On October 1, the European Union Agency for Cybersecurity (ENISA) published its annual Threat Landscape 2025 report, describing “the most important cybersecurity threats and trends facing the EU in the current cyber threat ecosystem”.
A review of the most significant state cyber threats facing the EU found, unsurprisingly, that Russia and China were the most active in targeting EU members during the period under review (July 1, 2024 to June 30, 2025). The sectoral and geographic targeting carried out by the hackers of these countries appeared to be aimed at achieving the grand geopolitical ambitions of the nation-state sponsoring them, such as the ongoing conflict between Russia and Ukraine or China’s economic ambitions outlined in its Made in China 2025 (MiC25) or China Standard 2035 policies.
However, contrary to common perception, ENISA ranked North Korean cyber intrusions as the third most significant threat to EU members, placing them above more studied threat actors, such as Iran. ENISA’s findings further highlight the growing multifaceted threat that North Korea poses to the West and the need for European policymakers to take a holistic approach to Pyongyang, beyond focusing on its kinetic military activity vis-à-vis Russia.
When taking a closer look at ENISA’s findings regarding North Korea, it becomes clear that the geopolitical motivations behind its cyberattacks closely align with global trends. Indeed, cyber operations aligned with the North Korean state can be categorized primarily into two distinct, but sometimes overlapping, types: financially motivated campaigns or cyberespionage campaigns.
Cybertheft as an economic lifeline
As an indication of the first category, ENISA declared that the “DPRK [Democratic People’s Republic of Korea]-nexus business is heavily skewed towards EU private companies, with a focus on human resources, financial services (including crypto) and technology.” North Korea has experienced a marked socio-economic decline over the past decade. This decline is mainly due to the lingering long-term effects of international sanctions, as well as the short-term impacts of COVID-19-related border closures on Pyongyang’s trade with its major economic partners, such as China and Russia.
North Korea’s recent increase in exports of arms, ammunition, supplies and personnel to Russia for its war in Ukraine presented an economic boon for Kim Jong Un’s regime. However, North Korea remains a cash-strapped country, with the aforementioned inhibiting factors forcing it to gather much-needed funds through more illicit means, including cyberattacks on financial institutions and cryptocurrency exchanges.
According to a July 2025 report published by cryptocurrency analysis firm Chainalysis, North Korean hackers stole $2.17 billion from cryptocurrency services in the first half of 2025. The Chainalysis report found that countries typically targeted by Pyongyang, such as the United States, Japan and South Korea, had the largest concentration of stolen funds in the world. However, ENISA and Chainalysis also noted that EU countries, such as Germany, represented priority targets for hackers linked to Pyongyang.
Bringing together cyber intelligence operations in Europe
Looking at the other category, the most common form of North Korean cyber espionage that poses a significant threat to the Union’s security is that of Pyongyang’s IT projects. According to ENISA, North Korean hacking groups Lazarus and Famous Chollima have been observed targeting “EU entities” involved in the defense, aerospace, media, healthcare, energy and government-related sectors.
Although the ENISA report does not explain why these industries were targeted, there is a medium to high probability that North Korean hackers sought to obtain strategic information about the EU and NATO members’ ongoing defense-building efforts, including their growing partnership with South Korea. For example, the European Commission announced in March 2025 its Rearm Europe Plan/2030 Preparation objective, which proposes to “mobilize 800 billion euros” to help EU states increase their defense capabilities. Likewise, NATO members agreed during their 2025 Summit in The Hague to increase their defense spending to 5 percent. This increase will include at least 3.5 percent for basic defense requirements and 1.5 percent to improve the resilience and readiness of the alliance’s critical infrastructure.
This defense strengthening will require a significant increase in the current production of the EU defense complex, which is unlikely without external partnerships. For example, in August 2025 the South Korean government finalized a $6.5 million deal with the Polish government to supply K2 Black Panther tanks to the Polish army. As part of this agreement, Seoul agreed to technology transfers and local production licenses, ensuring that South Korean defense companies transfer production, assembly and MRO (maintenance, repair and overhaul) technologies to Warsaw to help strengthen its domestic production capabilities.
While such partnerships will help EU and NATO members achieve their short- and long-term industrialization goals, they will also expand the digital vectors through which North Korean hackers could target EU businesses and defense technology. Specifically, EU defense companies’ renewed efforts in defense and external partnerships will likely require an increase in IT staff to manage the onboarding of new personnel and workflows, as well as an expansion of manufacturing and R&D profiles with partner organizations. It is the chaos of this rapid expansion that North Korean hacker groups, such as Lazarus, are likely to exploit to gain access to critical defense infrastructure.
There are already early signs that such goals could fit into Pyongyang’s geopolitical agenda. For example, on April 1, Google’s Threat Intelligence Group (GTIG) published a report on North Korea’s use of fake computer scientists to target European companies. In it, GTIG claimed that at least 12 North Korean figures were actively seeking employment in several European defense and government entities. Thus, North Korean hacker groups, such as Lazarus, which specializes in cyberespionage, could be used to gather intelligence on the rearmament progress of EU and NATO members, including what type of defense equipment they produce, in what quantities, where they are shipped or stationed, and their capabilities.
North Korea’s growing cybercrime alliance with Russian ransomware gangs
Meanwhile, another scenario is that North Korean hackers could sell cybercriminal organizations access to compromised European defense companies and government institutions. The credibility of such a scenario is all the greater when we consider the deepening relations between Pyongyang and Russian cybercriminal organizations. For example, a 2024 report by Unit 42 of cybersecurity firm Palo Alto Networks found that North Korean cyber actors were collaborating with the Play ransomware gang.
The rationale for such collaboration would likely be twofold. First, it would help Pyongyang generate revenue for the Kim regime and its nuclear weapons program. Such initial access would likely be sold only after North Korean hackers had extracted all the R&D and government information they needed to improve their own defense production capabilities and support their own and their allies’ geopolitical ambitions.
Second, this collaboration between Pyongyang and ransomware would serve to disrupt the European defense complex before it poses a serious threat to North Korea’s sovereignty and geopolitical ambitions. Indeed, North Korea’s cybercriminal partners are very likely to exploit their paid access to launch disruptive and/or destructive cyberattacks, such as ransomware or wiper malware. Such attacks would encrypt the systems of these companies and extort financial compensation from them.
Given that the average downtime from ransomware lasts only 24 days, the long-term impact on the overall resilience of European defense will likely be limited to moderate. However, such short-term disruptions could impact the EU or NATO’s ability to respond sporadically and quickly to sudden threats, such as an invasion, if the cyberattack is timed in concert with a kinetic operation. Nation states, like Russia, have demonstrated experience with this type of coordination at the start of the Ukrainian conflict. So it is in this regard that they could coordinate closely with less experienced partners, such as North Korea, to help them gain real-world experience with hybrid warfare tactics.
North Korea’s cyber profile changes complexity of Ukraine conflict
Further, the potential implications of such cyberattacks perpetrated by North Korea could prove detrimental not only to EU and NATO resilience efforts, but also to the countries they support, such as Ukraine. In the case of European defense companies assisting the Ukrainian military, North Korea’s unrestricted access to these digital networks could allow them to transmit critical information, such as supply chain routes or critical vulnerabilities, to Russian forces. This information would then be used to conduct targeted artillery or missile strikes against key weapons deliveries and/or disrupt Ukrainian supply chains. Such a scenario threatens to deal a major blow to Kyiv’s defensive posture vis-à-vis Russia, enabling a more unrestrained Russian offensive in the Donbas region and beyond.
Conclusion: It’s time for a holistic approach to North Korea
The findings presented in the ENISA Threat Landscape 2025 report demonstrate that North Korea’s cyber activities are no longer a secondary concern but a central part of its broader geopolitical strategy. North Korea’s potential to infiltrate critical industries and shape the outcome of regional conflicts highlights the urgent need for the EU and NATO to take a more comprehensive approach to cyber resilience, industrial security and supply chain protection.
Indeed, the EU and NATO must refocus their approach towards North Korea to ensure that they no longer treat it as just another rogue nation in a distant region. Rather, it should be seen as a current, not emerging, threat whose influence extends well beyond the Korean peninsula.
