Hacktivists Unveil North Korean Cyber Operations: A Deep Dive into the Motivations and Implications

In early 2025, two self-identified hacktivists, known by their online aliases Saber and cyb0rg, infiltrated a computer system that, upon further investigation, was found to belong to a hacker allegedly affiliated with the North Korean government. This discovery led them to uncover a trove of data linking the individual to various cyberespionage activities, including hacking tools, exploits, and infrastructure utilized in these operations.

Saber disclosed to TechCrunch that they maintained access to this system for approximately four months. Recognizing the significance of the information at their disposal, they felt compelled to make their findings public. Their objective was to shed light on the clandestine cyber activities orchestrated by nation-state actors.

“These nation-state hackers are hacking for all the wrong reasons,” Saber remarked. “I hope more of them will get exposed; they deserve to be.” This statement was made following the publication of their detailed account in the renowned hacking e-zine, Phrack.

The cybersecurity community has long been vigilant in monitoring the activities of North Korean hacking groups. These groups are notorious for their involvement in espionage, substantial cryptocurrency thefts, and operations where individuals pose as remote IT workers to generate funds for the regime’s nuclear weapons program. However, the approach taken by Saber and cyb0rg was unprecedented. By directly hacking into the hackers’ systems, they provided unique insights into the daily operations and methodologies of these government-backed entities.

Operating under pseudonyms to mitigate potential retaliation, Saber and cyb0rg identify as hacktivists. They draw inspiration from figures like Phineas Fisher, known for exposing spyware manufacturers such as FinFisher and Hacking Team. While they acknowledge the illegality of their actions, they believe that publicizing their findings serves a greater good.

“Keeping it for us wouldn’t have been really helpful,” Saber explained. “By leaking it all to the public, hopefully, we can give researchers some more ways to detect them.” He further expressed hope that their disclosure would lead to the identification of current victims, thereby disrupting the operations of North Korean hackers.

Cyb0rg echoed this sentiment, stating, “Illegal or not, this action has brought concrete artifacts to the community; this is more important.”

Through their investigation, Saber and cyb0rg deduced that the hacker, whom they refer to as Kim, is likely of Chinese origin and may be collaborating with both the North Korean and Chinese governments. This conclusion was drawn from observations such as Kim’s inactivity during Chinese holidays and instances where Korean documents were translated into simplified Chinese using Google Translate.

Saber chose not to engage directly with Kim, expressing skepticism about the potential for meaningful dialogue. “I don’t think he would even listen; all he does is empower his leaders, the same leaders who enslave his own people,” he stated. He suggested that Kim should use his skills to benefit people rather than harm them but acknowledged the pervasive propaganda that likely influences Kim’s worldview.

The specific methods used by Saber and cyb0rg to access Kim’s computer remain undisclosed, as they intend to employ similar techniques in future operations. During their access, they uncovered evidence of active cyberattacks conducted by Kim against South Korean and Taiwanese companies. They have since alerted these organizations to the breaches.

While North Korean hackers have a history of targeting cybersecurity professionals, Saber remains undeterred. “Not much can be done about this, definitely being more careful though,” he commented.

This incident underscores the ongoing cyber threats posed by state-sponsored actors and highlights the role of independent hacktivists in exposing such activities. The information revealed by Saber and cyb0rg provides valuable insights into the operations of North Korean cyber units, potentially aiding in the development of more effective defense mechanisms against such threats.