
Cyber Peacebuilding and the Disruption of the Blockchain Ecosystem

Executive Summary 

North Korea has become one of the most persistent state-linked disruptors of the global blockchain ecosystem. Through coordinated cyber operations, including large-scale cryptocurrency theft, exploitation of decentralised finance protocols, laundering through anonymisation services, and the infiltration of Western technology companies (Franceschi-Bicchierai, 2025; Nichols, 2024), actors linked to the Democratic People’s Republic of Korea (DPRK) generate substantial illicit revenue that finances weapons programmes, circumvents international sanctions, and undermines trust in digital financial systems.

This brief argues that existing policy responses, largely centred on technical cybersecurity measures or financial compliance, are insufficient to address the structural and human dimensions of this threat (Bae, 2025). It proposes Cyber Peacebuilding as a comprehensive framework that integrates technical resilience, inclusive governance, human security, and accountability while preserving the decentralised and privacy-preserving nature of blockchain technologies. In this case, inclusive governance refers to multistakeholder decision-making involving governments, industry, developers, civil society, and users. By addressing systemic vulnerabilities rather than targeting individual users, Cyber Peacebuilding offers a sustainable path to counter hybrid cyber threats without compromising innovation or digital rights (Daniele et al., 2025). 

Strategic Cyber Infiltration and the Systemic Vulnerabilities of Blockchain Ecosystems

The DPRK has strategically embedded cyber operations into its national security and economic survival strategy (U.S. Department of the Treasury, 2023). Blockchain ecosystems have become a primary target due to their rapid growth, fragmented governance, uneven security standards, and global reach. DPRK-linked cyber units have repeatedly targeted decentralised finance platforms, cross-chain bridges, and cryptocurrency exchanges, exploiting weaknesses in smart contracts, governance mechanisms, and operational security (Bae, 2025).

Beyond direct technical exploitation, North Korean actors increasingly rely on infiltrating Western technology and crypto companies (U.S. Department of the Treasury, 2023). By posing as remote developers or IT contractors using falsified identities, these actors gain privileged access to internal systems, source code repositories, and administrative tools (U.S. Department of the Treasury, 2023). This access enables long-term compromise of blockchain infrastructure, manipulation of software supply chains, and theft of sensitive cryptographic assets. The resulting harm extends across borders, affecting individual users, small development teams, financial platforms, and broader digital markets (U.S. Department of Justice, 2025). The problem is therefore not confined to cybercrime or financial fraud, and current governance frameworks are ill-equipped to address this convergence.

Why it matters 

The urgency of this issue is driven by several accelerating structural trends. Decentralised finance refers to financial services built on blockchain-based infrastructures that enable users to transfer, lend, and trade digital assets through automated protocols and smart contracts without relying on traditional financial intermediaries such as banks. As these decentralised financial systems and cross-chain technologies (for example, tools that enable assets and data to move between different blockchain networks) continue to expand, they are evolving faster than governance and security frameworks can adapt (Lederer, 2023). At the same time, the global technology sector has become increasingly reliant on remote and outsourced labour, creating new vulnerabilities to identity fraud and insider threats. North Korea has demonstrated both the capability and intent to exploit these structural conditions (CybersecAsia editors, 2025).

Failure to address these dynamics risks entrenching a global digital environment in which decentralised financial infrastructures become a reliable revenue stream for sanctioned states. The longer such practices persist, the more normalised and difficult to reverse they become. Repeated high-profile breaches also erode public confidence in blockchain innovation, reinforce misinformation narratives surrounding digital finance, and disproportionately affect vulnerable users, including retail investors, underbanked populations, and individuals in economically fragile contexts (Yan et al., 2022). Addressing these vulnerabilities is therefore critical not only for international security and sanctions enforcement, but also for maintaining trust in emerging decentralised financial technologies.

Policy Options

One option is to maintain the status quo, relying on fragmented cybersecurity responses, voluntary auditing practices, and existing financial compliance mechanisms (Bae, 2025). While this approach preserves decentralisation and innovation in the short term, it has consistently failed to prevent large-scale exploitation and offers limited deterrence against state-backed actors.

A second option involves imposing heavy regulatory and surveillance-based controls on blockchain systems, including stringent identity requirements and transaction monitoring (Halaburda, 2025). While such measures may disrupt certain illicit financial flows, they risk undermining decentralisation, eroding privacy, and excluding legitimate users. This approach may also drive activity into less transparent or unregulated spaces, reducing overall effectiveness (Halaburda, 2025).

A third option is to adopt a Cyber Peacebuilding framework. This approach focuses on strengthening systemic resilience, improving governance coordination, and introducing accountability at the infrastructure and institutional level rather than at the level of individual users. Cyber Peacebuilding seeks to preserve the decentralised and privacy-preserving character of blockchain technologies while addressing the structural vulnerabilities exploited by hybrid threats (Daniele et al., 2025). 

Recommended option and implementation plan 

This brief recommends adopting Cyber Peacebuilding as the preferred policy approach. Cyber Peacebuilding is uniquely suited to address the cross-domain nature of North Korea’s blockchain operations by integrating cybersecurity, financial integrity, human security, and international cooperation into a single framework (Daniele et al., 2025). Unlike surveillance-heavy models, it protects user anonymity while reinforcing accountability for developers, platforms, and critical infrastructure.

Implementation should begin with integrating blockchain and decentralised finance into national and regional Cyber Peacebuilding strategies, particularly within EU and UN policy frameworks. Multistakeholder coordination mechanisms should be established to facilitate information sharing among National Computer Emergency Response Teams (CERTs), financial intelligence units, blockchain developers, exchanges, civil society organisations, and investigative journalists. Secure-by-design standards and independent audits should be promoted for high-risk protocols, particularly cross-chain bridges and liquidity pools. Cross-chain bridges let people move their crypto from one blockchain to another, while liquidity pools are shared pots of crypto that enable automated trading without a direct buyer or seller.

Developer identity verification and software supply chain integrity must be strengthened to reduce the risk of infiltration, while remaining proportionate and privacy-preserving (Okta, 2025). Regulatory attention should focus on the operational transparency of high-risk infrastructure such as mixers and bridges, rather than on deanonymising users. Parallel investments should be made in digital financial literacy and community resilience programmes to reduce human vulnerability to fraud and disinformation (Daniele et al., 2025).

Implementation should follow a phased timeline, beginning with coordination and pilot initiatives in the short term, expanding into standardisation and capacity-building over the medium term, and culminating in institutionalised governance mechanisms over the long term. Costs are expected to be moderate and shared across public institutions and private actors, with substantial long-term savings through reduced breach-related losses and systemic instability (Government blockchain policy, n.d.).

Risks and Mitigation 

One risk is that Cyber Peacebuilding measures may be perceived as regulatory overreach by industry actors or decentralisation advocates. This risk can be mitigated through inclusive design processes that engage policymakers, developers, industry, civil society, and user communities in the early stages of policy or technological standard design to ensure solutions are effective, transparent, and widely accepted. Another risk lies in fragmented international cooperation, which could weaken implementation (Ensure Europe, 2025). Leveraging existing EU and UN coordination structures, such as the EU’s Joint Cyber Unit and EU-CyCLONe, as well as UN processes, including the UN Open-Ended Working Group on ICT Security and the Internet Governance Forum, can reduce this risk by embedding Cyber Peacebuilding within established diplomatic and technical frameworks (Tagarev & Sharkov, 2016).

Expected Impact and Evaluation

If implemented effectively, a Cyber Peacebuilding approach is expected to significantly reduce the operational space available to DPRK-linked cyber actors. Blockchain infrastructure would become more resilient to infiltration and exploitation, while users would benefit from greater protection and trust in decentralised financial systems. Importantly, the approach would reinforce the legitimacy of blockchain technologies by demonstrating that decentralisation and security are not mutually exclusive.

Evaluation should focus on measurable reductions in large-scale exploits, improved speed and coordination of cross-border incident responses, increased adoption of secure development standards, and enhanced public awareness of digital financial risks. Continuous monitoring and independent assessment will be essential to ensure accountability and adaptability over time.

Reference list 


Photo by Andrea De Santis on Unsplash.
