North Korean and Chinese Cybercrime Groups Fuel National Economies Through Sophisticated Attacks
State-linked cybercrime groups from North Korea and China are increasingly targeting financial firms and cryptocurrency assets in the Asia-Pacific region, with their illicit gains directly contributing to national GDP.

Cyber-threat groups linked to North Korea and China continue to aggressively target financial firms and cryptocurrency assets, particularly within the Asia-Pacific region. However, these operations are facing increasing resistance as national governments collaborate more closely with each other and private industry to track and seize cryptocurrency accounts associated with illegal activities.
CrowdStrike's recent 2026 Financial Services Threat Landscape Report highlighted that six of the nine major threat groups targeting financial services in the first quarter of 2026 have ties to China and North Korea. These groups were responsible for targeting at least 78 organizations across the Asia-Pacific and Oceania regions with data-leak-and-ransom operations. Cybercrime remains a significant revenue stream for some nations in the region, directly impacting their economic growth. For instance, in 2025, threat actors linked to North Korea reportedly stole at least $2.02 billion in cryptocurrency, a sum that represented a substantial 6% to 7% share of the nation's estimated $29 billion GDP.
Blockchain research firm Chainalysis is working with South Korea's National Police Agency to investigate illicit fund flows and cryptocurrency. They emphasize that the tactics these cybercrime groups employ are continuously evolving. "Our figures should be viewed as lower-bound estimates based on activity we've been able to attribute," stated Eric Jardine, head of research at Chainalysis. "North Korea's record-breaking 2025 performance, achieved with significantly fewer known attacks, suggests we may only be seeing the most visible portion of its activity."
North Korea is not alone in leveraging cybercrime for financial gain. Scam compounds operating in Cambodia, Burma (Myanmar), and Laos are estimated to generate tens of billions of dollars annually, contributing significantly to those nations' GDPs while inflicting billions of dollars in losses on victims. Social engineering remains the primary attack vector for these groups, with "pig butchering"—a combination of romance and investment scams—being the most prevalent approach. North Korean threat groups, however, often adapt social engineering tactics for business contexts, such as impersonating IT support personnel.
More recently, these groups have expanded their impersonation tactics to include recruiters for prominent web3 and AI firms. They conduct fake hiring processes designed to steal credentials, source code, and VPN or single sign-on access. Additionally, outreach from purported investors or acquirers is being used to identify pathways into high-value infrastructure. These evolving methods aim to replicate past successes, such as the $1.5 billion cryptocurrency theft from the ByBit exchange.
The support ecosystem for cybercriminals is also growing, particularly with the advancement of money laundering services that obscure the origins of funds derived from financial fraud and cybercrime. North Korean cybercriminals tend to move larger sums of money than other threat actors but rely on Chinese-language networks for fund transfers. While they often hold onto illicit gains for approximately 45 days before laundering, this is not a strict rule. They break down large transactions into smaller tranches and heavily utilize Chinese-language money movement networks, guarantee services, bridges, mixers, and decentralized finance (DeFi) protocols.
Regional governments and fintech firms are improving their capabilities in tracking illicit proceeds, leading to significant recoveries of funds associated with major thefts. In April, the U.S. Scam Center Strike Force took action against the Shunda cybercrime compound in Burma, charging two Chinese nationals and freezing accounts holding $700 million in cryptocurrency. Concurrently, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) restrained $700 million in cryptocurrency tied to these scam networks and sanctioned a Cambodian senator and 28 associates.
Overall, nations in the region are making progress in targeting groups like North Korean cyber-threat actors. "What we can say is that our ability to identify and disrupt their activities continues to improve," Jardine noted. "The most effective approach combines blockchain analytics, intelligence sharing, public-private collaboration, coordinated law enforcement action, and rapid response when stolen funds begin moving."