Room 39 · Central Committee Bureau 39

Who do you know that has actually dealt with Kim Jong Un’s Room 39 unit in real life on a daily basis?

North Korea’s Slush Fund May Already Be on Your Payroll

FBI and Treasury warn that Room 39–linked operatives are inside U.S. tech, fintech, and defense contractors — fake résumés, stolen identities, and laptop farms turning your remote hiring into a sanctions and breach nightmare.

  • $500M–$1B+ Room 39 revenue / year
  • 14+ FBI wanted DPRK cases
  • 48 hr confidential intake response

No obligation · Mutual NDA available · Fortune 500 & PE-backed firms

Room 39

What Bureau 39 is funding inside Western companies right now

  • Room 39: Regime slush fund (~$500M–$1B/yr) — front companies, overseas IT payroll, crypto theft & insurance fraud
  • Lazarus: IT worker infiltration, crypto payroll fraud, supply-chain trojans
  • Kimsuky: Spearphishing against policy & research staff; credential harvesting
  • Andariel: Ransomware & extortion against healthcare and critical infrastructure
  • Insider: Remote contractors with forged résumés and synthetic work history

Sources: CISA, FBI, U.S. Treasury, Wikipedia

Central Committee Bureau 39

The danger of Room 39 to global commerce

Room 39 is not a historical footnote — it is the regime’s primary engine for generating hard currency outside normal trade. That revenue funds weapons programs and sanctions evasion, and it increasingly reaches private companies through front firms, overseas workers, cyber theft, and insurance fraud.

What is Room 39?

Room 39 (officially the Central Committee Bureau 39 of the Workers’ Party of Korea, also called Bureau 39, Division 39, or Office 39) is a secretive party bureau established in 1972 to maintain a foreign-currency slush fund for the country’s leadership. It sits alongside Office 35 (intelligence) and Office 38 (legal financial activity) in the regime’s so-called “Third Floor” apparatus in Pyongyang.

Public reporting and defector testimony describe Room 39 as the linchpin of North Korea’s “court economy” — a parallel financial system that blends state trading companies, covert networks, and criminal enterprises. At times, Office 39 activity has been estimated at 25–50% of North Korean GDP, with annual inflows commonly cited in the $500 million to $1 billion range or higher.

Sources: Wikipedia — Room 39; Millennium Project / WFUNA (2007); defector accounts cited in World Affairs and The Washington Post

  • $500M–$1B+: Estimated annual revenue (public reporting)
  • ~120: Front companies linked at peak (reported)
  • 50,000+: Overseas workers whose wages feed the system
  • 1972: Year Office 39 was created under Kim Jong Il

How Room 39 reaches your business

Western enterprises rarely interact with Room 39 by name. They encounter it through subsidiaries, staffing vendors, insurers, crypto platforms, and remote engineers whose true employer is a DPRK revenue-generation network.

Front companies & supply chains

Room 39 is believed to control or influence dozens of trading entities — names such as Zokwang Trading, Taesong Bank, and Korea Daesong Bank appear repeatedly in sanctions and investigative reporting. Textiles, seafood, coal, ginseng, and minerals are exported with falsified country-of-origin labels; joint ventures in China, Russia, and Southeast Asia move cash by ship, rail, and shell accounts.

  • KNIC (Korea National Insurance Corp.) ran a global reinsurance fraud scheme; EU sanctions tied it to Office 39
  • London and Hamburg offices held hundreds of millions in assets before freezes
  • Kaesong Koryo Insam Trading Corp. assessed by ROK intelligence as a Room 39 front (2020)

Sources: Wikipedia; The Guardian; Korea JoongAng Daily; EU sanctions listings

Overseas IT workers & payroll fraud

The modern extension of Room 39’s mandate is remote revenue: thousands of DPRK IT workers pose as U.S. or European freelancers, funneling salaries to the regime. FBI and Treasury describe laptop farms, stolen identities, and U.S.-based facilitators who host interviews and receive company hardware on operatives’ behalf.

  • OFAC (2024): networks in Russia, China, and UAE employ DPRK IT workers tied to Office 39 banks
  • Worker earnings seized by the state; quotas doubled in 2025 per industry reporting
  • Outsourced staffing removes employers from direct vetting — a major third-party risk

Sources: U.S. Treasury; FBI cyber alert (2025); DTEX / Mandiant reporting

Cybercrime, crypto & ransomware

Lazarus Group and related units operate as a state-sanctioned crime syndicate: ransomware, exchange hacks, and social-engineering of developers. Stolen cryptocurrency and fraud proceeds are laundered through mixers, OTC desks, and front exchanges — ultimately supporting WMD programs. Analysts estimate cyber may fund a large share of missile development.

  • Wikipedia cites hacking of cryptocurrency platforms among Room 39-linked activity
  • npm supply-chain trojans, fake job interviews, and bridge exploits against fintech
  • Revenue targets create internal competition — teams constantly seek new victim sectors

Sources: Wikipedia; Chainalysis; Centre for Governance Innovation (2025)

Commercial exposure: what enterprises should assume

| Your exposure | Room 39 connection | Potential impact |
|---|---|---|
| Remote engineering or BPO contracts | IT-worker revenue streams documented by FBI and Treasury as funding regime programs | Sanctions violations, source-code theft, ransomware deployment, regulatory enforcement |
| Insurance, reinsurance, or specialty finance partners | KNIC global fraud scheme; Office 39-linked entities in UK and EU | Counterparty default, asset freezes, reputational damage, AML scrutiny |
| Crypto, fintech, or treasury operations | Lazarus / APT38 thefts; mixer laundering of DPRK-linked wallets | Direct asset loss, SEC/FinCEN disclosure, customer litigation |
| Manufacturing, apparel, or commodities sourcing | Mislabeled exports; front traders (Zokwang, Daeheung, Kumgang Group) | Customs seizures, forced-labor findings, supply-chain sanctions liability |
| Hospitality, restaurants, or overseas DPRK ventures | Pyongyang restaurant chain and hotel earnings managed by Office 39 per reporting | Indirect patronage of sanctioned revenue; franchise and JV due-diligence failures |
| Defense, research, or policy organizations | Office 35 intelligence overlaps; Kimsuky / Andariel targeting cleared networks | Espionage, export-control breaches, classified spillage via compromised contractors |

Illicit activity attributed to Room 39 in open sources includes counterfeiting, narcotics production and trafficking, bogus pharmaceuticals, international insurance fraud, sanctions evasion, and cyber-enabled theft. Enterprises that discover exposure should preserve evidence, notify counsel, and coordinate with FBI Cyber or local financial-crimes units — not attempt to “manage around” sanctions informally.

Further reading: Wikipedia — Room 39 · FBI — DPRK IT worker alert · U.S. Treasury — Office 39 sanctions · Washington Post — KNIC insurance fraud

Threat landscape

What DPRK-aligned actors are doing inside Western enterprises

North Korean state-sponsored activity is not limited to government targets. Public advisories document sustained campaigns against private payroll, fintech, defense industrial base (DIB) subcontractors, and technology companies. dprk.guru translates that intelligence into board-ready risk narratives and operational controls.

Remote IT worker infiltration

Since roughly 2022, DPRK operatives have obtained remote roles at U.S. and European companies using stolen or synthetic identities, U.S.-based laptop farms, and VPN masking. Income is laundered to fund weapons programs. Victims include software firms, crypto exchanges, and media companies.

  • Duplicate GitHub / LinkedIn personas with AI-generated headshots
  • Third-party "facilitators" who host interviews and ship hardware
  • Payroll directed to mule accounts or crypto wallets

Sources: FBI PSA (May 2024), CISA alert AA24-190A

Cryptocurrency & fintech theft

Lazarus Group (APT38) remains among the most prolific cryptocurrency thieves globally. Tactics include social-engineered npm package compromises, fake job interviews delivering malware, and bridge / DeFi protocol exploits yielding nine-figure losses.

  • Social engineering of wallet keys and signing ceremonies
  • Supply-chain attacks on JavaScript build pipelines
  • Cross-chain laundering through mixers and OTC brokers

Sources: UN Panel of Experts reports; Chainalysis, Elliptic analyses

Defense & aerospace supply chain

Kimsuky and related clusters target cleared contractors, think tanks, and university research with credential theft and long-dwell espionage. Andariel has pivoted to ransomware against hospitals and manufacturing — blurring lines between espionage and criminal revenue generation.

  • Malicious HWP / PDF lures themed on Korea policy
  • Living-off-the-land after initial OAuth / session theft
  • Subcontractor email compromise enabling downstream access

Sources: MITRE ATT&CK G0094, G0082; CISA Kimsuky advisory

Case study

Samsung North America & Room 39 threat economics

A defensive research paper modeling how Samsung Electronics America, Austin Semiconductor, and affiliated NA entities can reduce probability-weighted loss from DPRK Bureau 39-linked infiltration, sanctions exposure, and semiconductor IP theft — with advisory spend that pays back 20:1 or more.

$8.4M–$47M: Annualized exposure (modeled)
20:1–110:1: ROI on defensive advisory
$1.2M–$2.8M: Duplicate vendor-screening savings
  • Semiconductor tail risk: SAS Austin and Taylor fabs match ransomware and insider profiles cited in CISA Andariel reporting; single trade-secret events carry nine-figure damages precedents in U.S. litigation.
  • Remote workforce fraud: FBI May 2024 guidance on DPRK IT workers maps directly to large NA engineering and SDS America contractor pools using hybrid hiring.
  • Sanctions & OFAC: Treasury 2024 actions on Office 39-linked payroll networks raise civil penalty exposure for staffing vendors that lack unified screening.
  • Supply chain & payments: Lazarus npm and crypto tradecraft affects Samsung Pay, Knox, and mobile services build pipelines — not just trading desks.

12-page defensive advisory · June 2026 · Public-source methodology · Request a Samsung-tailored brief

Contact Us

Get your confidential Room 39 threat brief

If you hire remote engineers, use offshore vendors, or hold crypto treasury — you may already be in Bureau 39’s crosshairs. Tell us your sector and headcount; we respond within two business days.

  • Engagements typically start at $45,000 for assessments; briefings from $12,000
  • U.S. and allied-nation enterprises only
  • Mutual NDA available on request before detailed disclosure

Or email directly: engage@dprk.guru