Two hackers say they stole internal files from the North Korean state-linked APT known as Kimsuky and publicly dumped roughly 8.9GB of data. The pair, using the handles Saber and cyb0rg, published a statement in Phrack and released a portion of what they say is Kimsuky’s backend. The material was posted to the Distributed Denial of Secrets archive.
Who Claims Responsibility and Why They Published the Kimsuky Data
The two leakers framed their actions as ethical. In a message published in Phrack at DEF CON 33 they wrote:
“Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda.”
They said they oppose Kimsuky’s motives and released the files to expose the group’s tooling and stolen data.
What the Leaked Archive Contains (High-Value Items and Indicators)
The dump reportedly includes code, phishing assets, logs and payloads. Key items described by the leakers include:
- Phishing logs showing multiple dcc.mil.kr (Defense Counterintelligence Command) email accounts.
- Target lists and domains including spo.go.kr, korea.kr, daum.net, kakao.com, and naver.com.
- A .7z archive said to contain the complete source code for South Korea’s Ministry of Foreign Affairs webmail platform (“Kebi”), including webmail, admin and archive modules.
- References to South Korean citizen certificates and curated lists of university professors.
- A PHP “Generator” toolkit used to build phishing sites with detection-evasion and redirection tricks, plus live phishing kits.
- Binary archives and executables (for example, voS9AyMZ.tar.gz, Black.x64.tar.gz, payload.bin) not flagged by VirusTotal.
- Cobalt Strike loaders, reverse shells and Onnara proxy modules recovered from VMware drag-and-drop cache.
- Chrome histories and config files linking to suspicious GitHub accounts, VPN purchases via Google Pay, and frequent visits to hacking forums.
- Evidence of Google Translate use for Chinese error messages, and visits to Taiwan government and military sites.
- Bash history showing SSH connections to internal systems.
The leakers note some items mirror previously reported material. They say the dump adds new links between tools, infrastructure and past campaigns.
Security reporters reached out to researchers to verify the files. Analysts are reviewing the material to confirm authenticity and value. Public reporting so far says the dump may expose previously unknown campaigns and undocumented compromises.
While the leak may not end Kimsuky’s operations, it could disrupt active infrastructure and force the group to change tools and tradecraft. The files could also give defenders new indicators for detection.
Publication Details
The material was distributed in the latest Phrack issue and made available via the Distributed Denial of Secrets archive. The Phrack issue appeared in limited physical copies at DEF CON 33, and an online version is expected to follow.