North Korea: No Internet for 25M Citizens, $3B Crypto Theft for the State

Here is something that will break your brain for a moment.

North Korea has 25 million people. Of those 25 million, almost nobody has access to the internet you are reading this on right now. Not a slow version. Not a censored version. Not available in certain neighbourhoods only. Essentially unavailable — by government design — to the entire population of a nation the size of Australia's New South Wales.

And the same government that banned its citizens from the internet has built one of the most sophisticated cyber-attack units in the world. North Korea's state hackers have stolen over $3 billion in cryptocurrency. They brought down hospitals across the UK. They bankrupted a Hollywood studio. They emptied $81 million from a central bank via the international banking system.

A country with no internet for its people is also one of the most dangerous forces on the internet. That is the actual story of North Korea and technology.

What 25 Million People Actually Have: Kwangmyong

To understand North Korea's technology situation, the first thing to throw away is the idea that the country is simply "offline." It is not offline. It has a national digital network. It just has nothing to do with the internet.

The network is called Kwangmyong (광명), which translates to "bright" or "brilliant" in Korean. Kwangmyong is a domestic intranet — a completely separate network with no connection to the global internet whatsoever. Think of it as a very large local area network covering an entire country.

On Kwangmyong, citizens can access:

• The official Rodong Sinmun newspaper (the Korean Workers' Party's publication)
• State-curated encyclopaedias and educational content
• Approved academic research databases
• Government public service information
• Propaganda content about Kim Jong-un, the party, and North Korean history
• Some approved entertainment

What they cannot access on Kwangmyong: anything from outside North Korea. No foreign news. No Wikipedia (which has detailed articles about North Korean human rights abuses, for instance). No social media. No YouTube. No foreign academic papers unless specifically approved and uploaded by the state.

Access to Kwangmyong itself is not universal. Universities, libraries, some schools, and government buildings have access points. Home access exists but is limited to elite households. Most ordinary North Koreans encounter Kwangmyong occasionally at a library or study hall, not daily at home.

The Phone That Can Only Call Other Phones in North Korea

Mobile phones exist in North Korea. This surprises most people.

The national mobile network is called Koryolink, operated jointly by the North Korean government and Egypt's Orascom Telecom, which invested in building the infrastructure. As of recent estimates, approximately 6 million North Koreans have a Koryolink subscription — roughly 24% of the population.

But here is what a Koryolink phone cannot do:

• Call anyone outside North Korea
• Send a text message internationally
• Access the internet of any kind, including Kwangmyong
• Receive calls from abroad

Koryolink is a voice and domestic SMS network. That is all. You can call another Koryolink subscriber. You can text another Koryolink subscriber. Everything else is blocked at the network level.

There are no smartphones in the conventional sense for ordinary citizens. North Korea manufactures its own branded devices — the Arirang and Pyongyang phones — which are Android-based internally but stripped of Google Play, international app stores, and any internet capability. They run a curated selection of approved apps, connect to Kwangmyong via Wi-Fi in specific locations, and function essentially as feature phones with a touchscreen.

How the Country Actually Communicates

If Koryolink cannot reach outside and Kwangmyong is not the internet, how does a 25-million-person country function day-to-day?

Fax machines: Genuinely, in 2026, the North Korean government and many official institutions communicate via fax. This is not an exaggeration or a stereotype. Fax remains a core communication channel for official documents, orders, and reports moving between government ministries, provincial administrations, and military units.

Fixed radios with locked frequencies: Many North Korean homes are issued radios with frequencies fixed by the government. Citizens cannot tune to a different frequency. The radio plays state broadcasts — news, music, announcements — on a schedule. This is how the majority of ordinary North Koreans receive information about the outside world: through a filter designed specifically to show them what the state wants them to know.

Loudspeaker systems: Public spaces, workplaces, and residential areas have loudspeaker systems that broadcast state announcements, propaganda music, and official news. Early morning broadcasts are a standard feature of daily life in North Korean cities and villages.

Paper and in-person communication: Most record-keeping at the local level is paper-based. Births, marriages, work assignments, rations — all documented and filed on paper. Local party officials are the node in the information network at the neighbourhood level.

The postal system: North Korea has a functioning postal system for domestic mail. International mail exists but is rare and heavily monitored.

This is the infrastructure that runs a country of 25 million people. It is the administrative equivalent of 1970s-era bureaucracy, operating in 2026 by deliberate political choice rather than technological limitation. North Korea has the money and the engineering knowledge to build more advanced infrastructure. It has chosen not to.

The One Wire to the World

Here is the fact that is hardest to believe: North Korea has a single internet connection to the global internet.

One fibre optic link, running through China, connecting to the network infrastructure of China Unicom. That is the entire North Korean presence on the global internet.

The technical evidence for this is visible in publicly available internet routing data. North Korea has two registered autonomous system numbers — AS131279 and AS17974 — which appear in the global BGP (Border Gateway Protocol) routing tables that govern how internet traffic moves worldwide. The traffic volume through these ASes is minimal. The routing path goes through China every time.

This single cable carries approximately zero traffic from ordinary North Korean citizens, because ordinary North Korean citizens have no access to it. What it carries is the internet usage of North Korea's tiny elite — senior party officials, Kim Jong-un's immediate circle, some researchers, foreign embassy staff, joint venture company employees, and, most significantly, North Korea's cyber warfare units.

In 2014, following the Sony Pictures hack, the United States reportedly took action against North Korean internet infrastructure. For approximately 11 hours, North Korea's entire internet presence went offline. The reason this was possible: there is one cable. One gateway. Disrupting it disrupts everything.

The Hackers Who Get the Real Internet

This is where the story becomes extraordinary.

While 25 million citizens access a controlled domestic intranet and make phone calls that cannot leave the country, a carefully selected group of North Koreans have full, unrestricted access to the global internet. These are the country's state-sponsored hackers — the people doing the work that has made North Korea one of the most feared cyber actors on the planet.

The primary unit is known internationally as the Lazarus Group (also tracked by cybersecurity firms as APT38, Hidden Cobra, and Guardians of Peace depending on the specific sub-unit). US, UK, South Korean, and UN investigations have attributed the group to North Korea's Reconnaissance General Bureau — the intelligence directorate.

Lazarus Group hackers operate with resources and freedom that most North Korean citizens cannot imagine. They work from offices in Pyongyang. They operate from deployed positions in China, Southeast Asia (Cambodia, Malaysia, Laos have all seen Lazarus Group members), and occasionally Europe. They use the full global internet: they have accounts on GitHub, they exploit AWS and Azure cloud infrastructure, they communicate through encrypted channels, they monitor cryptocurrency markets in real time.

They do this because their work generates revenue that the North Korean state needs. Not supplemental revenue. Essential revenue. Under multiple rounds of UN sanctions, North Korea's ability to earn foreign currency through legitimate trade has been severely curtailed. The cyber theft programme fills that gap.

$3 Billion in Crypto: The Lazarus Group's Greatest Hits

The UN Panel of Experts investigating North Korea sanctions violations estimated that between 2017 and 2023, the Lazarus Group and affiliated units stole approximately $3 billion in cryptocurrency. The actual figure by 2026 is likely significantly higher.

The major attacks attributed to North Korea:

WannaCry, May 2017: A ransomware attack that infected more than 200,000 computers across 150 countries in 72 hours. The UK's National Health Service was hit so severely that hospitals cancelled operations and redirected ambulances. FedEx, Deutsche Bahn, Telefónica, and dozens of other large organisations were affected. Damage estimates range from hundreds of millions to billions of dollars. The US, UK, and Australia formally attributed WannaCry to North Korea in 2017.

Bangladesh Bank heist, 2016: Lazarus Group operatives used fraudulent SWIFT (the international banking messaging network) messages to instruct the New York Federal Reserve to transfer $951 million from Bangladesh Bank's account. $81 million was successfully transferred to accounts in the Philippines before the fraud was detected. The remaining transfers were blocked. The $81 million was partially laundered through Filipino casinos and largely unrecovered.

Sony Pictures hack, 2014: Lazarus Group (then calling themselves "Guardians of Peace") breached Sony Pictures, leaked unreleased films, published executive emails, and destroyed approximately 3,000 computers. The attack was retaliation for the Seth Rogen film "The Interview," which depicted the assassination of Kim Jong-un. North Korea denied responsibility. The FBI formally attributed the attack to North Korea.

Cryptocurrency exchange hacks, 2018-2024: The Lazarus Group targeted cryptocurrency exchanges across South Korea, Japan, and globally. Specific targets included Bithumb (South Korea, multiple attacks), Coincheck (Japan, $530 million in NEM tokens stolen in 2018 from a connected but separate group with Lazarus links), and dozens of smaller exchanges and DeFi protocols. In 2024, the group was attributed with an attack on Bybit resulting in approximately $1.5 billion in losses — potentially the largest single crypto theft ever recorded.

Ronin Network / Axie Infinity, 2022: $620 million stolen from the Ronin Network bridge that connected the Axie Infinity gaming blockchain to Ethereum. The FBI attributed this to Lazarus Group within weeks.

The USB Drive Underground

Back on the ground in North Korea, a parallel information system operates entirely outside state infrastructure.

USB drives and SD cards loaded with South Korean dramas, foreign films, K-pop music, and outside news circulate through networks of traders and citizens who acquire smuggled content, copy it, and pass it on. The device most commonly used to play this content is called a Notel — a portable media player that accepts USB drives and plays video content on a small screen or through a TV. Notels are not officially approved but are widely tolerated in some regions.

This USB underground is the primary way millions of North Koreans have encountered the outside world — not through the internet, but through physical media passed hand to hand. Getting caught with content depicting South Korean or American life carries serious penalties. Getting caught with outside news is treated as a political crime.

Near the Chinese border, a small number of North Koreans use a different method: smuggled Chinese SIM cards, used in phones that can receive Chinese mobile signals close to the border, to make calls to family members who have defected to South Korea or China. These calls are brief, conducted in improvised code, and require knowing which spot on the hillside has line-of-sight to a Chinese tower. The consequences of being caught range from re-education to imprisonment.

Our Analysis: Technology as Control, Not Tool

Most of the world uses technology to reduce the cost of information. The internet made it cheaper to find, share, and distribute knowledge. Authoritarian governments that use the internet — China, Russia, Iran — generally accept some information flow in exchange for the economic benefits of connectivity, then apply censorship and surveillance to manage the political risks.

North Korea made a different calculation entirely. The Kim regime's stability depends on total information control. Citizens who cannot compare their lives to life elsewhere cannot calibrate their dissatisfaction against an alternative. Citizens who cannot communicate with the outside world cannot organise with or be influenced by it. The absence of the internet is not a failure of development. It is infrastructure for dictatorship.

The cyber theft programme exists within this framework but inverts it. The same information isolation that keeps citizens from questioning the regime enables the state to deploy hackers who operate in the outside world with minimal risk of exposure to the ideas that outside world contains. Hackers are selected, trained, and carefully managed. They have internet access because the regime profits from their skills. Their access is a privilege tied to productivity, not a right.

The $3 billion (and counting) that Lazarus Group has stolen represents approximately one to two years of North Korea's estimated hard currency earnings from all sources combined. Cyber theft is not a supplemental activity. It is a core economic pillar of a sanctioned state running without the internet its criminals exploit so effectively.

Key Takeaways

• 25 million North Koreans have no access to the global internet — Kwangmyong (the domestic intranet) carries state-approved content only: news, encyclopaedias, propaganda, no foreign connection
• Koryolink mobile network has ~6 million subscribers but can only call other Koryolink numbers inside North Korea — no international calls, no internet, no smartphones in the conventional sense
• North Korea has one internet gateway: a single fibre connection through China Unicom; both registered ASes (AS131279, AS17974) route exclusively through China — in 2014, taking this one link offline shut North Korean internet for 11 hours
• Lazarus Group (also APT38, Hidden Cobra) is the state's primary cyber unit under the Reconnaissance General Bureau — hackers are selected, trained, given full internet access, and deployed to generate foreign currency
• $3 billion+ in cryptocurrency stolen by Lazarus Group between 2017-2023 per UN estimates: WannaCry (2017), Bangladesh Bank SWIFT hack ($81M, 2016), Ronin Network ($620M, 2022), Bybit (~$1.5B, 2024) — cyber theft is a core revenue pillar for a sanctions-constrained state
• The USB underground is how most ordinary North Koreans encounter outside information: smuggled drives with South Korean dramas and foreign news, played on "Notel" devices, passed hand to hand — getting caught is a political crime
• Technology as control infrastructure: the internet ban is not a development failure — it is deliberate design for information isolation; North Korea chose to restrict connectivity because the Kim regime's stability requires that citizens cannot compare their lives to alternatives

Sources

• UN Panel of Experts — North Korea sanctions report: $3B crypto theft, 2023
• FBI — WannaCry attribution to North Korea, 2017
• US DoJ — Lazarus Group indictment, 2021
• DW — North Korea's Kwangmyong domestic intranet explained
• 38 North — North Korea's telecommunications infrastructure
• Chainalysis — Crypto crime and North Korea Lazarus Group
• CSIS — North Korea cyber threat overview
• Reuters — Bybit $1.5B hack attributed to Lazarus Group, 2024