Earlier this year, two hackers broke into a computer and soon realized the significance of what this machine was. As it turned out, they had landed on the computer of a hacker who allegedly works for the North Korean government.
The two hackers decided to keep digging and found evidence that they say linked the hacker to cyberespionage operations carried out by North Korea, as well as exploits, hacking tools, and infrastructure used in those operations.
Saber, one of the hackers involved, told TechCrunch that they had access to the North Korean government worker’s computer for around four months, but as soon as they understood what data they got access to, they realized they eventually had to leak it and expose what they had discovered.
“These nation state hackers are hacking for all the wrong reasons, I hope more of them will get exposed, they deserve to be,” said Saber, who spoke to TechCrunch after he and cyb0rg published an article in the legendary hacking e-zine Phrack, disclosing details of their findings.
There are countless cybersecurity companies and researchers who closely track anything the North Korean government and its many hacking groups are up to, which includes espionage operations but also increasingly large crypto heists, as well as wide-ranging operations where North Koreans pose as remote IT workers to fund the regime’s nuclear weapons program.
In this case, Saber and cyb0rg went one step further and actually hacked the hackers, an operation that can give more, or at least different, insights into how these government-backed groups work, as well as “what they are doing on a daily basis and so on,” as Saber put it.
The hackers want to be known only by their handles, Saber and cyb0rg, because they may face retaliation from the North Korean government, and possibly others. Saber said that they consider themselves hacktivists, and he namedropped legendary hacktivist Phineas Fisher, responsible for hacking spyware makers FinFisher and Hacking Team, as an inspiration.
At the same time, the hackers also understand that what they did is illegal, but they thought it was nonetheless important to publicize it.
“Keeping it for us wouldn’t have been really helpful,” said Saber. “By leaking it all to the public hopefully we can give researchers some more ways to detect them.”
“Hopefully this will also lead to many of their current victims being discovered and so to [the North Korean hackers] losing access,” he said.
“Illegal or not, this action has brought concrete artifacts to the community, this is more important,” said cyb0rg, in a message sent through Saber.
Saber said they are convinced that while the hacker — whom they call “Kim” — works for North Korea’s regime, they may actually be Chinese and work for both governments, based on their findings that Kim did not work during holidays in China, suggesting that the hacker may be based there.
Also, according to Saber, at times Kim translated some Korean documents into simplified Chinese using Google Translate.
Saber said that he never tried to contact Kim. “I don’t think he would even listen, all he does is empower his leaders, the same leaders who enslave his own people,” he said. “I’d probably tell him to use his knowledge in a way that helps people, not hurt them. But he lives in constant propaganda and likely since birth so this is all meaningless to him,” referring to the strict information vacuum that North Koreans live in, as they are largely cut off from the outside world.
Saber declined to disclose how he and cyb0rg got access to Kim’s computer, given that the two believe they can use the same techniques to “obtain more access to some other of their systems the same way.”
During their operation, Saber and cyb0rg found evidence of active hacks carried out by Kim, against South Korean and Taiwanese companies, which they say they contacted and alerted.
North Korean hackers have a history of targeting people who work in the cybersecurity industry as well. That’s why Saber said he is aware of that risk, but “not really worried.”
“Not much can be done about this, definitely being more careful though :),” said Saber.