“What we see is internet use by the very privileged, the 0.1%, the North Korean military leadership and their families, who are actually given access to the internet,” says Priscilla Moriuchi, an analyst with Recorded Future who focused on China and North Korea during 13 years at the National Security Agency. “We wouldn’t be able to do this type of analysis if they didn’t have such restrictive parameters around the internet.”

Recorded Future, an intelligence firm launched in 2009 with the backing of Google and In-Q-Tel, the CIA’s venture capital arm, has grown to 650 customers and 475 employees and has just signed a $50 million threat intelligence deal with the US Cyber Command.

Moriuchi joined the firm three years ago. Formerly in a leadership position at NSA’s headquarters in Fort Meade, Maryland, she is now the head of the firm’s nation-state research and the chief strategist for Insikt Group, the team of intelligence analysts that recently finished the unprecedented study of North Korean internet use over the last three years. The analysis found that this use has risen 300%.

In addition to mining and using cryptocurrency to skirt sanctions and fund the regime, North Korea also makes money by hacking cryptocurrency exchanges. For a country that faces unique and even existential challenges, there is no real distinction between criminal hacking and government-backed espionage.

“North Korea is the most bizarre and fascinating country,” says Moriuchi. “The scope of operations is so far outside what other states do. What they do is just so risky, but they literally have nothing to lose, right?”

By effectively sorting through and understanding the mass of network traffic the firm buys from third-party sources to watch much of what happens inside the ultra-secretive dictatorship, Moriuchi’s team put together a vast picture of how the Kim regime is operating online.

There are only three primary ways North Korea connects to the global internet: first, through the allocated .kp IP range; second, through a connection to neighboring China’s telecommunications giant Unicom; and finally, through an increasingly important connection via a Russian satellite company that ultimately resolves to SatGate in Lebanon.

But a number of North Koreans live and hack abroad in countries like China. This gives them better access to the internet as they take the opportunity to blend in, while affording plausible deniability for the regime.

“They’re outside usual boundaries technologically and geographically,” Moriuchi says. “First and foremost, North Korea sends a lot of their cyber operators overseas, which is insane if you’ve ever been an operator. It sounds like a given at this point, but these are super highly trained people that the regime has invested lots of money, time, and trust in. The US would not do that. We would not send our best operators to some random country to hack from that country.”

Internet-based revenue comes from three main sources, the report details: hacking-enabled bank theft, hacking and mining of cryptocurrencies, and financial cybercrime. The United Nations estimates that North Korean operators have stolen over $2 billion over the last four years, a relatively enormous percentage of the country’s estimated $28 billion gross domestic product.

“The revenue generation is state directed and state mandated,” Moriuchi says. “These people have to earn a specific amount of money per year in order to support themselves and stay overseas, and so their families aren’t endangered at home. It’s a criminal state up-and-down exploiting the openness of the internet to earn money. It is absolutely insane.”