Hidden Enablers: Third Countries in North Korea’s Cyber Playbook
North Korea has strategically leveraged its connections with third countries such as China, Russia, and Southeast Asian nations to build a sophisticated global cyber operations infrastructure. In recent years, its illicit activities have increasingly focused on cryptocurrencies, which serve multiple purposes: generating revenue to sustain the regime, financing its nuclear and missile programs, evading international sanctions, and collecting intelligence. Notably, Southeast Asia has emerged as a critical region within North Korea’s cyber network, functioning both as a target and a base of operations.
How North Korea Leverages Third Countries for Cyber Operations
North Korea employs four main methods to leverage third countries for its cyber operations. First, it uses third-country networks and IT infrastructure. To compensate for its limited domestic internet infrastructure, North Korea routes attacks through networks in countries such as China and Russia—an approach that obscures operational origins and complicates international attribution.
China is considered the country most closely linked to North Korea’s cyber activities and is known to provide various forms of infrastructure support. Northeastern Chinese cities, such as Shenyang, have been identified as major hubs where North Korean hackers operate in close proximity to the North Korean border. IP addresses originating in China were used in significant attacks, including the 2014 Korea Hydro & Nuclear Power hack and the 2016 breach of South Korea’s cyber command. Additionally, Park Jin Hyok, a member of the Lazarus Group, was confirmed to have worked for Chosun Expo, a North Korean front company based in China. These examples indicate that China has served as both a physical base and a relay point for North Korean cyber operations.
Russia began supplying internet access to North Korea in 2017 by installing a fiber-optic cable across the Korea-Russia bridge. Russian IP address ranges have also been used in North Korea’s cyber campaigns. These IPs have supported overseas IT deployments, facilitated recruitment and communication for IT personnel, and enabled cryptocurrency theft and money laundering operations. Notably, BlockNovas—a fake company recently established by North Korea in the United States—was also found to be using a Russian IP address.
Since the outbreak of the Russia-Ukraine war, cooperation between the two countries has deepened, and North Korea’s reliance on Russian infrastructure has increased. By 2023, internet infrastructure in the area had expanded, and satellite imagery indicated increased cross-border activity.
In Southeast Asia, North Korea has distributed malware, backdoors, and unauthorized access tools into the digital infrastructure of countries like Cambodia, Thailand, and Indonesia to establish long-term footholds. These compromised systems allow for sustained control, concealment of operations, and staging points for future attacks. For example, the 2024 Shrouded Sleep malware campaign by North Korea’s APT37 primarily targeted Cambodia. However, other countries in the region—such as Vietnam, Laos, and Thailand—may likewise have been impacted.
Second, North Korea launders illicit cyber proceeds through partnerships with regional criminal networks. To launder the funds obtained through cyber operations, North Korea actively exploits Southeast Asia’s vulnerable financial environment and its links to local illicit actors. Casinos and cryptocurrency exchanges in countries such as Myanmar, Thailand, Laos, and Cambodia have functioned as key nodes for money laundering. According to UN Security Council expert panel reports, groups like Lazarus have operated across these countries, taking advantage of weak regulations and high-volume cash conversion channels in the local crypto and casino infrastructure.
Cambodia, in particular, has emerged as a laundering hub due to its loosely regulated financial and gambling sectors. In May 2025, the U.S. Financial Crimes Enforcement Network (FinCEN) designated the Cambodia-based Huione Group as a primary money laundering concern and imposed restrictions to sever its ties with the U.S. financial system. FinCEN reported that between 2021 and 2025, approximately $37.6 million in cryptocurrency linked to North Korea had been laundered through Huione, with indications of direct ties between Huione executives and North Korean actors.
Huione subsidiaries, including Huione Guarantee and Huione Crypto, have also played a central role in enabling cyber fraud and shielding illicit assets. The former provides infrastructure and technical tools for scams, while the latter issues stablecoins that cannot be frozen, allowing North Korea to bypass regulations and convert proceeds into ostensibly legitimate assets. This not only enables sustained revenue generation from cyber operations but also highlights a deeper partnership between North Korea and local criminal ecosystems—one that poses an increasingly serious threat to international security.
The third tactic involves dispatching North Korean IT workers abroad to generate revenue and support cyber operations. These individuals often assume false identities or disguise themselves as nationals of third countries, such as China, Russia, and various African and Southeast Asian nations, to gain employment with foreign companies. Using tools like virtual private networks and remote monitoring and management software, they conceal their true locations by posing as remote workers or local developers based in the United States or Europe. When working as freelancers, they create fake profiles and portfolios to deceive employers, winning contracts and receiving payment in cryptocurrency to avoid financial tracking. The UN estimates that these activities generate up to $600 million annually for the North Korean regime.
China and Russia are North Korea’s primary destinations for sending these IT workers. Some companies in China have helped North Korean IT workers obtain jobs and evade sanctions, while also providing them with equipment. In 2025, the U.S. Department of Justice indicted and arrested a Chinese individual who, acting as a U.S.-based facilitator, helped North Korea earn over $5 million. In Russia, two companies were sanctioned by the U.S. Department of the Treasury in 2024 for deliberately employing around 80 North Korean IT workers. North Korea has also sent IT workers to Cambodia, Laos, and the United Arab Emirates. Notably, Cambodian authorities even granted citizenship to a North Korean individual who had violated international sanctions.
The fourth involves directly targeting these countries for financial theft. An early example of financial theft is the 2016 cyberattack on the Bangladesh central bank’s SWIFT system, in which North Korea stole approximately $81 million, dealing a significant blow to the country’s economy. Another case is the 2022 attack on the Ronin Network, a sidechain used by the Vietnamese company Sky Mavis for its Axie Infinity game. This incident resulted in the theft of around $620 million worth of cryptocurrency and had wide-reaching impacts across Southeast Asia, affecting not only Vietnam but also countries such as the Philippines and Indonesia.
Gaps in International Cooperation and the Need for Response
A major problem in countering North Korea’s cyber operations that exploit third countries is the persistent lack of effective international cooperation. The United States has imposed sanctions on Chinese and Russian individuals and entities that have directly or indirectly supported North Korea’s cyber operations, as well as on the Cambodia-based financial platform Huione, which is linked to North Korea. However, these measures have shown limited results. North Korea’s overseas IT workers have not significantly decreased, and Huione’s transaction volume remains high despite sanctions.
While these efforts are a step in the right direction, they also highlight the limitations of a single-country approach. To address North Korea’s strategic use of third countries’ infrastructure, systems, and labor markets, there is a need for a multilateral cooperation framework and concrete mechanisms to reinforce accountability among third countries.
First, there must be broader international participation in cryptocurrency regulation and stronger enforcement of Know Your Customer (KYC) and Anti-Money Laundering (AML) standards, particularly in jurisdictions that are vulnerable or non-compliant. Cryptocurrencies are widely used for cyber fraud, money laundering, and sanctions evasion—not just by North Korea but also by terrorist and criminal groups. In 2019, the Financial Action Task Force (FATF) issued recommendations that imposed AML and Combating the Financing of Terrorism (CFT) obligations on virtual assets and virtual asset service providers. Although more countries have joined the FATF regime over time, implementation remains weak. As of 2024, the FATF reported that 75 percent of jurisdictions either partially comply or do not comply at all with its standards. Several Southeast Asian and African countries—including Laos, Vietnam, and Nigeria—remain on the FATF grey list, indicating significant deficiencies in their AML/CFT frameworks despite formal commitments.
When funds flow into non-compliant jurisdictions, the traceability of financial transactions is disrupted, undermining the global AML/CFT framework. Moreover, cryptocurrency transactions through informal platforms such as peer-to-peer markets and the dark web remain largely unregulated, creating significant blind spots in oversight. The growing use of fast-exchangeable digital assets like stablecoins further amplifies risks.
North Korea has exploited these regulatory gaps. It launders stolen assets in jurisdictions with weak KYC/AML systems or low sanctions enforcement and uses informal platforms to bypass international controls. To counter this, countries must fully implement FATF guidelines and cooperate on strengthening KYC/AML frameworks. There is a need for enhanced surveillance of informal platforms and comprehensive regulatory policies covering emerging digital assets, including stablecoins.
Second, in response to cyber threats posed by state actors such as North Korea, the international community must strengthen state responsibility. The cyber norms established through the 2021 OEWG process were based on consensus among UN member states and are recognized as politically binding international commitments, rather than merely voluntary guidelines. In particular, OEWG Norm 13 (c) stipulates that “states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.” When notified by an affected state, the notified state is expected to take feasible steps to address the situation and cooperate in good faith under international law.
Nevertheless, information sharing and cooperation between affected states and transit or enabling states remain limited following cyberattacks, and there are very few instances where violators of these norms have been held accountable. North Korea continues to exploit the networks and infrastructure of third countries to conduct cyber operations, and in some cases, these activities appear to be tacitly tolerated or even supported due to shared interests. Notably, such implicit cooperation is no longer limited to North Korea’s traditional allies but is expanding to a wider range of states. For instance, the Huione case and instances in which sanctioned North Korean individuals have been granted citizenship illustrate regulatory gaps and possible complicity by third countries.
In 2024, UN member states reached an agreement on the draft United Nations Convention against cybercrime. This convention defines various types of cybercrime and imposes binding obligations on states to collect and preserve electronic evidence. Parties to the convention are required to ensure that service providers under their jurisdiction preserve designated data and that domestic legal frameworks allow authorities to lawfully access digital evidence. Furthermore, states are obligated to respond—under appropriate conditions—to requests from other states for investigative cooperation, evidence preservation, and information exchange.
A key feature of this convention is that it imposes explicit, binding obligations on states. The convention will open for signature and accession in October 2025 and will enter into force upon ratification by at least 40 countries. However, its effective implementation will depend heavily on the political will and institutional capacity of individual states. In this context, China’s role is especially important, given its position as a key enabler of North Korea’s cyber operations.
While Beijing has expressed support for the UN Cybercrime Convention—advocating broader definitions of cybercrime, penalties, and state-led judicial cooperation—it is now essential that this support be implemented in practice. China has both the capacity and the responsibility to play a constructive role in curbing North Korea’s growing cybercriminal activities. Without China’s constructive engagement, international efforts to curb North Korea’s expanding cybercriminal activities will remain limited.
Third, it is necessary to expand cyber capacity-building programs targeting third countries—particularly those in Southeast Asia, where North Korea operates key hubs. The 2021–2025 Final Report of the Open-Ended Working Group (OEWG) emphasized capacity-building as a top priority, recognizing it as a foundational element for advancing progress in other policy areas and promoting responsible state behavior. For transit states in particular, it is critical to strengthen their capabilities to detect and disrupt the abuse of their infrastructure for cyber operations, and to share information effectively with victim states. These efforts will help lay the groundwork for a more coordinated and robust international response.
The Association of Southeast Asian Nations (ASEAN) is leading regional efforts through the ASEAN Cybersecurity Cooperation Strategy 2021–2025, with Singapore at the forefront of promoting regional collaboration and capacity-building in cybersecurity. ASEAN has committed to implementing the 11 norms agreed upon in the 2015 UN Group of Governmental Experts and pledged that its member states will adhere to them. In 2024, ASEAN also established the ASEAN–Community Emergency Response Team (CERT) to coordinate and facilitate information-sharing among national CERTs and disseminate best practices. Through the ASEAN–Singapore Cybersecurity Centre for Excellence, ASEAN supports legal, policy, and technical training and exercises. In response to cybercrime, ASEAN has created the ASEAN Cybercrime Operations Desk to develop intelligence, support investigations, and coordinate operations. Additionally, INTERPOL’s Innovation Centre in Singapore functions as a global hub for cybercrime response and digital forensics.
Japan has long been a key cybersecurity partner for ASEAN, launching the ASEAN–Japan Cybersecurity Working Group/Policy Meeting in 2009. It established the ASEAN–Japan Cybersecurity Capacity Building Centre in 2017 and has supported capacity-building in ASEAN countries like Thailand and Indonesia, focusing on addressing the region’s shortage of cybersecurity expertise. Australia has designated ASEAN as a core partner and has funded cybersecurity and capacity-building initiatives across Southeast Asia and the Pacific through its Cyber and Critical Tech Cooperation Program since 2016, with successive expansions of its budget.
Given this evolving ecosystem of regional cooperation, South Korea—as one of the primary targets of North Korean cyberattacks and a nation with advanced technical capabilities—should assume a more proactive leadership role. However, South Korea’s engagement in Southeast Asia has been relatively recent compared to Japan or Australia. Its cybersecurity-related Official Development Assistance targeting Southeast Asia remains limited relative to regional needs and the scale of cyber threats. In 2019, South Korea designated six ASEAN countries—including Cambodia and Laos—as priority partners for digital government and ICT cooperation. Nevertheless, general ICT-related Official Development Assistance (ODA) accounted for only about 1.7 percent of South Korea’s total ODA from 2015 to 2022. Cybersecurity projects are often treated as minor components of broader digital ODA, limiting their scale and impact. In 2023, South Korea launched a three-year ASEAN Cyber Shield program to enhance regional cooperation. While this marks a positive step, South Korea’s national cybersecurity strategy still lacks a clearly articulated vision of ASEAN as a key partner, indicating room for improvement in terms of strategic continuity and international leadership.
To overcome these limitations and pursue a more strategic regional partnership, the South Korean government should develop tailored cooperation strategies that reflect each country’s institutional gaps, capacity needs, and broader circumstances, while reinforcing bilateral cooperation channels for implementation. Countries such as Cambodia, Laos, and Myanmar—where links to North Korea are particularly strong—require special attention in this regard. In parallel, South Korea should deepen engagement with regional and multilateral platforms such as ASEAN to better align and amplify collective cybersecurity efforts. Closer collaboration with countries leading ASEAN cyber initiatives—such as Singapore and Japan—can further enhance this approach.
To effectively counter North Korea’s cyber operations, the international community must develop a cooperative framework grounded in shared responsibility. North Korea exploits third-country systems to evade attribution and launder funds, causing global damage. Addressing this challenge requires individual countries to strengthen their cyber defenses and take greater responsibility for their actions, while the international community supports the implementation of cyber norms and enhances capacity-building to limit North Korea’s ability to exploit third-country systems.
Sunha Bae is a visiting fellow in the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.