North Korean hacking group Kimsuky hit by data breach, internal tools and stolen data leaked

North Korean state-backed hacking group Kimsuky has reportedly been compromised in a rare counterattack by two hackers who say they acted on ethical grounds.


The hackers, identified as “Saber” and “cyb0rg,” claimed responsibility for stealing and publicly releasing 8.9 gigabytes of the group’s internal data. In a statement published in the latest issue of the underground hacking magazine Phrack, distributed at the DEF CON 33 conference, the pair accused Kimsuky of serving political agendas and financial interests for the regime in Pyongyang rather than engaging in independent hacking.


“Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda,” the hackers wrote. “You steal from others and favor your own. You value yourself above the others: You are morally perverted.”


The leaked files, now hosted on the Distributed Denial of Secrets website, contain phishing logs tied to multiple South Korean Defense Counterintelligence Command email accounts and other targeted domains, including spo.go.kr, korea.kr, daum.net, kakao.com, and naver.com. Also included is a compressed archive containing the full source code for South Korea’s Ministry of Foreign Affairs “Kebi” email platform, along with administrator and archive modules.


Other materials in the dump detail curated lists of South Korean university professors, phishing toolkits, live phishing kits, unknown binary files, Cobalt Strike loaders, reverse shells, and proxy modules. Chrome history records point to suspicious GitHub accounts, VPN purchases via Google Pay, and visits to Taiwanese government and military sites. Bash history logs reveal SSH connections to internal systems, and cached files expose malware components.


While security researchers have previously documented parts of Kimsuky’s operations, the hackers’ leak interlinks tools, infrastructure, and campaigns in a way that could provide new intelligence on the group’s activities. The exposure is expected to cause at least short-term operational disruption, though analysts say it is unlikely to dismantle the group entirely.


Kimsuky, also known as Thallium or Velvet Chollima, has been active since at least 2012, primarily targeting South Korean government agencies, think tanks, and defense contractors, as well as entities in the United States, Europe, and Asia.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543