United States highlights North Korea’s ongoing UN sanctions evasion through cyber activities

Marco Rubio, Secretary of State | Official Website


The United States, alongside other members of the Multilateral Sanctions Monitoring Team (MSMT), has brought attention to a recent report detailing the Democratic People’s Republic of Korea’s (DPRK) ongoing violations and evasions of United Nations sanctions through cyber operations and activities by IT workers. The report, initially released in October, was discussed at the United Nations.

According to the MSMT, North Korea regularly breaches UN Security Council resolutions through these activities. "These activities generate revenue for the DPRK’s unlawful weapons of mass destruction (WMD) and ballistic missile programs," the report states.

The MSMT document compiles 140 pages of information that had not been publicly available before, drawing from contributions by 11 UN member states and nine private sector companies. The full report is accessible on the MSMT website.

Since its release three months ago, North Korean cyber actors have reportedly stolen an additional $400 million in cryptocurrency. This brings their total theft for 2025 to more than $2 billion.

Among its findings, the MSMT notes that North Korean cyber units have targeted defense firms across North America, Europe, and Asia as well as critical infrastructure worldwide in efforts to steal sensitive data for WMD and missile development. The sophistication of these operations is described as nearing that of China and Russia, posing a significant threat internationally.

The report identifies over 40 countries and territories affected by or involved with DPRK's malicious cyber activity and IT worker schemes. From January 2024 to September 2025, North Korean operatives are said to have stolen at least $2.8 billion from cryptocurrency companies and users globally—including within the United States—through more than 40 named heists.

Networks based in China, Russia, Cambodia, Vietnam, and the UAE are implicated in helping launder funds or procure goods for Pyongyang. The report further notes that North Korean IT workers are present in at least eight countries: China, Russia, Laos, Cambodia, Equatorial Guinea, Guinea, Nigeria, and Tanzania. Most are based in China—with estimates ranging from 1,000 to 1,500 individuals—and plans exist to send up to 40,000 laborers (including IT specialists) to Russia.

North Korean IT workers are increasingly participating in illicit cyber activities such as cryptocurrency theft and data extortion. Chinese infrastructure and financial institutions remain central to these operations; at least 19 Chinese banks have been used for laundering proceeds. Over-the-counter traders in China also play a key role in converting stolen digital assets into traditional currency.
