Plausible Denial
Flag of North Korea (DPRK) Country

North Korea (DPRK)

An intelligence apparatus consolidated around the Reconnaissance General Bureau (RGB) and the Ministry of State Security, with the RGB widely identified by Western governments as responsible for sustained cyber operations and overseas direct-action.

The Democratic People's Republic of Korea's intelligence apparatus is structured around two principal services. The Reconnaissance General Bureau (RGB, Chŏngch'al Ch'ongguk), established in 2009 by consolidation of multiple predecessor agencies, is the principal foreign intelligence and special-operations service, reporting through the Korean People's Army General Staff to the Supreme Leader. The Ministry of State Security (MSS, Kuk-ka Anjŏn Powibu), reorganised in successive periods, is the principal domestic security service, responsible for counter-intelligence, the political-prison-camp system (kwan-li-so), and the surveillance of North Korean citizens at home and abroad.

The DPRK's intelligence services have been the subject of substantial Western government attribution for sustained cyber operations — including the 2014 Sony Pictures intrusion, the 2016 Bangladesh Bank Heist, the 2017 WannaCry ransomware attack, and successive cryptocurrency-targeting operations attributed to RGB-affiliated units (most prominently the Lazarus Group / Advanced Persistent Threat 38) — and for overseas direct-action operations including the 2017 killing of Kim Jong-nam at Kuala Lumpur International Airport. The DPRK Government has consistently denied state attribution of these operations. The pattern of operations has been the subject of successive UN Panel of Experts reports under sanctions monitoring.

Agencies
Video readout available

Reconnaissance General Bureau

RGB

The Democratic People's Republic of Korea's principal foreign intelligence and special-operations service, established in 2009 by consolidation of multiple predecessor agencies and the principal organization to which Western governments attribute substantial DPRK cyber operations.

How to read a country page

This is the institutional landscape of North Korea (DPRK)'s intelligence apparatus as it is documented in the public record. Each card above links through to a full agency profile — the service's founding date, statutory basis, jurisdiction, parent ministry, headquarters, official channels, and a structured account of role, history, and notable operations footnoted to primary sources. The agencies on this page may overlap institutionally (a foreign-intelligence service and a signals-intelligence service often share missions and personnel) and may operate against one another in counter-intelligence terms; the country page does not impose a hierarchy among them, only an inventory.

If a particular operation or scandal is what you are looking for rather than the institutional background, see the Dossiers — long-form pieces that cross agencies and countries. The methodology page documents how operations are categorised as confirmed, alleged, or disputed, and what the public record can and cannot tell us. The Lexicon defines the terms that recur across these pages — HUMINT, SIGINT, covert action, plausible deniability, station, asset, finding.

Coverage here grows as new declassifications expand what can responsibly be said about services that remain partly closed. Some agencies have full reference entries; others are stub entries pending the full treatment. Stubs are kept on the index so navigation between related services is preserved while the detailed text is written.