August 14, 2025

Hackers expose North Korea’s secret cyber espionage group

A rare cyberattack has exposed the secretive operations of North Korea’s espionage group, Kimsuky, after hackers infiltrated a member’s computer. This breach offers a unique glimpse into the digital spying tactics of the reclusive regime.

The hackers, known as Saber and cyb0rg, revealed their findings in the 72nd issue of the underground magazine Phrack, released during the DEF CON 33 conference in Las Vegas in August 2025. They compromised a workstation and virtual private server connected to a North Korean hacker called “Kim,” linked to Kimsuky.

Kimsuky, also known as APT43 and Thallium, is a state-backed cyber espionage group targeting South Korean government bodies, journalists, and other intelligence-related entities. Beyond spying, the group engages in cybercrime like cryptocurrency theft and laundering, funneling funds to support North Korea’s nuclear weapons programme.

The leaked 8.9 gigabytes of data include hacking tools, stolen information, email addresses, operational logs, and even the source code for South Korea’s Ministry of Foreign Affairs email platform. This direct compromise of a group member, rather than post-breach analysis, provides unprecedented insight into their methods. The hackers highlighted how Kimsuky “cooperates openly with Chinese government hackers, sharing tools and techniques.”

“Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfil their political agenda. You steal from others and favour your own. You value yourself above others: You are morally perverted. You hack for all the wrong reasons,” Saber and cyb0rg stated.

The breach also revealed that Kim kept “strict office hours,” connecting around 09:00 and disconnecting by 17:00 Pyongyang time, reflecting the disciplined nature of state-sponsored hacking.

While the hackers’ actions are illegal, their intent seems to be exposing and shaming Kimsuky’s operatives. Given extensive sanctions on North Korea, prosecution appears unlikely.

This exposure is critical for cybersecurity, offering detailed intelligence to help defend against North Korean hacking strategies. Kimsuky’s operations blend intelligence gathering, disruption, and large-scale illicit revenue generation, with cryptocurrency theft estimated to bring in nearly $1 billion annually.
