🇰🇵 APT38. North Korea's Reconnaissance General Bureau.
APT38 is a North Korean state-sponsored cyber threat group with a distinct focus on financial cybercrime to fund the North Korean regime.

Associated Names and/or Groups. NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, COPERNICIUM
Overview
APT38 is a North Korean state-sponsored cyber threat group that operates under the broader umbrella of Lazarus Group, with a distinct focus on financial cybercrime to fund the North Korean regime. Unlike other North Korean APTs that engage in espionage or disruptive cyberattacks, APT38 is primarily known for targeting financial institutions worldwide to steal funds and launder money.
First identified in 2018 by FireEye (now Mandiant), APT38 has been linked to the North Korean government’s efforts to circumvent international sanctions by intruding into banks' SWIFT-connected payment systems (the bank-side messaging interfaces, not the SWIFT network itself) and into cryptocurrency exchanges. The group is notable for its long dwell times within compromised networks, sophisticated money laundering techniques, and destructive tactics to erase forensic evidence after successful thefts.
APT38 has been responsible for some of the largest cyber-enabled bank heists in history, including the 2016 Bangladesh Bank heist, in which $81 million was stolen. The group’s attacks on cryptocurrency exchanges have also played a significant role in funding North Korea’s nuclear and ballistic missile programs.
In response, nations have sanctioned North Korean entities, strengthened financial cybersecurity defenses, and enhanced global intelligence-sharing. However, APT38 remains highly adaptive and continues to exploit emerging financial technologies for illicit gains.
Background and Attribution Indicators
APT38 was first publicly identified in 2018 by FireEye, which highlighted its financially motivated operations separate from traditional espionage-focused North Korean APTs. The group’s activities predate this discovery, with evidence suggesting it has been active since at least 2014.
APT38 operates under the broader Lazarus Group, a collective of North Korean cyber operators linked to Bureau 121, a unit of the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence and cyber warfare agency. Unlike Lazarus Group’s politically or militarily motivated operations, APT38 is dedicated to financial cybercrime, generating revenue for the North Korean regime in response to crippling international sanctions.
The United Nations, U.S. Treasury Department, and cybersecurity firms have all linked APT38 to state-sponsored North Korean hacking activities, citing:
• Overlap in malware and tactics with other North Korean cyber groups.
• Operational patterns aligning with North Korea’s geopolitical and economic strategies.
• Infrastructure and money laundering networks connected to North Korean operatives.
Despite sanctions and global countermeasures, APT38 has evolved its operations, shifting towards cryptocurrency heists and decentralized finance (DeFi) exploits.
Focus
APT38 primarily targets financial institutions and cryptocurrency platforms, aiming to steal funds that can be laundered into the North Korean economy. Its key targets include:
1. Banks and Financial Institutions – Targeting banks' SWIFT messaging interfaces, internal payment networks, and interbank transfers to siphon large sums of money.
2. Cryptocurrency Exchanges and DeFi Platforms – Exploiting blockchain vulnerabilities, smart contract weaknesses, and phishing campaigns to steal digital assets.
3. ATM Networks and Payment Processors – Conducting cash-out operations through compromised payment networks and ATM fraud.
4. Financial Regulatory Bodies – Gaining intelligence on anti-money laundering (AML) measures to refine evasion techniques.
5. Defense and Critical Infrastructure (Secondary Targets) – Occasionally compromising defense contractors and energy firms for alternative revenue streams or strategic intelligence.
APT38’s main objective is monetary theft, but its secondary focus is disrupting financial institutions that enforce sanctions against North Korea.
Attack Vectors and Lifecycle
APT38 employs a highly structured attack lifecycle, leveraging long dwell times in targeted financial networks (FireEye reported an average of about 155 days, with one intrusion lasting almost two years) to learn how transactions are processed before attempting a theft.
1. Initial Access
• Spear-phishing campaigns targeting bank employees.
• Watering hole attacks on financial sector websites.
• Zero-day exploits and supply chain compromises.
2. Establishing Persistence
• Deployment of custom backdoors (e.g., EVILGUEST, BISTROMATH) to maintain long-term network access.
• Use of legitimate administrative tools to blend with normal activity.
3. Lateral Movement and Reconnaissance
• Mapping bank networks, SWIFT systems, and transaction processes.
• Capturing administrator credentials and exploiting interbank connections.
4. Exploiting Financial Systems
• Manipulating the bank's local SWIFT messaging interface to issue fraudulent transfer instructions to attacker-controlled beneficiary accounts, and altering or deleting the interface's records and printed confirmations so that staff do not see them.
• Targeting cryptocurrency wallets, exchanges, and decentralized finance platforms.
5. Cashing Out and Laundering Funds
• Converting stolen funds into cryptocurrency, privacy coins such as Monero, and the output of mixing services such as Tornado Cash.
• Routing funds through shell companies, casinos and money mule networks (the Bangladesh Bank proceeds moved through Philippine bank accounts and casinos; other cases have involved China and Russia).
6. Destructive Cover-Up Operations
• Deploying wiper malware to erase logs and hinder forensic investigations.
• Disrupting banking networks to delay incident response efforts.
APT38’s methodology is highly resource-intensive but results in high-value financial thefts that directly fund the North Korean regime.
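As an added illustration (example code written for this page, not APT38 tooling or any bank's actual control), the following Python reconciles the payment instructions the back office approved against the debits the correspondent bank reports on the nostro account. This is the kind of independent check that exposes the stage-4 and stage-6 behaviour above: instructions injected through the SWIFT interface and then removed from its records still show up as debits on the other side, and a swapped beneficiary shows up as a mismatch. All field layouts, thresholds, references and BICs are hypothetical, and the log lines are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Simplified MT103-style outbound instruction (hypothetical layout).
Payment = namedtuple("Payment", "ref amount ccy bene_bic ts")

# Hypothetical review rules; a real bank tunes these per currency and corridor.
BUSINESS_HOURS = (8, 18)          # local 08:00-18:00
HIGH_VALUE = 10_000_000.0         # single-payment review threshold
BURST_WINDOW = timedelta(minutes=30)
BURST_COUNT = 3                   # this many debits inside the window

# Constructed sample: what the back office approved on 2016-02-04 (a Thursday).
APPROVED_LOG = """
TRN001 | 1500000.00 | USD | BANKDEXX | 2016-02-04T11:05:00
TRN002 |  250000.00 | USD | BANKUSXX | 2016-02-04T14:40:00
TRN003 |  250000.00 | USD | BANKGBXX | 2016-02-04T15:10:00
"""

# Constructed sample: debits the correspondent reports against the nostro
# account. In this scenario TRN901-903 were injected after hours and deleted
# from the local SWIFT interface's database; TRN003 had its beneficiary swapped.
NOSTRO_DEBITS = """
TRN001 |  1500000.00 | USD | BANKDEXX | 2016-02-04T11:05:00
TRN002 |   250000.00 | USD | BANKUSXX | 2016-02-04T14:40:00
TRN003 |   250000.00 | USD | BANKPHXX | 2016-02-04T15:10:00
TRN901 | 20000000.00 | USD | BANKPHXX | 2016-02-04T21:12:00
TRN902 | 30000000.00 | USD | BANKPHXX | 2016-02-04T21:14:00
TRN903 | 31000000.00 | USD | BANKPHXX | 2016-02-04T21:16:00
"""

def parse_log(text):
    """Parse 'ref | amount | ccy | beneficiary BIC | ISO timestamp' lines, keyed by ref."""
    rows = {}
    for line in text.strip().splitlines():
        ref, amount, ccy, bic, ts = (f.strip() for f in line.split("|"))
        rows[ref] = Payment(ref, float(amount), ccy, bic, datetime.fromisoformat(ts))
    return rows

def is_out_of_hours(ts):
    """True on weekends or outside the configured business window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])

def reconcile(approved, debited):
    """Compare approved instructions with reported debits and return the refs
    that need investigation, grouped by reason. Every list is sorted."""
    both = set(approved) & set(debited)
    findings = {
        # Debits with no approved instruction: injected or record-deleted messages.
        "unapproved": sorted(set(debited) - set(approved)),
        # Approved but never debited: possible suppression or processing failure.
        "not_debited": sorted(set(approved) - set(debited)),
        # Same reference, but amount or beneficiary differs from what was approved.
        "altered": sorted(r for r in both
                          if (approved[r].amount, approved[r].bene_bic)
                          != (debited[r].amount, debited[r].bene_bic)),
        "high_value": sorted(r for r, p in debited.items() if p.amount >= HIGH_VALUE),
        "out_of_hours": sorted(r for r, p in debited.items() if is_out_of_hours(p.ts)),
        "burst": [],
    }
    # Burst detection: BURST_COUNT or more debits inside any BURST_WINDOW.
    ordered = sorted(debited.values(), key=lambda p: p.ts)
    burst = set()
    for i, first in enumerate(ordered):
        window = [q.ref for q in ordered[i:] if q.ts - first.ts <= BURST_WINDOW]
        if len(window) >= BURST_COUNT:
            burst.update(window)
    findings["burst"] = sorted(burst)
    return findings

def run_example():
    """Run the reconciliation over the constructed logs."""
    return reconcile(parse_log(APPROVED_LOG), parse_log(NOSTRO_DEBITS))

if __name__ == "__main__":
    for reason, refs in run_example().items():
        print(f"{reason:13s} {refs}")
```

The point of the design is that the second data source is outside the attacker's reach: a correspondent's statement cannot be edited by malware running on the victim's messaging server, so a deletion on the SWIFT side turns into an unexplained debit rather than silence. The hour-of-day, value and burst rules are secondary and only sharpen the priority of the review.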
Major Attacks and Impact
1. Bangladesh Bank Heist (2016)
• One of the largest cyber bank heists in history ($81 million stolen).
• APT38 compromised Bangladesh Bank's SWIFT messaging environment and issued 35 fraudulent transfer instructions totaling roughly $951 million against the bank's account at the Federal Reserve Bank of New York. Most were blocked; five were executed, and $81 million reached accounts in the Philippines while about $20 million sent to Sri Lanka was recovered.
2. Bank and Cryptocurrency Exchange Heists (2018-Present)
• APT38 has stolen or attempted to steal well over $1 billion from banks and cryptocurrency exchanges globally (FireEye estimated more than $1.1 billion attempted by 2018; a 2021 U.S. indictment of three RGB officers cited more than $1.3 billion).
• The group has targeted financial institutions in Vietnam, Mexico, Taiwan, South Korea, and several African countries.
3. ATM Cash-Out Operations (2016-Present)
• In the campaign CISA tracks as FASTCash, active since at least late 2016, North Korean operators compromised banks' payment-switch servers so that fraudulent ATM withdrawal requests were approved, enabling coordinated cash-outs across many countries at once.
4. Cryptocurrency Thefts (2020-Present)
• DeFi and NFT platforms increasingly targeted for blockchain exploits.
• About $620 million (173,600 ETH and 25.5 million USDC) stolen from the Ronin Network bridge used by Axie Infinity in March 2022; the FBI attributed the theft to Lazarus Group and APT38.
APT38’s cyber operations directly finance North Korea’s illicit programs, making them a critical geopolitical and cybersecurity concern.
Strategic Responses
United States and Western Nations
• Sanctions and asset freezes targeting North Korean financial networks.
• Bounty programs for information leading to APT38 operatives.
• Offensive cyber operations by U.S. Cyber Command to disrupt North Korean hacking infrastructure.
International Financial Institutions
• SWIFT network security enhancements and monitoring of high-risk transactions.
• Increased cooperation between banks and cybersecurity agencies to detect APT38 tactics.
Cryptocurrency Security Enhancements
• OFAC sanctions on cryptocurrency mixing services used to launder North Korean proceeds (Blender.io in May 2022 and Tornado Cash in August 2022).
• Blockchain intelligence firms working to track and recover stolen assets.
Despite global countermeasures, APT38 remains a persistent financial cyber threat due to its state backing and financial necessity for the North Korean regime.
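To make the tracking side concrete, here is an added example (written for this page; not a product of any blockchain-intelligence firm, and every address, amount and label is hypothetical and constructed) of the simplest method those firms build on: forward "poison" taint propagation over a transaction graph from a known attacker address, stopping at addresses labelled as exchange deposits (where a legal request can follow) or mixers (where on-chain linkage breaks, which is why the mixing step in the laundering stage above matters to the launderer).

```python
from collections import defaultdict, deque, namedtuple

Tx = namedtuple("Tx", "txid src dst amount")

# Hypothetical address labels, the kind a blockchain-intelligence firm maintains.
LABELS = {
    "exch_dep_1": "exchange deposit (ExampleEx)",
    "mixer_1": "mixer (ExampleMix)",
}

# Constructed transaction history. Amounts are in a notional token unit.
TXS = [
    Tx("t1", "victim_hot", "hack_a", 600.0),    # initial theft from the victim's hot wallet
    Tx("t2", "hack_a", "split_b", 300.0),
    Tx("t3", "hack_a", "split_c", 300.0),
    Tx("t4", "split_b", "peel_d", 299.5),       # peel chain: small amount off, rest forward
    Tx("t5", "split_b", "exch_dep_1", 0.5),     # test deposit at an exchange
    Tx("t6", "peel_d", "exch_dep_1", 50.0),
    Tx("t7", "peel_d", "peel_e", 249.5),
    Tx("t8", "split_c", "mixer_1", 300.0),
    Tx("t9", "mixer_1", "unrelated_z", 100.0),  # mixer output: not attributable by graph alone
    Tx("t10", "clean_x", "exch_dep_1", 20.0),   # unrelated customer deposit
]

def build_graph(txs):
    """Adjacency list: source address -> list of its outgoing transactions."""
    out = defaultdict(list)
    for tx in txs:
        out[tx.src].append(tx)
    return out

def trace(txs, start, labels, max_hops=10):
    """Forward taint from `start`. Every address that receives from a tainted
    address becomes tainted (the "poison" rule), except that labelled sinks are
    recorded and not expanded, since an exchange pools deposits and a mixer
    deliberately breaks the link. Returns (tainted addresses, hits); each hit
    is (label, path of txids, amount, hops)."""
    out = build_graph(txs)
    tainted = {start}
    hits = []
    queue = deque([(start, [], 0)])
    while queue:
        addr, path, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for tx in out.get(addr, []):
            new_path = path + [tx.txid]
            if tx.dst in labels:
                hits.append((labels[tx.dst], new_path, tx.amount, hops + 1))
                tainted.add(tx.dst)
                continue                        # sink: do not follow the pool
            if tx.dst not in tainted:
                tainted.add(tx.dst)
                queue.append((tx.dst, new_path, hops + 1))
    return tainted, hits

def amount_by_sink(hits):
    """Total tainted value that reached each labelled sink."""
    totals = defaultdict(float)
    for label, _, amount, _ in hits:
        totals[label] += amount
    return dict(totals)

def run_example():
    """Trace from the first attacker-controlled address in the constructed history."""
    tainted, hits = trace(TXS, "hack_a", LABELS)
    return tainted, hits, amount_by_sink(hits)

if __name__ == "__main__":
    tainted, hits, totals = run_example()
    for label, path, amount, hops in hits:
        print(f"{amount:8.1f} -> {label} after {hops} hop(s) via {' > '.join(path)}")
    print("totals:", totals)
    print("tainted:", sorted(tainted))
```

Two things the output shows that the prose alone does not: the 50.5 units that reached the exchange deposit are actionable (the exchange can identify the account holder), while the 300 units that entered the mixer produce no further on-chain lead, and the unrelated deposit from `clean_x` is never tainted because propagation only follows edges out of tainted addresses. Production tooling refines this with proportional ("haircut") or FIFO taint, UTXO-level tracking, cross-chain bridge heuristics and clustering, but the graph walk above is the core of every such trace.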
Outlook
APT38 is expected to:
• Expand into decentralized finance (DeFi) and NFT-related cyber heists.
• Utilize AI-driven cyber tactics for more effective phishing and intrusion campaigns.
• Target secondary financial systems such as insurance firms and fintech startups.
• Develop advanced obfuscation techniques to counter blockchain tracking measures.
As North Korea faces increasing economic isolation, APT38 will likely continue and escalate financial cyber operations to sustain its regime and fund weapons programs.