Chinese, N. Korean Threat Groups Build on Asia-Pacific Success
Dark Reading
North Korea's gross domestic product (GDP) has grown, in part because of the cybercrime gains of groups linked to the nation, which target business and financial firms.
Robert Lemos, Contributing Writer
June 10, 2026
Cyber-threat groups linked to North Korea and China continue to target financial firms and cryptocurrency assets in the Asia-Pacific region, but face increasing headwinds as national governments collaborate more closely with each other and private industry to seize cryptocurrency accounts linked to illegal activity.
In its recent 2026 Financial Services Threat Landscape Report, CrowdStrike noted that six of the nine major threat groups targeting financial services in Q1 2026 are linked to China and North Korea, while at least 78 organizations in the Asia-Pacific and Oceania regions were targeted by cybercriminal groups' data-leak-and-ransom operations. Cybercrime remains a massive problem in the Asia-Pacific region, because financial fraud and digital theft have become tremendous revenue streams for some nations. In 2025, for example, threat actors linked to the Democratic People's Republic of Korea (DPRK) stole at least $2.02 billion in cryptocurrency, accounting for a 6% to 7% share of the nation's $29 billion estimated GDP.
Blockchain research firm Chainalysis, which announced a collaboration with South Korea's National Police Agency this week to aid investigations into the illicit flow of funds and cryptocurrency, stressed that the cybercrime groups' tactics continue to evolve.
"Our figures should be viewed as lower-bound estimates based on activity we've been able to attribute," says Eric Jardine, head of research at Chainalysis. "North Korea's record-breaking 2025 performance, achieved with significantly fewer known attacks, suggests we may only be seeing the most visible portion of its activity."
North Korea is not alone in profiting from cybercrime, of course. Cybercrime scam compounds in Cambodia, Burma (Myanmar), and Laos have garnered tens of billions of dollars annually, accounting for a significant share of those nations' GDPs, while also costing victims in the regions billions of dollars.
Cybercriminal Groups' Tactics Improving
Social engineering remains the most popular attack vector among cybercriminal groups, with the unique combination of romance scam and investment fraud — known as "pig butchering" — the most common approach. However, North Korean threat groups often employ social engineering with a business focus, such as masquerading as IT workers. Now they are moving toward other approaches as well, says Jardine.
"They are increasingly impersonating recruiters for prominent web3 and AI firms, running fake hiring processes designed to steal credentials, source code, and VPN or [single sign-on] access," he says. "We also observed outreach from purported investors or acquirers aimed at identifying access paths into high-value infrastructure."
Overall, the tactics of North Korea-linked groups are aimed at reproducing their greatest success: the $1.5 billion theft of cryptocurrency from exchange ByBit. Theft of currency from individual wallets increased to 158,000 incidents, but the total amount stolen declined.
Support services for cybercriminals continue to grow as well, with the success of money laundering services that allow funds from financial fraud and cybercrime to be mixed with legitimate funds to make investigations more difficult. The ecosystem surrounding money laundering has evolved in the past few years. North Korean cybercriminals move larger amounts of money than other threat actors, but rely on Chinese-language networks for transferring funds. Often, North Korean groups hold onto gains for 45 days before laundering funds, but that is more of a pattern than a rule, Chainalysis' Jardine says.
"They move larger amounts than other stolen-funds actors, but break transactions into smaller tranches and rely heavily on Chinese-language money movement networks, guarantee services, bridges, mixers, and [decentralized finance (DeFi)] protocols," he says.
Nations Collaborating to Investigate Scams
Regional governments and fintech firms have become better at tracking the proceeds, with significant recoveries of the funds associated with recent major thefts. In April, the US joint-agency Scam Center Strike Force took action against the Shunda cybercrime compound in Burma (Myanmar), charging two Chinese nationals for allegedly managing the compound, locking accounts holding $700 million in cryptocurrency, and taking down more than 500 websites in connection with the scam.
In addition, the US Treasury Department's Office of Foreign Assets Control (OFAC) restrained $700 million in cryptocurrency tied to the scam networks and sanctioned a Cambodian senator and 28 other people in his network. Restraining involves obtaining a court order that prevents the movement of funds linked to crimes.
Overall, nations in the region have made progress targeting groups like North Korean cyber-threat actors and others, says Jardine.
"What we can say is that our ability to identify and disrupt their activities continues to improve," he says. "The most effective approach combines blockchain analytics, intelligence sharing, public-private collaboration, coordinated law enforcement action, and rapid response when stolen funds begin moving."
About the Author
Robert Lemos
Contributing Writer
Rob is an award-winning, veteran technology journalist of more than 30 years, reporting on global cybersecurity issues, the latest offensive and defensive technologies, malware incidents, cyber conflict, and AI's impact on software and cybersecurity.
A former research engineer, Rob has written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. He has received five awards for journalism, including Best Deadline Journalism (Online) in 2003 for his coverage of the Blaster worm. Rob also analyzes data on various trends using Python and R for both his reporting and his clients. Recent reports include analyses of the shortage in cybersecurity workers, annual vulnerability trends, and annual threat reports.
Rob holds degrees from Cornell University in Electrical Engineering and Computer Science (double major).