North Korean hackers may be laundering cryptocurrency via cloud mining services, according to a report released today.
Google-owned cybersecurity firm Mandiant said on Tuesday that a Pyongyang-based hacking group known as APT43 “steals and launders enough cryptocurrency to buy operational infrastructure in a manner aligned with North Korea’s juche state ideology.”
Juche is the state ideology of North Korea and the official ideology of the Workers’ Party of Korea, attributed to founder Kim Il-sung.
Mandiant added that APT43—also known as Kimsuky—likely makes use of hash rental and cloud mining services to wash the stolen cryptocurrency “clean.”
Cloud mining services allow users to rent a computer system owned by someone else and use that computer’s hash power to mine cryptocurrencies. This saves miners from having to buy and set up their own local mining rigs.
Even as APT43 benefits from crypto infrastructure, “APT43 has targeted cryptocurrency and cryptocurrency-related services,” the report said, adding that it uses profits to fund its operations.
Mandiant said it has been observing APT43 since 2018. It is a “moderately-sophisticated” group of hackers working to support North Korea’s regime by “collecting strategic intelligence.”
North Korean hackers have long been operating in the crypto sphere—hacking protocols, stealing digital assets, or using special apps to hide criminal trails. They’ve stolen at least $1.2 billion over the last five years, some of it by pretending to be venture capital firms and investors that back crypto startups.
In a widely publicized move last year, the U.S. Treasury Department sanctioned “coin mixer” app Tornado Cash because North Korean hackers were using it to launder funds.
State-sponsored Lazarus Group used Tornado Cash to launder over $96 million after it hacked blockchain protocol Harmony Bridge, blockchain analysts said.