
Kimsuky Data Breach Reveals South Korean Government Targets
North Korean state-sponsored hacking group Kimsuky has reportedly suffered a major data breach.
In a rush? Here are the quick facts:
- North Korean hacker group Kimsuky suffered a major data breach.
- Hackers ‘Saber’ and ‘cyb0rg’ leaked 8.9GB of Kimsuky’s data.
- Leak includes phishing logs targeting South Korean government domains.
Two hackers calling themselves ‘Saber’ and ‘cyb0rg’ stole and publicly leaked Kimsuky’s internal data, criticizing the group for their political motives and greed, as first reported by BleepingComputer (BC).
“Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda,” the hackers wrote in a message published in the latest issue of Phrack, as noted by BC.
“You steal from others and favour your own. You value yourself above the others: You are morally perverted,” the message reads.
The leaked data, totaling 8.9GB and hosted on the Distributed Denial of Secrets website, exposes Kimsuky’s tools and some stolen information that could reveal unknown hacking campaigns.
BC reports that among the data are phishing logs targeting South Korean government domains like dcc.mil.kr (Defense Counterintelligence Command), spo.go.kr, and korea.kr, as well as popular platforms such as daum.net, kakao.com, and naver.com.
The leak also includes the full source code of South Korea’s Ministry of Foreign Affairs email system, “Kebi,” along with lists of university professors and citizen certificates, as noted by BC.
Tools uncovered include phishing site generators with evasion tricks, live phishing kits, unknown binary files, and hacking utilities like Cobalt Strike loaders and reverse shells.
Additionally, BC says that the dump reveals Chrome browsing histories connected to suspicious GitHub accounts, VPN purchases, and hacking forums. There are signs of activity linked to Taiwan government and military websites and internal SSH connections.
While some of these details were previously known, the leak connects Kimsuky’s tools and operations in new ways, effectively exposing their infrastructure. Security experts say the breach may cause short-term disruptions but is unlikely to stop Kimsuky’s activities long-term.
BC says it is attempting to reach security researchers to verify the leak’s authenticity and will update its report as new information becomes available.