Saber and cyb0rg, two self-identified hacktivists, never expected to uncover something this shocking. They tracked North Korean hackers who are believed to be conducting some of the world’s largest cryptocurrency robberies, including a staggering $1.4 billion raid on the crypto exchange Bybit. Taken together, their disclosures point to the increasing complexity and prevalence of cyber crimes perpetrated by North Korea. In 2024 year-to-date, the country is said to have pilfered more than $659 million in digital assets alone. The hacktivists argue that their discovery can help identify more victims and stop future thefts.
In early 2025, North Korean hackers came under fire for an alarming increase in crypto heists. Investigators accused them of using these activities to help fund the regime’s growing nuclear weapons program. Most analysts agree that these hackers largely pretend to be remote IT personnel, which has given them access to every sector from hospitals to law enforcement agencies. Specifically, they have zeroed in on government employees with cybersecurity experience, which has raised alarm across the cybersecurity community.
Saber and cyb0rg have attributed several of these cyberespionage campaigns to a North Korean hacker named Kim. These activities were carried out in service of the North Korean government. According to the pair, they had full access to Kim’s computer for four months. With that freedom, they discovered hacking tools, exploits, and the infrastructure behind these operations.
“What they are doing on a daily basis and so on,” – Saber
Their research eventually prompted them to write an article, published in the hacker e-zine Phrack, that walks through their investigation. Even before they boarded, the duo was convinced that Kim had some connections to the Chinese government. They highlight his work schedule to argue that he works from a home office in China. Specifically, Kim refused to work through Chinese holidays and used Google Translate to translate Korean documents into simplified Chinese.
Saber and cyb0rg presented a wealth of evidence exposing ongoing military hacks against civilian companies in South Korea and Taiwan. They went above and beyond by notifying the targeted companies of the dangers Kim and his cohorts presented.
“These nation-state hackers are hacking for all the wrong reasons. I hope more of them will get exposed; they deserve to be,” – Saber
The hacktivists’ main point is that their intentions are about exposing the bad guys rather than getting rich. Saber acknowledged that keeping their findings under wraps would do no good for their study or for anyone else involved.
“Keeping it for us wouldn’t have been really helpful,” – Saber
By making the information public, Saber hopes to provide researchers with new tools to detect such cyber threats and assist potential victims in recognizing vulnerabilities.
“By leaking it all to the public, hopefully we can give researchers some more ways to detect them,” – Saber
Cyb0rg stressed that their approach could be considered unlawful, but that the artifacts they share are of immense value to the cybersecurity community.
“Illegal or not, this action has brought concrete artifacts to the community; this is more important,” – cyb0rg
Despite the pair’s best intentions, Saber had little faith that any change would come from within the North Korean regime itself. He contended that Kim’s provocation lets the world’s most oppressive leaders win. They don’t do a damn thing to bring any positive change to the North Korean people.
“Not much can be done about this, definitely being more careful though :),” – Saber