Hackers Leak 9GB of Data from Alleged North Korean Hacker’s Computer

HackRead

Hackers release 9GB of stolen files from the computer of an alleged North Korean hacker, revealing tools, logs, sensitive data and much more. The data is now available for download via DDoSecrets.

It is not often that the inner workings of a cyber-espionage operator are exposed, but that is exactly what happened when two hackers decided to publish a trove of stolen files during one of the world’s biggest hacking conferences.

The material did not surface on a cybercrime forum or through a misconfigured database. Instead, it was shared through Phrack, the legendary hacker publication, in its 40th anniversary issue at DEF CON in Las Vegas.

The people behind the leak, who go by the names Saber and cyb0rg, say they gained access to a virtual workstation and a virtual private server used by someone they call “KIM.” This individual was believed by the leakers to be linked to Kimsuky, a group long associated with North Korean state-backed cyber activity. Yet even with that claim, questions remain, and some security experts think it is just as possible that the operator could be based in China.

What they took and later shared offers a rare look into the operational tools and records of an advanced threat actor. The first batch of data included attack logs showing attempts to compromise South Korea’s government and its Defense Counterintelligence Command through the VPS. The second release was even more revealing, containing internal documentation, source code, stolen credentials, and command scripts from the operator’s workstation.

Independent analysts such as Distributed Denial of Secrets (DDoSecrets), which reviewed the files and indexed the entire 8.90 GB archive on its website for free download, found that the materials appeared authentic and consistent with a real-world espionage toolkit.

Screenshot of the archive available on DDoSecrets (Image credit: Hackread.com)

However, figuring out who actually ran these systems can still be difficult. Hackers sometimes leave trails that point to the wrong country, and skilled operators can mimic another nation’s methods closely enough to mislead investigators.

For now, the leak sits as both a technical goldmine for researchers and a mystery for intelligence analysts. Phrack has said it plans to release additional download links on its site, which means more details could surface.

Nevertheless, this is not the first time that such sensitive data has gotten into the hands of a third party. Back in 2020, IBM’s X‑Force team stumbled across over 40 gigabytes of video recordings showing Iranian cyber‑espionage operators teaching others how to hijack email accounts.

The footage, which included real-time steps, like linking Gmail accounts to Zimbra software to download inboxes, was exposed by mistake when the hackers uploaded it to an unsecured cloud server.
