Asia

North Korea pairs tank-pageantry with cyber cashflow

Kim Jong Un appears with daughter at armoured drills, hacking and deepfakes fill sanctions-era hard-currency gap

Images

Deepfakes and an elite hacker school: How cybercrime is growing as a source of income for North Korea Deepfakes and an elite hacker school: How cybercrime is growing as a source of income for North Korea english.elpais.com
North Korean leader Kim and his daughter rides a tank together during army training North Korean leader Kim and his daughter rides a tank together during army training independent.co.uk

North Korea’s leader Kim Jong Un and his teenage daughter rode a tank together during military drills this week, according to photos distributed by the state-run Korean Central News Agency and reported by The Independent. The appearance came days after the pair attended rocket launches and a visit to a munitions factory, as Pyongyang framed the exercises as part of “war preparations” while the US and South Korea conducted their annual joint drills.

At the same time, North Korea’s most reliable export is not hardware but intrusion. El País reports that cybercrime has become a central source of foreign currency for the sanctions-hit state, with incidents linked to North Korean actors rising 130% in 2025 in CrowdStrike’s tracking. The report points to the $1.46bn theft of cryptocurrency from Bybit—described as the largest crypto heist on record—as a marker of scale, and argues that Pyongyang’s hacking ecosystem has become more specialised, with different units handling different phases of operations.

The two tracks reinforce each other. Military programmes require cashflow—hard currency for components, procurement networks, and the basic patronage that keeps a security state loyal. Sanctions restrict conventional exports, so the regime leans on activities where marginal costs are low and enforcement is slow: remote-worker infiltration, credential theft, and laundering through crypto rails. El País describes North Korean operators posing as foreign IT workers to obtain salaries and access, using “laptop farms” located in the United States to present domestic IP addresses and evade basic geofencing. Cloudflare’s threat reporting, cited by El País, says generative AI is now being used to improve these infiltrations, including deepfakes to pass video interviews.

The appeal is structural. Attribution is uncertain, victims are dispersed across jurisdictions, and the losses are often borne by private firms and retail holders rather than by states that can retaliate directly. Even when an operation is detected, the clean-up costs fall on the target: incident response, legal exposure, and reputational damage. For Pyongyang, a successful operation brings cash and, in some cases, access to technology and networks that are otherwise off-limits.

The domestic theatre—the tank ride, the choreographed closeness with Kim Ju Ae—serves a different audience. It signals continuity to elites and portrays readiness to a population with few independent information channels. But it also functions as a marketing layer for the regime’s priorities: the armed forces remain the centre of gravity, and the state’s legitimacy is tied to visible military capability.

A sanctions economy that cannot sell much still needs to pay its bills. This week, North Korea showcased a tank on a training ground, while investigators abroad kept tracing money that moved faster than any armoured column.