

DTEX Exposes North Korea’s Cybercrime Syndicate, Urges Rethink of Threat
New report unveils “mafia-style” cyber operation, adaptive DPRK hierarchy, and the survival-driven incentives powering its growth

SAN JOSE, Calif., May 14, 2025 (GLOBE NEWSWIRE) -- DTEX Systems, the trusted leader of insider risk management, has released a groundbreaking report exposing North Korea’s (DPRK) global cybercrime network – revealing a mafia-like operation fuelled by survival, not ideology. The report details a comprehensive blueprint of DPRK’s cyber hierarchy, a covert talent pipeline, and direct ties to the regime’s Weapons of Mass Destruction (WMD) program.
For the first time, researchers link DPRK cyber operatives to sanctioned WMD efforts and warn of an escalating AI-enabled threat from Research Center 227, a cyber-physical warfare hub. The findings underscore the urgency of developing a new security paradigm for mitigating this type of threat.
Going beyond traditional threat models, the report homes in on the underreported human drivers behind DPRK’s operations: in a state defined by scarcity, cybercrime offers operatives access to food, shelter, and healthcare. This survival-based incentive structure underpins the regime’s cyber expansion and complicates attribution efforts.
“While traditional attribution models like numbered Advanced Persistent Threats (APTs) have served the community well, DPRK’s operations present a more complex picture – one that blends cybercrime, espionage, and geopolitical influence,” said Michael Barnhart, DTEX Principal i3 Insider Risk Investigator and lead author of the report.
“This is less a typical state actor and more akin to a globally dispersed, mafia-style network, where motivations are driven not just by political power, but by a survival mentality rooted in deep economic hardship and familial obligations. Our goal is to expose the human and organizational factors critical to anticipating their next move.”
World-leading cybersecurity expert Kevin Mandia, founder of Mandiant and now on DTEX’s Advisory Board, said the DPRK threat is bigger than many people realise.
“Every business leader and security professional needs to recognize the risks of accommodating remote workers. To empower companies to trust their remote resources is paramount – especially with North Korea leveraging the opportunity to fund its weapons program,” Mandia said.
“The threat of unintentionally hiring North Korean IT workers is larger than most people realize. It’s covert, it’s global, and it’s active right now – which is why industry and government need to work together to come up with solutions to counter the threat.”
National security expert and former Principal Deputy Director of National Intelligence, the Honorable Sue Gordon (also a member of DTEX’s Advisory Board) said the DPRK operates unlike any other nation state.
“DPRK’s cyber operations challenge the traditional nation-state playbook – merging cryptocurrency theft, espionage, and nuclear ambition within a self-funded system driven by profit, loyalty, and survival,” Gordon said.
“Recognizing it as a family-run mafia syndicate unblurs the lines between cybercrime and statecraft. This report pulls back the curtain on their inner workings and psychology, revealing how deeply embedded they already are within our workforce – providing the context needed to anticipate their next move.”
Key findings from the report include:
- DPRK Organizational Blueprint: For the first time, an unclassified organizational chart maps the structure, roles, and communication chains within the DPRK’s cyber ecosystem, providing a roadmap for more accurate attribution and proactive defense strategies.
- Human Motivations Behind DPRK Cyber Operations: The report reveals that DPRK operatives are motivated not by ideology but by survival. In a country with limited resources, participation in cybercrime offers rare access to basic needs, fuelling persistence and loyalty among its workforce.
- Decades-Long Cyber Talent Pipeline: The report traces North Korea’s investment in a scalable cyber education system that nurtures talent from childhood through college, continuously feeding technically trained operatives into Research Center 227 as well as other threat groups and offensive military units.
- Early Warning Indicators for Embedded Threats: By connecting the full lifecycle of DPRK’s cyber workforce – from recruitment to deployment – this report offers behavioral and technical markers that can help organizations identify and remove DPRK operatives before significant damage occurs.
- Evidence of Unit 227’s Coordinated Global Infiltration: The report reveals how DPRK’s elite Research Center 227 is infiltrating critical infrastructure worldwide, moving beyond espionage into sustained, embedded access within commercial and government systems.
- Identification of Active DPRK Operatives: Two active DPRK IT operatives are identified, with detailed profiles, digital aliases, and a breakdown of their tradecraft, including image manipulation and credential fraud used to gain access to sensitive systems.
- Direct Links to WMD Programs: The report identifies a North Korean academic institution funnelling resources and personnel to a sanctioned weapons program, with verified evidence that IT workers are being deployed to directly support WMD production.
DTEX CEO Marshall Heilman emphasized that the speed and sophistication of DPRK-linked infiltration – amplified by AI – requires a unified defense response.
“This report reflects the ongoing collaboration across the intelligence community, supported by DTEX, to better understand an evolving and increasingly complex threat landscape,” Heilman said.
“North Korea is blending AI, cybercrime, and kinetic capabilities into a hybrid threat model that challenges conventional defense boundaries. This isn’t a forecast – it’s a call to action. Our goal is not to alarm, but to provide the foresight needed to address the growing sophistication of this global threat.”
The report represents the culmination of research from a network of intelligence professionals and cybersecurity experts, with supporting investigative findings from DTEX. It provides a structured framework for security practitioners, policymakers, and risk leaders to anticipate DPRK’s next move and proactively defend against these increasingly complex and multifaceted threats.
- Read the report, Exposing DPRK’s Cyber Syndicate and Hidden IT Workforce, here.
- For the latest DPRK-linked behavioral indicators and email IOCs, read and bookmark our Threat Advisory to stay up to date on this evolving threat.
- To request a threat briefing with DTEX on the DPRK threat, click here.
- Join DTEX Principal i3 Insider Risk Investigator Michael Barnhart and CFTI host Christopher Burgess on May 28 for a webcast on the key insights of this groundbreaking report.
- Read Michael Barnhart’s blog about the report here.
About DTEX Systems
As the trusted leader of insider risk management, DTEX transforms enterprise security by displacing reactive tools with a proactive solution that stops insider risks from becoming data breaches. DTEX InTERCEPT™ consolidates Data Loss Prevention, User Activity Monitoring, and User Behavior Analytics in one lightweight platform to enable organizations to achieve a trusted and protected workforce. Backed by behavioral science, powered by AI, and used by governments and organizations around the world, DTEX is the trusted authority for protecting data and people at scale with privacy by design.
To learn more about DTEX, please visit dtexsystems.com.
Connect with DTEX: LinkedIn | Twitter | YouTube
Media Contact
Mariah Gauthier
dtex@highwirepr.com

NOTE: This content is not written by or endorsed by "WJZY", its advertisers, or Nexstar Media Inc.