9GB Data Leak From Alleged North Korean Hacker Surfaces at DEF CON

A 9GB trove of stolen files, allegedly tied to a North Korean operator, surfaced publicly during DEF CON in Las Vegas after two hackers published the material on Phrack, the long-running hacker publication. The files are now available for download via DDoSecrets, which indexed the archive for public access.

According to the leakers, who identify themselves as Saber and cyb0rg, they gained access to a virtual workstation and a virtual private server used by an individual they called “KIM,” who they believe is linked to the North Korean group Kimsuky. Security experts, however, have questioned the attribution, noting that operators can mimic another nation’s methods closely enough to mislead investigators.

The first batch of data included attack logs showing attempts to compromise South Korea’s government and its Defense Counterintelligence Command through a VPS. A second release was more revealing, containing internal documentation, source code, stolen credentials, and command scripts from the operator’s workstation.

Independent analysts such as DDoSecrets reviewed the files and indexed the entire 8.90 GB archive, concluding that the materials appeared authentic and consistent with a real-world espionage toolkit. The leak is being viewed as a technical goldmine for researchers, even as it remains a mystery for intelligence analysts.

Officials note that Phrack has said it plans to publish additional download links, which could surface more details and possibly complicate efforts to attribute the operation. The incident fits a long pattern of sensitive material slipping into third-party hands: in 2020, IBM X-Force reported finding roughly 40 gigabytes of video recordings that illustrated Iranian cyber-espionage techniques, including the steps used to hijack email accounts, exposed by a cloud misconfiguration that left the server unsecured.