BSides Pyongyang

When the imperialists store their coins in the cloud, we bring the thunder.

In the sacred mission of self-funding the revolution, the Democratic People’s Republic of Korea has achieved global excellence in crypto confiscation, transforming borderless finance into boundless opportunity. Learn how dedicated cyber-warriors track blockchain transactions, identify liquidity pools ripe for nationalization, and launder coins across mixers, cross-chain bridges, and NFT platforms until their origin is as unverifiable as a Western “election”.

No prior loyalty required. Coins will not be returned.

Many western companies will hire offshore but never knowingly from North Korea. Using my tips, knowledge, and threats, you can apply significant pressure to the right leadership at a fortune 50 company to get more hired in a western company making hundreds of dollars a day.

The DPRK has long established itself as the most prolific threat actor in the cryptocurrency ecosystem with over $2 billion dollars in thefts attributed to their various hacking groups in 2025 alone. When these major thefts from cryptocurrency services and exchanges occur it is widely reported that the North Korean regime uses these funds to advance their nuclear weapons and ballistic missile programs, but how exactly do they turn stolen digital tokens into hard currency and material goods? The answer lies in a complex system of money laundering that aims to provide the North Korean government access to global financial markets that they have been otherwise shut out of for decades.

We will examine what happens post-theft as North Korea races to secure clean funds and evade investigators. North Korea has mastered the art of money laundering through the use of bridges across blockchains, mixing services that obfuscate their connections to the funds, and the cooperation with Over-the-Counter (OTC) brokers and organized criminal networks throughout China and Southeast Asia. Throughout the years the DPRK has refined their techniques and adjusted their methods when confronted with resistance, by analyzing their Tactics, Techniques, and Procedures (TTPs) our goal is to equip investigators with the knowledge to disrupt one of the most successful criminal enterprises in history.

For decades, counterintelligence has been a chess match fought in the shadows… Agents and analysts using deception, misdirection, and patience to protect their state’s secrets while probing the vulnerabilities of others. But in cyberspace, the terrain of this ancient contest has shifted.

In this talk, we will explore how modern counterintelligence methods translate into the digital realm with a focus on operations attributed to and against the Democratic People’s Republic of Korea. Using open source data, log analysis, and case studies, we’ll walk through how signals can be spoofed, how false flags can be planted in code, and how even mundane process creation logs can be weaponized in counter-espionage campaigns.

The presentation will bridge lessons from traditional HUMINT and SIGINT tradecraft with cyber operations thus showing how counterintelligence isn’t just about stopping intrusions, but about shaping adversary perception, bending narratives, and maintaining operational security against global scrutiny.

Attendees will learn…

How adversaries conduct deception campaigns in logs, malware samples, and network traffic and memes.

Techniques to identify false signals versus genuine operations.

Practical takeaways for defenders: building resilience against both intrusions and distribution traps.

At the intersection of cybersecurity and statecraft, counterintelligence remains the art of making your adversary chase shadows. By studying its application in cyberspace, we can sharpen both our defenses and our understanding of global cyber power dynamics.

This is a continuation of my DEF CON Talk “North Korea’s Fur Shop: Poaching for Ferrets, Beavers, Otters and Capybaras”. In this talk we’ll dissect DPRK malware samples both from before and after the previous talk timeline. We’ll reverse engineer three insignia samples: QRLog (discovered by me), Docks (discovered by my team) and PyLangGhostRAT. This talk is friendly for beginners and is aimed to be enjoyed by people from different backgrounds and expertise levels interested in malware research and reversing.

North Korean IT workers are like cavities: They are a constant risk. If you do regular daily hygiene, you’ll avoid them. They’re not a huge deal when you find one. They might even lead to a fun story! Except every once in a while you don’t find them until it’s too late and you need the equivalent of a root canal.

But this is not your typical DPRK IT worker presentation. This is the story of finding a cluster of hacking activity targeting North Korean IT workers. I will talk about how I found it, how I connected to it to a named cluster, simple pivots to find more activity, and then the process of arriving at an attribution assessment. This presentation will touch on TTPs of IT workers and multiple state sponsored hacking groups. Spoiler alert, this cluster was not attributed to who you think.

This talk traces the North Korean regime’s strategic decision to develop cyber operations as a critical, asymmetric capability, a vision rooted in Kim Jong Il’s 1990 proclamation that elevated cyber-attacks as a parallel to developing a nuclear weapons arsenal. The talk explores how North Korea’s Juche self-reliance philosophy has influenced the modern development of its cyber programs, creating a sophisticated, self-sustaining economic and military model essential for regime survival and the funding of its strategic weapons programs.

From its start in 1984 with the establishment of Mirim College, North Korea has produced a formidable educational pipeline of individuals to work in offensive cyber roles in the Reconnaissance General Bureau (RGB), Ministry of State Security (MSS), or as revenue-generating IT workers subordinate to the Ministry of Defense and the Munitions Industry Department. As the North’s cyber program has matured and evolved, this talk will trace how the fundamental North Korean “juche” philosophy intersects with the development and evolution of the regime’s cyber capabilities, including organizational shifts under the RGB, the significance of Research Centers prior to 2020, and the evolution of North Korean cyber operations from the Lazarus Group umbrella to the APTs tracked today.