On October 1, the European Union Agency for Cybersecurity (ENISA) published its annual Threat Landscape 2025 report, outlining “the most prominent cybersecurity threats and trends the EU faces in the current cyber threat ecosystem.”
An examination of the most prominent state-aligned cyber threats faced by the EU revealed, unsurprisingly, that Russia and China were the most active in targeting Union members over the reporting period (July 1, 2024 – June 30, 2025). Both sectoral and geographic targeting by hackers from these nations appeared to be aimed at achieving their sponsoring nation-state’s grand geopolitical ambitions, such as Russia’s ongoing conflict in Ukraine or China’s economic ambitions outlined in its Made in China 2025 (MiC25) or China Standard 2035 policies.
However, contrary to common perception, ENISA listed North Korean state-aligned cyber intrusions as the third most noteworthy threat to EU members, ranking them above more researched threat actors, such as Iran. ENISA’s findings further underscore the growing multipronged threat that North Korea poses to the West and the need for European policymakers to take a holistic approach to Pyongyang, beyond a focus on its kinetic military activity vis-à-vis Russia.
When ENISA’s North Korea-related findings are examined more closely, it becomes apparent that the geopolitical motivations behind its cyberattacks closely align with global trends. Indeed, North Korean state-aligned cyber operations can be categorized mainly into two distinct, but at times overlapping, types: financially motivated or cyber espionage campaigns.
Cyber Theft as an Economic Lifeline
Indicative of the first category, ENISA stated that the “DPRK [Democratic People’s Republic of Korea]-nexus activity is heavily skewed towards EU private companies, with a focus on human resources, financial services (including crypto) and technology.” North Korea has been experiencing a sharp socioeconomic decline over the last decade. This decline is primarily due to the persistent long-term effects of international sanctions, as well as the shorter-term impacts of COVID-19-related border closures on Pyongyang’s trade with key economic partners, such as China and Russia.
North Korea’s recent increase in exports of arms, ammunition, supplies, and personnel to Russia for its war in Ukraine has presented an economic boon for Kim Jong Un’s regime. However, North Korea remains a cash-strapped nation, with the aforementioned inhibiting factors forcing it to gather much-needed funds through more illicit means, including cyberattacks against financial institutions and cryptocurrency exchanges.
According to a July 2025 report published by cryptocurrency analysis firm Chainalysis, North Korean hackers stole over $2.17 billion worth of cryptocurrency from cryptocurrency services in the first half of 2025. Chainalysis’s report found that countries typically targeted by Pyongyang, such as the U.S., Japan, and South Korea, had the most significant concentration of funds stolen globally. However, both ENISA and Chainalysis noted that EU countries, such as Germany, also represented high-priority targets for hackers linked to Pyongyang.
Cyber Intelligence-Gathering Operations in Europe
In the other category, the most common form of North Korean cyber espionage posing a significant threat to the Union’s security was Pyongyang’s IT job-themed schemes. According to ENISA, North Korean hacking groups Lazarus and Famous Chollima were observed targeting “EU entities” involved in the defense, aerospace, media, health, energy, and government-related sectors.
While the ENISA report did not explain why these industries were targeted, there is a medium-to-high likelihood that North Korean hackers sought to gain strategic insights into ongoing defense build-up efforts from EU and NATO members, including their growing partnership with South Korea. For example, the European Commission announced in March 2025 its ReArm Europe Plan/Readiness 2030 goal, which proposes to “leverage 800 billion euros” to help EU states increase their defense capabilities. Similarly, NATO members agreed during their 2025 summit in The Hague to increase their defense spending to 5 percent. This increase will comprise at least 3.5 percent for core defense requirements and 1.5 percent to enhance the alliance’s critical infrastructure resiliency/preparedness.
This defense build-up will require a significant increase in the EU’s current defense complex’s production output, something that is unlikely to happen without external partnerships. For example, in August 2025, the South Korean government finalized a $6.5 million deal with the Polish government to supply K2 Black Panther tanks for the Polish military. As a part of this deal, Seoul agreed to technology transfers and local production licensing, ensuring that South Korean defense firms transfer production, assembly, and MRO (maintenance, repair, and overhaul) technologies to Warsaw to help build up its domestic production capabilities.
While such partnerships will aid EU and NATO members in achieving their short- and long-term industrialization goals, they also expand the digital vectors through which North Korean hackers could target EU defense firms and technology. More specifically, EU defense firms’ renewed defense-related efforts and external partnerships are likely to necessitate an increase in IT-related staff to manage the onboarding of new personnel and workflows, as well as expanding manufacturing profiles and R&D with partner organizations. It is the chaos of this rapid expansion that North Korean hacking groups, such as Lazarus, are likely to exploit to gain access to critical defense infrastructure.
There are already early signs that such objectives could be within Pyongyang’s geopolitical agenda. For example, on April 1, Google’s Threat Intelligence Group (GTIG) published a report on North Korea’s utilization of fake IT workers to target European firms. In it, GTIG claimed that at least 12 North Korean-operated personas were actively seeking employment in multiple European defense and government sector entities. As such, North Korean hacking groups specializing in cyber espionage, such as Lazarus, could be utilized to gather intelligence on the rearmament progress of EU-NATO members, including the type of defense equipment they are producing, the quantities, where it is being shipped to or stationed, and their capabilities.
North Korea’s Growing Cybercrime Alliance With Russian Ransomware Gangs
In a related scenario, North Korean hackers could sell access to the compromised Europe-based defense firms and government institutions to cybercriminal organizations. The credibility of such a scenario is increased when Pyongyang’s deepening relationship with Russian cybercriminal organizations is considered. For example, a 2024 report by cybersecurity firm Palo Alto Networks’ Unit 42 found that North Korean cyber actors were collaborating with the Play ransomware gang.
The rationale of such a collaboration would likely be two-fold. First, it would aid Pyongyang in generating revenue for the Kim regime and its nuclear weapons program. Such initial access would likely only be sold after North Korean hackers had extracted all the R&D and government-related information they needed to enhance their own defense production capabilities and support their own geopolitical ambitions and those of their allies.
Second, this Pyongyang-ransomware collaboration would serve to disrupt Europe’s defense complex before it can pose a serious threat to North Korea’s sovereignty and geopolitical ambitions. Indeed, North Korea’s cybercriminal partners are highly likely to exploit their paid-for access to launch disruptive and/or destructive cyberattacks, such as ransomware or wiper malware. Such attacks would encrypt these firms’ systems and extort financial compensation from them.
With the average downtime from ransomware being only 24 days, the long-term impact on Europe’s overall defense resiliency is likely to be limited to moderate. Nevertheless, such short-term disruptions could impact the EU or NATO’s ability to respond sporadically and rapidly to sudden threats, such as an invasion, if the cyberattack is timed in concert with a kinetic operation. Nation-states, such as Russia, have demonstrated experience with this type of coordination during the early stage of the Ukraine conflict. Therefore, it is in this regard that they could coordinate closely with less experienced partners, such as North Korea, to help them gain real-life experience with hybrid warfare tactics.
North Korea’s Cyber Profile Changes the Complexity of the Ukraine Conflict
Further afield, the potential implications of such North Korea-enabled cyberattacks could prove detrimental not only for the EU and NATO’s resiliency efforts but also for countries they support, such as Ukraine. In the case of European defense firms aiding the Ukrainian military, unfettered North Korean access to these firms’ digital networks could allow Pyongyang to pass critical information, such as supply chain routes or critical vulnerabilities, on to Russian forces. This information would then be used to carry out targeted artillery or missile strikes against key weapons consignments and/or disrupt Ukrainian supply chains. Such a scenario threatens to deal a significant blow to Kyiv’s defensive position vis-à-vis Russia, enabling a more unrestrained Russian offensive in the Donbas region and beyond.
Conclusion: It’s Time to Build a Holistic Approach Toward North Korea
The findings outlined in the ENISA Threat Landscape 2025 report demonstrate that North Korea’s cyber activities are no longer a peripheral concern but a central component of its broader geopolitical strategy. North Korea’s potential to infiltrate critical industries and shape the outcome of regional conflicts highlights a pressing need for the EU and NATO to take a more holistic approach toward cyber resilience, industrial security, and supply chain protection.
Indeed, the EU and NATO need to refocus their approach toward North Korea to ensure that they no longer treat it as merely a rogue nation in a far-off region. Instead, it should be viewed as a current, not emerging, threat, whose influence extends far beyond the Korean Peninsula.