Earlier this year, an unexpected breach occurred when two hackers infiltrated a computer, unveiling its crucial role in the world of cybercrime. They discovered it belonged to an individual allegedly affiliated with the North Korean government.
Determined to uncover the truth, these hackers delved deeper, uncovering connections between the individual and extensive cyber espionage activities attributed to North Korea, including various exploits, hacking tools, and operational infrastructure.
Saber, one of the hackers involved, shared with TechCrunch that they had maintained access to the North Korean operative’s computer for approximately four months. Upon realizing the sensitive nature of the data they had uncovered, they felt compelled to leak it, aiming to reveal the hidden workings of these operations.
“Nation-state hackers are engaging in unethical practices. I hope more of them are brought to light; they deserve it,” Saber declared, following a joint article publication with cyb0rg in the esteemed hacking e-zine Phrack, shedding light on their findings.
Numerous cybersecurity firms and researchers keep a vigilant eye on the activities of the North Korean government and its various hacking factions, which conduct espionage, increasingly audacious cryptocurrency thefts, and schemes in which North Korean agents pose as remote IT professionals, all to finance the regime’s nuclear ambitions.
In a bold move, Saber and cyb0rg went beyond typical hacking practices, successfully breaching the hackers themselves. This operation provided them with unique insights into the modus operandi of government-backed cybercriminals, shedding light on their day-to-day activities.
Using their handles, Saber and cyb0rg wish to remain anonymous due to potential backlash from the North Korean regime and other entities. Saber identifies as a hacktivist and cites the infamous Phineas Fisher, known for targeting spyware companies FinFisher and Hacking Team, as a significant influence.
While they recognize the illegal nature of their actions, Saber and cyb0rg believe that publicizing this information is crucial.
“Keeping it to ourselves wouldn’t have been beneficial,” Saber remarked. “By making it public, we hope to provide researchers with additional tools to identify these threats.”
“This may lead to the discovery of many victims and restrict access for North Korean hackers,” he added.
“Illegal or not, this action has produced tangible artifacts for the community; that’s what truly matters,” cyb0rg conveyed in a message relayed through Saber.
Saber speculated that the hacker, referred to as ‘Kim’, may actually be Chinese, suggesting a dual allegiance based on their findings that Kim did not take time off during Chinese holidays, indicating a possible base in China. Additionally, Kim translated some Korean documents into simplified Chinese via Google Translate.
Saber chose not to reach out to Kim directly, stating, “I doubt he would respond; his loyalty lies with empowering leaders who oppress their own citizens. I would advise him to use his skills for good, but he’s likely trapped in a lifetime of propaganda.” This reflects the severe information isolation faced by North Koreans, limiting their exposure to the outside world.
Saber refrained from disclosing how they accessed Kim’s computer, believing they can replicate these techniques to infiltrate additional systems.
Throughout their investigation, Saber and cyb0rg uncovered evidence of ongoing cyberattacks conducted by Kim against South Korean and Taiwanese entities, whom they promptly notified.
Historically, North Korean hackers have targeted individuals in the cybersecurity sector. Saber is cognizant of the risks involved but feels “not overly concerned.”
“There’s little that can be done about it, but I’ll definitely be more cautious,” Saber concluded with a smile.