Expert Speak Raisina Debates
Published on Apr 13, 2026

From crypto heists to battlefield deployments, North Korea has forged a grey-zone doctrine that funds its weapons programme and evades sanctions without triggering open war

The Shadow War: North Korea’s Grey-Zone Strategy in the Digital Age

North Korea has engineered one of the most sophisticated grey-zone strategies of the 21st century. It is a deliberate, multi-domain campaign of coercion, theft, and covert influence that operates in the space between war and peace. From record-breaking cryptocurrency heists and AI-augmented social engineering to spy satellite launches, battlefield deployments in Eastern Europe, and the quiet infiltration of Western tech firms by fake IT workers, Pyongyang has systematically weaponised ambiguity. This article maps the architecture of the grey-zone playbook of the Democratic People’s Republic of Korea (DPRK), assesses what it finances, and argues that the international response remains structurally inadequate.

The Grey Zone as Strategy: The DPRK’s Tactics

Grey zone warfare refers to coercive actions that deliberately stay below the threshold of conventional armed conflict, a space where attribution is difficult, legal frameworks are ambiguous, and the cost-benefit calculus favours the aggressor. For a state as economically crippled and diplomatically isolated as the DPRK, operating in the grey zone is a structural necessity.

Pyongyang has almost no conventional economic leverage. It has, however, built a formidable asymmetric arsenal across five domains: cyber and cryptocurrency theft, human infiltration (IT workers and espionage), space-based reconnaissance, proxy military deployments, and disinformation. Each domain reinforces the others, and together they expand its operational reach and finance its weapons of mass destruction (WMD) programme without crossing the tripwire of kinetic war.

The Lowy Institute Asia Power Index 2024 ranked DPRK seventh in cyber capabilities, ahead of Japan, Taiwan, and India, despite its near-zero domestic internet penetration. That paradox is the key to understanding Pyongyang’s grey-zone logic: minimal exposure, maximum offence.

Crypto Heists as Sanctions Evasion

No element of the DPRK’s grey-zone strategy has been more consequential than its systematic looting of the global cryptocurrency ecosystem. Between 2017 and 2023, UN sanctions monitors documented 58 cyberattacks on crypto platforms, resulting in approximately US$3 billion in losses. The pace has since accelerated dramatically. In 2025 alone, DPRK-linked groups stole US$2.02 billion in cryptocurrency, a 51 percent year-on-year increase that pushed their verified all-time total to US$6.75 billion. The single largest heist in crypto history occurred on 21 February 2025, when attackers compromised the Dubai-based exchange Bybit for roughly US$1.5 billion. North Korea’s Lazarus Group was responsible for 76 percent of major attacks in 2025.

The laundering network is equally sophisticated. Stolen assets are cycled through decentralised finance (DeFi) protocols, exchanges with no know-your-customer (KYC) checks, cross-chain bridges, and Chinese-language payment processors. The Cambodia-based Huione Group emerged as a critical node, reportedly processing at least US$4 billion in DPRK cyber proceeds between 2021 and early 2025, before the US Treasury barred American financial institutions from transacting with it.

France's UN delegation has publicly stated that illicit cyber activity accounts for up to 50 percent of the DPRK's WMD financing. Pyongyang has, in effect, built a shadow national treasury: a crypto reserve that bypasses every SWIFT channel, sanctions regime, and correspondent banking restriction.

Embedded Operatives in Western Tech

The DPRK’s hacking groups, such as Lazarus, Andariel (APT45), and Kimsuky (APT43), have added a human layer to their attack surface. DPRK operators no longer rely solely on exploiting software vulnerabilities; they run elaborate social engineering campaigns that the FBI has described as “difficult to detect, even by those well versed in cybersecurity”. Operatives conduct deep pre-operational reconnaissance on LinkedIn and other professional networking platforms, crafting fictional personas as recruiters, venture capital investors, and AI company representatives to approach engineers and executives at crypto and DeFi firms.

Typically, targets are led through a convincing fake hiring process that culminates in a “technical interview” requiring them to run code or open documents; that step delivers malware (notably TraderTraitor and AppleJeus) that siphons credentials, source code, and VPN access to employers’ systems. In another variant, senior executives are approached by fake investors who use staged pitch meetings to map internal networks.

The emerging AI integration is particularly alarming. The DPRK's Research Centre 227, a dedicated AI cyber warfare unit, has reportedly been established to develop AI-assisted hacking and information theft capabilities. Operatives are already using tools such as ChatGPT, FaceSwap, and generative coding assistants to create synthetic identities, refine phishing lures, and automate offensive operations at scale. Microsoft and OpenAI have both confirmed that the DPRK-linked group Emerald Sleet has used large language models in support of its cyberattacks.

Perhaps the most structurally novel element of the DPRK’s grey-zone strategy is the deployment of thousands of DPRK nationals as remote IT workers embedded inside Western technology and crypto firms, where they generate income, steal intellectual property, and serve as persistent insider threats.

Using fabricated identities, AI-generated facial deepfakes, and laptop farms operated by foreign facilitators, DPRK workers have successfully obtained remote employment at firms in the United States, Europe, and beyond. The US Department of Justice indicted two DPRK nationals and three facilitators in January 2025 for running a multi-year fraudulent IT worker scheme that generated direct revenue for Pyongyang. 

South Korea's National Intelligence Service (NIS) has reported that 80 percent of state-sponsored cyberattack attempts against South Korea’s public sector originate from DPRK-linked actors. Read against that backdrop, the IT worker programme serves intelligence collection, not just financial ends: an embedded worker holds legitimate credentials and network access that an external attacker would otherwise have to steal.

Space as an Extension of the Grey Zone

The DPRK’s space programme is inseparable from its grey-zone strategy. Every satellite launch doubles as a test of ballistic missile technology. UN Security Council resolutions prohibit any DPRK launch using ballistic missile technology, satellite launches included, precisely because such launches serve as cover for ICBM development.

After two failed attempts, the DPRK successfully placed its first military reconnaissance satellite, Malligyong-1, into a sun-synchronous orbit at an altitude of around 500 km in November 2023. The satellite is estimated to have a maximum imaging resolution of around one metre, coarser than what militarily actionable intelligence requires, but it remains a significant symbolic and developmental milestone. Pyongyang claimed it had already transmitted imagery of the White House and the Pentagon, though no images were released, and foreign analysts remain sceptical of its operational capability.

Kim Jong Un pledged three additional reconnaissance satellite launches in 2024. The next attempt, in May 2024, ended when the rocket exploded in flight shortly after lift-off. The space race on the peninsula is now bilateral and openly competitive: South Korea, launching under a contract with SpaceX, had placed five military reconnaissance satellites in orbit by 2025.

The Russia angle is crucial here, as the DPRK is reportedly close to obtaining advanced Russian space technology, particularly guidance systems that could improve ICBM accuracy and satellite launch reliability. This technology transfer, transacted in exchange for troops and munitions, represents one of the most dangerous proliferation dynamics currently unfolding.

The Russia-DPRK Strategic Exchange

The deployment of DPRK combat troops to Russia's war in Ukraine constitutes the most dramatic grey-zone escalation in a generation. In autumn 2024, Pyongyang dispatched approximately 11,000 to 12,000 soldiers, including elite Storm Corps special forces, to Russia's Kursk region, their first foreign combat deployment since the Korean War. By mid-2025, Ukrainian intelligence assessed that total deployments could reach 30,000 troops.

The strategic transaction is transparent: in exchange for troops and munitions, including at least 100 ballistic missiles and an estimated nine million artillery shells transferred to Russia in 2024 alone, Pyongyang receives battlefield combat experience, food and energy aid, and advanced military technology, including potential submarine development assistance and satellite guidance systems.

This exchange is rewriting the security calculus on the Korean Peninsula. DPRK soldiers have gained combat experience unprecedented since the Korean War. Russia has granted North Korea technological concessions that Pyongyang could not obtain through any other channel. Meanwhile, Russia’s veto in March 2024 ended the mandate of the UN Panel of Experts that had monitored sanctions on the DPRK; the panel ceased operating at the end of April 2024, removing the UN’s primary mechanism for sanctions monitoring.

Limits of the Current International Response

The international response has been substantive but structurally inadequate. A US-Japan-South Korea trilateral secretariat was institutionalised in November 2024. An 11-nation Multilateral Sanctions Monitoring Team (MSMT) was launched in October 2024 to partially fill the void left by the dissolved UN Panel. South Korea has adopted an “offensive cyber defence” posture aligned with the US Defend Forward doctrine. Joint cyber exercises have expanded. The Office of Foreign Assets Control (OFAC) has sanctioned multiple DPRK-linked cyber actors and facilitator networks.

However, China and Russia remain outside these monitoring frameworks. The global cryptocurrency regulatory landscape remains fragmented, with significant KYC blind spots that DPRK money launderers continue to exploit. Western AI platforms currently lack effective safeguards against state-directed cyber operations. The DPRK, meanwhile, is estimated to hold around US$1 billion in unlaundered cryptocurrency reserves, a war chest that grows each year. The United States and its allies remain "calibrated to an earlier era" of DPRK threat assessment.

Confronting the Grey Zone: A Policy Agenda

The international community must treat the DPRK’s crypto theft architecture as a WMD financing mechanism, not merely as cybercrime. Interdiction of DPRK crypto flows deserves the same diplomatic urgency and inter-agency resources as conventional non-proliferation enforcement. The Treasury action against Huione was a step in that direction and must be replicated systematically.

Western governments must develop AI-specific attribution and enforcement capacities for state-sponsored cyber operations. Research Centre 227's exploitation of open commercial AI tools is a direct consequence of the absence of any export- or use-control regime governing AI applications in offensive cyber operations.

The Russia-DPRK military axis demands a coordinated deterrence posture that links sanctions enforcement on the Korean Peninsula to the costs of Russian-DPRK technology transfers. Allowing Moscow to provide Pyongyang with space and missile-guidance technology as a silent quid pro quo for Ukrainian battlefield losses would represent a proliferation failure of the first order.

Conclusion

The DPRK has engineered its grey-zone strategy with deliberate precision. Its cyber–crypto nexus, its ghost workforce embedded inside Western tech firms, its nascent satellite capability, and its battlefield alignment with Russia are not separate phenomena. They are interlocking components of a single, sanctions-defying strategic architecture designed to sustain a nuclear-armed, internationally isolated regime indefinitely. Pyongyang is no longer merely hiding; it is operating at scale and with increasing impunity.


Soumya Awasthi is a Fellow with the Centre for Security, Strategy and Technology at the Observer Research Foundation.

Sweekriti Pathak is a Research Intern at the Observer Research Foundation.

The views expressed above belong to the author(s).
