CSIS describes how North Korea uses third countries including China, Russia and Southeast Asian states to support cyber operations, cryptocurrency theft, sanctions evasion and intelligence collection. The report says DPRK operators route activity through foreign networks and infrastructure, with examples including Chinese hubs near the border, Russian IP ranges, and compromised systems in Cambodia, Thailand and Indonesia used for footholds or staging. It highlights Southeast Asian laundering channels, including casinos, crypto exchanges and Huione-linked services, and cites FinCEN reporting that about $37.6 million in North Korea-linked cryptocurrency was laundered through Huione between 2021 and 2025. The report also covers DPRK IT workers using false identities, VPNs and remote management tools to obtain foreign work, and notes major theft cases such as Bangladesh Bank and Ronin Network as part of the broader third-country playbook.