Rare Breach Exposes North Korean Cyber Operative’s Workstation
August 12, 2025
Two hackers, operating under the aliases Saber and cyb0rg, say they have compromised the computer of a North Korean state-backed hacker — a breach that offers an unusually direct look into one of the country’s covert cyber units.
The intrusion, described in the latest edition of Phrack magazine and unveiled at last week’s Def Con conference in Las Vegas, reportedly targeted a machine belonging to a hacker identified only as “Kim.” The data, according to the pair, was tied to Kimsuky — a cyber-espionage group also known as APT43 and Thallium — and has been released through the leak archive DDoSecrets.
Kimsuky has long been accused of spying on journalists, breaching government agencies in South Korea and beyond, and stealing cryptocurrency to fund Pyongyang’s nuclear program. Unlike typical investigations, which depend on post-incident analysis, this breach allegedly came from direct access to a Kimsuky member’s own systems.
Saber and cyb0rg claim the files reveal cooperation between Kimsuky and Chinese state-affiliated hackers, along with stolen credentials, internal manuals, hacking tools, and evidence of compromises in South Korean government networks. They also said “Kim” maintained strict office hours, logging in around 9 a.m. and out at 5 p.m. local Pyongyang time.
In their statement, the hackers accused Kimsuky of working solely for political and financial gain:
“You steal from others and favour your own. You value yourself above the others: You are morally perverted.”
Emails sent to the contacts listed in the leaked materials have gone unanswered.