allies must pursue a combination of strategically selected measures and multilateral pressure tools to maximize deterrent effects within these limitations. Joint indictments, public attribution of cyber actors, and the creation of shared sanctions lists targeting North Korean hacking entities should be accompanied by efforts to mobilize broader international cooperation. Coordinated sanctions with global cryptocurrency exchanges, the disruption of laundering pathways, and continued efforts to track and freeze stolen crypto assets represent some of the most direct and effective tools to weaken North Korea’s cyber operations by denying their financial benefits.

North Korea’s cyber threat is not merely a criminal issue but a strategic military concern, as it is directly linked to its nuclear weapons development. Effectively responding to such a threat requires robust international cooperation. This cooperation must be institutionalized to remain resilient in the face of political transitions, and it must be supported by concrete, actionable guidelines and operational readiness in order to produce tangible results.

Sunha Bae is a visiting fellow in the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.
