Cyber Fakeforce: North Korea’s silent digital war

The North Korean cyber threat remains invisible but persistent: fake profiles, hacking, extortion, and infiltration have been targeting the West for years.

The digital information war is no longer theoretical. According to several reports from cybersecurity companies, North Korea has been waging a discreet but active campaign of cyberattacks since the 1990s, targeting in particular the United States, South Korea and their allies. Identity theft, targeted hacking, job scams, and extortion are allegedly carried out by teams trained at Mirim College, a specialized North Korean military school. However, doubts remain: is this a genuine structured threat, or a pretext exploited by certain Western actors to justify strengthening their own defenses? The lack of tangible evidence fuels both hypotheses.

A network of hackers trained at Mirim College

Since the 1990s, Mirim College, located in Pyongyang, has been training more than a hundred cyber warfare specialists every year. The curriculum includes advanced programming, network engineering, cryptography, and digital camouflage. These graduates are supposed to join the North Korean army’s electronic warfare units, but many are believed to be assigned to internal technical tasks, such as maintaining the government intranet.

According to intelligence agency estimates, North Korea has several hundred cyber operators organized into compartmentalized units. These personnel are believed to be working on:

  • producing software for foreign entities via offshore platforms,
  • targeted hacking for economic or political purposes,
  • falsifying digital identities to infiltrate companies or systems.

However, there is little concrete evidence of these activities, which casts doubt on their actual effectiveness.

A real or fabricated threat?

One of the major paradoxes surrounding the North Korean cyber threat is its extreme secrecy. Unlike Russian or Iranian cyber operations, which are often documented by leaks or indirect claims, operations believed to be North Korean remain without any identifiable signature.

Several hypotheses may explain this lack of clarity:

  • North Korea’s internet connections transit through China, allowing North Korean operators to pose as Chinese hackers.
  • The technical capabilities of North Korean engineers, although solid, are considered insufficient to carry out large-scale operations without leaving traces.
  • North Korea’s military architecture, inherited from Soviet doctrine in the 1950s, is based on rigid execution and little individual initiative, which is not compatible with the agility required in modern cyber conflicts.

Finally, some analysts suggest that the North Korean threat may be exaggerated by Western intelligence agencies or cybersecurity companies to justify budgets or internal reforms. However, the few actual infiltrations that have been identified prove that the threat, while limited, is not fictitious.

Preferred techniques: impersonation, extortion, infiltration

The actions attributed to North Korean cyber units often involve sophisticated digital fraud with specific operational objectives:

  • identity theft to infiltrate HR databases or corporate information systems;
  • employment scams, using fake technical profiles to get involved in sensitive projects;
  • extortion via ransomware, demanding payments in cryptocurrency;
  • collection of confidential data, sometimes sold on to third parties.

Attacks are often carried out by proxy, relying on:

  • offshore freelancers or legal subcontractors based in other Asian countries,
  • intermediary platforms such as Upwork or GitHub,
  • stolen or artificially generated digital identities.

The lack of vigilance on the part of some companies, especially during the recruitment or onboarding phases, facilitates this type of intrusion. A typical example: a technology company hires a freelancer for a software project without physically verifying their identity. A single mistake is enough to allow a hostile agent to inject spyware into a critical system.

A culture of silence that reinforces impunity

The majority of incidents related to cyber infiltration remain undisclosed to the public for reasons of reputation or legal security. This silence benefits attackers:

  • vulnerabilities are not made public, so they are not corrected quickly,
  • victims do not alert other players in the sector, delaying coordinated responses,
  • governments are reluctant to communicate for fear of exposing systemic vulnerabilities.

Major cybersecurity firms insist on proven solutions:

  • enhanced multi-factor authentication,
  • biometric or video verification during recruitment processes,
  • behavioral analysis of user accounts,
  • segmentation of access to critical infrastructure.

But the adoption of these solutions remains highly uneven across sectors, and some technology SMEs maintain very permissive security policies.

A discreet but global battlefield

If proven, North Korea’s digital information war constitutes an asymmetric strategic lever. Faced with superior military and economic powers, Pyongyang could favor digital sabotage, which is less costly, more discreet, and politically deniable.

This approach could aim to:

  • disrupt Western economic structures,
  • finance North Korean operations through the theft of cryptocurrencies,
  • test the robustness of adversarial systems in anticipation of future military tensions.

South Korea, which is highly connected, remains the most logical target. However, the United States, Japan, Germany, and France are also mentioned in confidential reports as potential targets or countries that have already been infiltrated.

War Wings Daily is an independent magazine.