Earlier this year, two hackers broke into a computer and quickly realized the significance of the machine. They had landed on the computers of hackers who are allegedly working for the North Korean government.
The two hackers decided to keep digging and found evidence linking the hackers to cyberespionage operations carried out by North Korea, as well as exploits and hacking tools, and the infrastructure used in their operations.
Saber, one of the hackers involved, told TechCrunch that he had access to the computers of North Korean workers for about four months, but as soon as he understood the data he had access to, he realized he eventually had to leak it and reveal what he had discovered.
“These nation-state hackers are hacking for all the wrong reasons, and I hope many of them get exposed.”
Countless cybersecurity companies and researchers closely track the North Korean government and its many hacking groups, whose activities include not only spying but also increasingly large crypto heists, as well as the broader operations in which North Koreans work as remote workers to fund the regime's nuclear weapons programme.
In this case, Saber and Cyb0RG went a step further and actually hacked the hackers. This could give insight, or at least a different kind of insight, into how these government-backed groups work and, as Saber said, “what they do every day, etc.”
The hackers want to be known only by their handles, Saber and Cyb0RG, because they could face retaliation from the North Korean government. Saber says they consider themselves hacktivists, and he named the legendary hacktivist Phineas Fisher, who was responsible for hacking spyware maker FinFisher and Hacking Team, as an inspiration.
At the same time, the hackers also understood that what they did was illegal, but they still thought it was important to make it public.
“It would really not have been helpful to keep it for ourselves,” Saber said. “We hope that by letting everything go to the public, we can give researchers some ways to detect them.”
“Hopefully this will lead to the discovery of many of their current victims and [the North Korean hackers] losing access,” he said.
“The action brought concrete artifacts to the community, whether illegal or not, and this is even more important,” Cyb0RG said in a message sent through Saber.
Saber said he is confident that the hacker, known as “Kim,” works for the North Korean regime but is actually Chinese and may work for both governments. He bases this on the finding that Kim did not work during Chinese holidays, suggesting that the hacker is based there.
Also, according to Saber, Kim used Google Translate to translate some Korean documents into simplified Chinese.
Saber said he didn't try to contact Kim. “I don't think he would even listen. All he does is empower his leaders, the same leaders who enslaved his people,” he said. “Perhaps I would tell him to use his knowledge in a way that helps people, rather than hurting them. But he lives in constant propaganda, probably from birth, and this is meaningless to him,” he said, referring to the harsh information vacuum that North Korea lives in.
Saber declined to disclose how he and Cyb0RG gained access to Kim's computer. The two believe that using the same technique they can “get access to several systems on other systems in the same way.”
During their operation, Saber and Cyb0RG discovered evidence of the aggressive hacking Kim had done against companies in Korea and Taiwan.
North Korean hackers have a history of targeting people who work in the cybersecurity industry. Saber said he was aware of that risk, but that he “is not really worried.”
“I can't do much about this, definitely paying more attention :),” Saber said.