In a significant cybersecurity incident, two hackers have released 9 GB of data stolen from what they claim is a North Korean state-backed hacker’s computer, providing an unprecedented look into the operations of an advanced persistent threat actor.
The Leak Details
The data breach was orchestrated by two individuals operating under the names Saber and cyb0rg, who gained access to a virtual workstation and virtual private server used by someone they refer to as “KIM”. The hackers released this information during a major hacking conference in Las Vegas on August 11, 2025.
The leaked archive totals 8.90 GB and contains extensive operational materials from the compromised system.
What Was Exposed
The stolen data reveals extensive operational details including:
- Attack logs showing attempts to compromise South Korea’s government and Defense Counterintelligence Command
- Internal documentation and source code
- Stolen credentials and command scripts from the operator’s workstation
- Operational tools consistent with a real-world espionage toolkit
Independent analysts who reviewed the materials found them to be authentic and consistent with genuine cyber-espionage operations.
Attribution Questions
While the leakers believe “KIM” is connected to Kimsuky, a group long associated with North Korean state-backed cyber activities, the attribution remains uncertain. Some security experts suggest the operator could just as likely be based in China, highlighting the challenges of accurately identifying threat actors.
This uncertainty stems from the fact that skilled hackers often leave misleading trails pointing to the wrong countries, and advanced operators can mimic other nations’ methods closely enough to confuse investigators.