Back to Home

North Korean IT networks: cyber training and financing

Blogger ZachXBT exposed North Korean IT group teaching reverse engineering through 43 modules on Hex-Rays and IDA Pro. After publication, payment site was shut down. Such networks provide multi-million income for DPRK, increasing global cyber risks.

North Korean Cyber Schools: How IT Workers Earn Millions
Advertisement 728x90

North Korean IT Networks: Cyber Skills Training and Their Role in Shadow Financing

An analysis by security researcher ZachXBT revealed the structure of a North Korean IT group, where participants undergo training in reverse engineering tools for cyber operations. Following the publication, a linked payment resource was disconnected, highlighting the vulnerability of such networks.

Structure and Training Methods

North Korean IT workers form organized networks to master specialized skills. In one cluster from November 2025 to February 2026, an administrator distributed 43 modules on Hex-Rays and IDA Pro tools. These materials included:

  • Code disassembly;
  • Software decompilation;
  • Local debugging;
  • Remote debugging.

Such courses prepare specialists for practical tasks in cyberspace. Unlike more mature groups, this cluster demonstrates an initial level of organization but already generates revenue through shadow schemes. The broader context indicates that North Korea utilizes such initiatives to bypass international restrictions, directing funds toward state needs.

Google AdInline article slot

Reaction to Exposure and Operational Measures

ZachXBT’s publication triggered an immediate reaction: the group’s internal payment website vanished from the internet the following day. The analyst archived the data beforehand, allowing the investigation to continue. This event illustrates weaknesses in the infrastructure—from standard passwords to a lack of external threat monitoring.

Experts note that such groups lag behind structures like AppleJeus and TraderTraitor in efficiency. The latter demonstrate a higher level of coordination, inflicting greater damage on global cybersecurity. Revenue from IT workers is estimated in the millions of dollars annually, reinforcing the role of these networks in North Korea’s economy.

Key Takeaways

  • North Korean IT groups train on reverse engineering for cyber operations using Hex-Rays and IDA Pro.
  • Exposure led to the shutdown of the payment site, confirming infrastructure vulnerabilities.
  • Such networks generate multi-million dollar revenues, funding state programs.
  • Compared to AppleJeus and TraderTraitor, the identified cluster is less organized but represents a growing threat.
  • The incident underscores the need to strengthen global monitoring of shadow IT networks.

Context and Global Implications

North Korean cyber activity evolves amidst strict sanctions. The reasons for developing such networks lie in limited access to traditional finance, stimulating the use of digital methods. Consequences affect the crypto industry: victims lose funds, and companies are forced to invest in protection.

Google AdInline article slot

Impact on the industry manifests in increased attacks on financial platforms. Regulators, including the US and EU, are tightening control over offshore IT services. For businesses, this means verifying contractors for ties to high-risk regions. The long-term effect is a redistribution of resources toward cybersecurity, where tools like IDA Pro become key for both attackers and defenders.

The overall trend shows that shadow IT networks of isolated states integrate into the global economy via cryptocurrencies and freelance platforms. This requires coordinated measures from the international community, including sharing data on suspicious clusters.

— Editorial Team

Google AdInline article slot
Advertisement 728x90

Read Next