North Korean hacker's Google search history exposed as sleuths infiltrate top-secret documents

Hackers expose North Korean hacking group's secrets.

Two vigilante hackers have successfully infiltrated a North Korean state-sponsored hacking group and leaked their classified data online.

The breach targeted the notorious Kimsuky group and was detailed in the latest issue of cybersecurity magazine Phrack.

Carried out by hackers identifying themselves as Saber and cyb0rg, the hack includes the personal Google search history of a North Korean operative.

The 9GB data dump also included passwords, stolen data and hacking tools.

“This article is an invitation for threat hunters, reverse engineers and hackers,” the hackers wrote.

“You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda."

Revealing their motivations for targeting Kimsuky, the hackers added: “You steal from others and favour your own. You value yourself above the others: you are morally perverted.”

The 8.9GB trove was released publicly during DEF CON 33 in Las Vegas and is reportedly available for free download on the Distributed Denial of Secrets (DDoSecrets) website.

Analysts believe the leaked documents appear genuine and fit with what you'd expect from real spy operations. While some items were previously known, the new data connects multiple tools and campaigns, providing unprecedented insight into Kimsuky's infrastructure and methods.

The stolen files reveal the tactics and techniques used by Kimsuky, including logs that appear to document attacks on South Korea's military intelligence security agency and Ministry of Foreign Affairs.

According to a report, the Kimsuky hacking group operates like a regular office job, 'always connecting at around 9:00 and disconnecting by 17:00 Pyongyang time.'

Phrack #72 release reveals TTPs, backdoors and targets of a Chinese/North Korean state actor mimicking Kimsuky

A copy of his workstation data was done and is now available for all researchers to analyse!

Article: https://t.co/iCI70eUbuQ
Data dump: https://t.co/vDRLKk8DKD

— Saber (@saber__rt) August 9, 2025

The Kimsuky group has been active since at least 2012 and has conducted numerous attacks on institutions and government agencies worldwide. However, recent analysis shows they've changed focus.

A cybersecurity firm ESET report noted that Kimsuky has shifted away from targeting US and European institutions to concentrate on South Korea.

“In our previous APT Activity Report we noted that Kimsuky was actively targeting, under the guise of interview requests, English-speaking think tanks, NGOs, and North Korea experts,” the report stated.

“These types of campaigns have decreased. Over the past six months, the majority of campaigns attributed to Kimsuky has been targeting South Korean individuals and companies, as well as embassies and diplomatic personnel located in South Korea.”

While most Kimsuky operations involve traditional espionage and data theft, the group has also been linked to cryptocurrency heists.

The stolen digital currency is reportedly used to help pay for North Korea's nuclear weapons program, which makes these hacking attacks a serious threat to global security.