Hack of North Korean Spy’s Computer Exposes 8.9 GB of Espionage Operations

A North Korean spy’s computer was hacked, leaking phishing logs, stolen South Korean government email platform source code, and links to Chinese hackers.

Written by Liz Ticong
Aug 13, 2025

Hackers have infiltrated the computer of a North Korean government spy, stealing and leaking 8.9 GB of secret files, including emails, passwords, and documents exposing links to Chinese hackers. The unprecedented breach lays bare sensitive details of North Korea’s cyber operations.

The hackers, known as Saber and cyb0rg, detailed the break-in in the latest issue of Phrack magazine, distributed at the DEF CON conference in Las Vegas. Their report outlines the theft of data from a member of Kimsuky, a state-sponsored espionage group, revealing stolen tools, internal manuals, and classified information.

A state spy exposed

The target was no ordinary spy, but a working operative inside Kimsuky, a North Korean advanced persistent threat (APT) unit. The hackers called him “Kim.” On his computer, Saber and cyb0rg say they found the instruments of state espionage: malicious software, network infiltration tools, and code designed to pierce secure systems.

Mixed among the digital weaponry were traces of the man behind the screen, from browsing histories to files transferred between his Windows and Linux machines. He regularly visited popular hacking forums, followed open-source coding projects, and paid for multiple VPN services to mask his online activity. Records also showed he had remotely logged into other computers on his network.

Even his careful operational security could not keep the trove from being revealed in Phrack.

South Korea targeted

The files taken from Kim’s computer contained logs of active phishing campaigns against South Korea’s Defense Counterintelligence Command and other government agencies. Some of the attacks had taken place just three days before the breach.

The logs listed targeted email addresses, server details, and tools used to trick victims into handing over credentials. According to the hackers, the campaigns redirected targets through convincing fake websites before bouncing them to real government portals, making the theft harder to detect.

Also among the recovered data was the complete source code for Kebi, the South Korean Ministry of Foreign Affairs’ official email platform. The archive included every major component of the system, from the core code to its web, mobile, and administrative interfaces.

Timestamps suggest the material was taken very recently. As a critical channel for South Korea’s diplomatic communications, Kebi’s exposure could compromise sensitive government correspondence and internal operations.

Was China in on it?

Clues buried in the breached data point east. The operative’s browsing history included Chinese-language hacking sites and forums, along with visits to Taiwanese government and military pages viewed through online translation tools. He also used Google Translate to turn technical error messages into Chinese.

The patterns raise the possibility of operational overlap between Chinese and North Korean hackers. But without independent confirmation, it remains unclear whether this shows active cooperation, shared resources, or simply one operative drawing on widely available Chinese-language tools.

While any role by Chinese counterparts remains uncertain, Pyongyang’s hackers have been far from idle. Recent months have brought campaigns ranging from cryptocurrency theft attempts to custom malware aimed at high-value tech targets.
