Kimsuky is a North Korean state-sponsored Advanced Persistent Threat (APT) group that conducts cyber operations for political and financial purposes.

Who breached Kimsuky and why?

The hackers cited ethical motivations for their actions, directly challenging Kimsuky's state-sponsored activities. They published a manifesto in Phrack Magazine #72 at DEF CON 33, stating that Kimsuky was 'hacking for all the wrong reasons' and was driven by political agendas rather than practicing independent hacking artistry.

Where was the leaked Kimsuky data published?

The leaked information was hosted on the Distributed Denial of Secrets (DDoSecrets) platform, with the hackers' manifesto published in Phrack Magazine #72 and distributed at the DEF CON 33 conference in Las Vegas.

What sensitive data was included in the Kimsuky leak?

The leak contained phishing logs targeting South Korean Defense Counterintelligence Command, attack logs against South Korean government domains, complete source code for South Korea's Ministry of Foreign Affairs email platform, PHP phishing toolkits, Cobalt Strike loaders, PowerShell reverse shells, Android Toybox variants, Ivanti RootRot exploit backdoor code, browser history with nearly 20,000 entries, and various operational manuals and credentials.

What targets were identified in the leaked Kimsuky data?

The leaked data revealed targeting of South Korean Defense Counterintelligence Command email accounts, multiple South Korean government domains including spo.go.kr, korea.kr, daum.net, kakao.com, and naver.com, as well as references to South Korean citizen certificates and curated lists of university professors.

Incident

North Korean hacker group Kimsuky allegedly breached, data leaked

Q: Are there questions about the compromised operator's true identity?

Yes, cybersecurity experts have raised questions about whether the compromised operator may actually be Chinese instead of North Korean. Evidence includes reconnaissance activities against Taiwanese targets, frequent visits to Chinese hacking forums, and use of Google Translate for converting error messages to Chinese, suggesting the individual may represent a Chinese APT group mimicking Kimsuky's tactics.

Q: What impact will this breach have on Kimsuky's operations?

While the breach is unlikely to permanently disable Kimsuky's operations, cybersecurity experts expect it will cause significant disruption to ongoing campaigns. The leak effectively 'burns' a substantial portion of the APT's established infrastructure and methodologies, forcing the group to rebuild tools and adapt procedures.

published: Aug. 12, 2025

Learn More

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky has reportedly been breached by hackers who leaked approximately 8.9 gigabytes of sensitive operational data.

The hackers cited ethical motivations for their actions, directly challenging Kimsuky's state-sponsored activities. In their manifesto published in Phrack Magazine #72, distributed at the DEF CON 33 conference in Las Vegas, the duo stated that Kimsuky was "hacking for all the wrong reasons" and accused the group of being driven by political agendas rather than practicing independent hacking artistry.

"Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda," the hackers declared. "You steal from others and favour your own. You value yourself above the others: You are morally perverted."

The attackers breached the virtual workstation and a virtual private server (VPS) used by an operator they referred to as "KIM," whom they believed to be associated with the Kimsuky group.

The leaked information, hosted on the Distributed Denial of Secrets (DDoSecrets) platform, contains:

Phishing logs targeting South Korean Defense Counterintelligence Command (dcc.mil.kr) email accounts
Attack logs against multiple South Korean government domains (spo.go.kr, korea.kr, daum.net, kakao.com, naver.com)
Complete source code for South Korea's Ministry of Foreign Affairs email platform ("Kebi"), including webmail, admin, and archive modules
PHP "Generator" toolkit for creating sophisticated phishing websites with detection evasion capabilities
References to South Korean citizen certificates and curated lists of university professors
Cobalt Strike loaders and reverse shells written in PowerShell
TomCat remote kernel backdoor components
Android Toybox variants and other custom malware tools
Ivanti RootRot exploit backdoor client code
VMware drag-and-drop cache files containing malicious payloads
Browser history containing nearly 20,000 entries revealing targeting patterns
Google Chrome configuration files linking to suspicious GitHub accounts and VPN service purchases
Internal documentation and operational manuals for various backdoors
Credentials and command scripts from the operator's workstation

The attack technique is not disclosed.

Cybersecurity experts have raised questions about the true identity of the compromised operator. Some are suggesting the individual may actually be Chinese instead of North Korean, potentially representing a Chinese APT group that mimics Kimsuky's tactics to confuse threat hunters. The data contains evidence of the operator's reconnaissance activities against Taiwanese targets, frequent visits to Chinese hacking forums (freebuf.com, xaker.ru), and use of Google Translate for converting error messages to Chinese.

The breach is unlikely to permanently disable Kimsuky's operations, but cybersecurity experts expect it will cause significant disruption to ongoing campaigns. The leak effectively "burns" a substantial portion of the APT's established infrastructure and methodologies, forcing the group to rebuild tools and adapt procedures.

North Korean hacker group Kimsuky allegedly breached, data leaked