At this year’s DEF CON conference, hackers thumbing through copies of Phrack thought they were reading about a North Korean leak. Few realized they might be the real targets.
The West’s current advantage in cyber operations depends on the level of mutual trust between an underground hacker culture and the Five Eyes intelligence agencies. That trust has been undermined by what appears to be a sloppy influence operation that blurs the line between legitimate outreach and manipulation.
The recent “APT Down — The North Korea Files” disclosure is significant not only for what it exposes about an adversary’s cyber capability, but for what its packaging reveals about who is manipulating the talent pipeline that turns curious teenage hackers into the technical experts that protect critical infrastructure, design secure systems, and staff cyber commands across the Five Eyes countries.
Unlike the state-directed programs of China and Russia, Western cyber know-how emerges organically from a counterculture that prizes expertise over credentials and creativity over conformity. For trust to be preserved between hackers and intelligence, greater transparency in engagement protocols and congressional oversight are needed to protect the cyber talent ecosystem.
When a Leak Isn’t Really a Leak
In August 2025, 15,000 glossy hard copies of Phrack issue 72 were distributed to attendees at DEF CON 33 in Las Vegas, featuring a detailed analysis of data allegedly swiped from a workstation of a member of North Korea’s “Kimsuky” cyber-espionage group. Thousands more were also given out at BSides Canberra in September.
Being published in Phrack is like being published in Nature for scientists or Rolling Stone for musicians. It isn’t just an e-zine. It’s a hub of hacker culture that has educated three generations of cyber practitioners.
The online release of nine gigabytes of data, including source code, remote access trojans, phishing kits, and logs tied to South Korean targets, accompanied the disclosure. The data appears genuine and operationally useful. It includes details of Linux backdoors planted on compromised systems to enable ongoing access — sloppy tradecraft that makes detection easier. Cyber defenders can leverage these signatures to hunt for Kimsuky command-and-control infrastructure across the internet. Thus, the data’s technical value is undisputed. But what really matters is the influence operation that may be built around the leak.
Indeed, APT Down immediately raised red flags among hackers, first for its unprecedented insight into North Korean cyber operations. But close reading suggests another operation playing out between the lines. The disclosure exhibited the telltale signs of professional intelligence work: pre-notification of victims, analytical polish that reads like a finished product, and hard-copy distribution at elite cyber social gatherings like DEF CON and BSides.
At Threat Canary and prior roles where my work has ranged from emulating advanced adversaries to investigating attacks on critical infrastructure to threat intelligence services, I’ve developed a forensic sense for distinguishing authentic hacktivism from professional intelligence tradecraft.
The anomalies in APT Down’s presentation, distribution, and authorship point to three possibilities: authentic hacktivism by hackers with an intelligence analyst’s flair, a Five Eyes influence operation gone wrong, or adversary action designed to look like the latter. The evidence increasingly rules out the work of hacktivists.
The Hacktivism That Wasn’t
The APT Down leak is missing core features of a genuine hacktivism piece — from the missing story of how access was gained to the authors’ pseudonyms that cannot be found with search engines. This raises suspicion.
A hacktivist performs computer intrusions, attacks, and leaks for ideological reasons rather than for financial gain or ego.
At first glance, APT Down looks like hacktivism. The authors use Protonmail, a privacy-protecting free email service. They leak data through Distributed Denial of Secrets, a popular site for leaks. They offer an email address from “riseup.net,” a platform that describes itself as “providing communication and computer resources to allies engaged in struggles against capitalism and other forms of oppression.”
But the article doesn’t read like authentic hacktivism. Authentic hacktivist leaks usually provide details about how computer systems were hacked into, as well as personal manifestos. When hacker Phineas Fisher exposed the Italian cyber espionage company HackingTeam in 2015, the leak included a detailed “hack back” how-to guide that name-dropped WhatWeb, a web-fingerprinting tool I co-wrote with Brendan Coles. When Aaron Barr, CEO of the U.S. security firm HBGary Federal, which sold its products to the U.S. government, vowed in 2011 to unmask Anonymous, the response was a sweeping data leak with clear narration of methods and motives.
APT Down, by pseudonymous authors “Saber” and “cyb0rg,” breaks the hacktivist pattern. The names are nearly unsearchable — odd if you’re after the widespread attention of Phrack readers. There is no “intrusion narrative” about how nine gigabytes were taken from the workstation. The authors say they pre-notified victims — a typical government move, not a hacktivist one — and the article is thorough and organized like a professional intelligence assessment, not a chaotic hacker diary. Playful section headers — “Dear Kimsuky, you are no hacker” and “Fun Facts and Laughables” — openly mock North Korea’s cyber capability in a way that can help shape readers’ attitudes.
The content of the leak suggests the ostensible target is North Korea. Analysis of a Beijing-Pyongyang nexus and context clues about Chinese holidays and language patterns read like intelligence conclusions, not raw evidence. As such, the packaging of APT Down may mask a secondary target: Western underground hacker culture. If so, it risks undermining the hacker-to-defender talent pipeline that gives the West an asymmetric cyber advantage.
Layered Deception in Action
APT Down employs three tiers of deception, where each layer of discovery discourages deeper investigation.
In the first layer, North Korean cyber espionage tools are exposed, providing genuine insight and value for Western cyber defenders. Most analysts stop here with their “indicators of compromise.”
The second layer alludes to Chinese-North Korean cooperation. In Section 3.5 of the article, the authors note that the cyber-spy used Google Translate to convert Korean into Simplified Chinese. The spy also didn’t work from May 31 to June 2, corresponding with China’s Dragon Boat Festival in 2025. Additionally, the cyber-spy’s computer was set to Korean Standard Time. The authors suggest a Chinese operator is “fulfilling the agenda of North Korea (targeting South Korea) and China (targeting Taiwan) alike.”
Such cooperation is not unprecedented. Defectors have confirmed that North Korea’s elite Bureau 121 cyber unit has operated from China since 2005, using the Chilbosan Hotel in Shenyang as a staging area for attacks while hiding among the city’s large Korean community.
All these details are context clues, not proof of attribution, physical location, or citizenship. They may indicate a Chinese hacker on a North Korean tasking, shared habits and infrastructure, or deliberate staging. The wise approach is to treat the code as real and the story as contested.
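The reasoning in the preceding paragraphs (working hours consistent with a time zone, a gap that lines up with a holiday) can be made concrete with a pattern-of-life check. The following is an added example written for this article; it is not code from Phrack, from the APT Down authors, or from the leak. The activity timestamps are constructed for illustration, the candidate UTC offsets are an assumption, and the only value taken from the article is the quiet window of May 31 to June 2, 2025. It goes slightly beyond the text by scoring several time zones at once, which is what shows why such clues are suggestive rather than conclusive: both UTC+9 (Korea) and UTC+8 (China) fit a nine-to-six pattern, and a three-calendar-day gap that spans a weekend leaves only one business day unexplained.

```python
from datetime import date, datetime, timedelta, timezone

# Holiday window as described in the article (China's Dragon Boat Festival break, 2025).
ARTICLE_HOLIDAY_WINDOW = (date(2025, 5, 31), date(2025, 6, 2))

# Candidate operator time zones to score (assumption for the illustration).
CANDIDATE_OFFSETS = [9, 8, 0, -5]


def build_sample_events():
    """Constructed sample: one event per hour, 00:15-08:15 UTC, on weekdays from
    2025-05-26 to 2025-06-06, with 2025-05-31 .. 2025-06-02 left empty.
    Made-up timestamps for illustration, not data from the APT Down leak."""
    quiet = {date(2025, 5, 31), date(2025, 6, 1), date(2025, 6, 2)}
    events = []
    day = date(2025, 5, 26)
    while day <= date(2025, 6, 6):
        if day.weekday() < 5 and day not in quiet:
            for hour in range(0, 9):
                events.append(datetime(day.year, day.month, day.day, hour, 15, tzinfo=timezone.utc))
        day += timedelta(days=1)
    return events


def to_local(ts, offset_hours):
    """Shift a UTC-aware timestamp into a fixed-offset local time."""
    return ts.astimezone(timezone(timedelta(hours=offset_hours)))


def business_hour_fraction(events, offset_hours, start=9, end=18):
    """Fraction of events falling inside local [start, end) hours."""
    hours = [to_local(e, offset_hours).hour for e in events]
    if not hours:
        return 0.0
    return sum(1 for h in hours if start <= h < end) / len(hours)


def rank_timezones(events, offsets):
    """Candidate offsets ordered by how well they explain a daytime work pattern."""
    scored = [(off, business_hour_fraction(events, off)) for off in offsets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def plausible_offsets(events, offsets, threshold=0.8):
    """Every offset that clears the threshold: more than one means the clue is ambiguous."""
    return [off for off, frac in rank_timezones(events, offsets) if frac >= threshold]


def _active_dates(events, offset_hours):
    return {to_local(e, offset_hours).date() for e in events}


def longest_idle_run(events, offset_hours):
    """Longest run of consecutive calendar days with no activity, in local time."""
    active = _active_dates(events, offset_hours)
    best = (None, None, 0)
    run_start, run_len = None, 0
    day = min(active)
    while day <= max(active):
        if day in active:
            run_start, run_len = None, 0
        else:
            run_start = run_start or day
            run_len += 1
            if run_len > best[2]:
                best = (run_start, day, run_len)
        day += timedelta(days=1)
    return best


def missing_business_days(events, offset_hours):
    """Weekdays with no activity; weekends are expected gaps and are excluded."""
    active = _active_dates(events, offset_hours)
    missing = []
    day = min(active)
    while day <= max(active):
        if day.weekday() < 5 and day not in active:
            missing.append(day)
        day += timedelta(days=1)
    return missing


def holiday_overlap(missing_days, window_start, window_end):
    """Which unexplained business days fall inside the stated holiday window."""
    return [d for d in missing_days if window_start <= d <= window_end]


if __name__ == "__main__":
    events = build_sample_events()
    for off, frac in rank_timezones(events, CANDIDATE_OFFSETS):
        print(f"UTC{off:+d}: {frac:.2f} of events in local 09:00-18:00")
    print("plausible offsets:", plausible_offsets(events, CANDIDATE_OFFSETS))
    start, end, n = longest_idle_run(events, 9)
    print(f"longest idle run (UTC+9): {start} .. {end} ({n} calendar days)")
    missing = missing_business_days(events, 9)
    print("unexplained business days:", missing)
    print("of which inside holiday window:", holiday_overlap(missing, *ARTICLE_HOLIDAY_WINDOW))
```

The report this prints makes the caveat explicit: the clock setting and the schedule narrow the field to neighbouring time zones without separating them, and the "three days off" collapses to a single Monday once weekends are discounted. That is useful context for an analyst, but it is not a basis for attributing location or citizenship.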
Cybersecurity analyst David Sehyeon Baek notes that APT Down is “notable not only for its technical revelations but also for the ethical debate it prompts,” while “showing hints of tool sharing with Chinese actors.” When asked about the broader implications, Baek warned that “poorly executed psychological operations can alienate the very talent pools governments hope to recruit, eroding trust and creating long-term cultural and operational costs.”
The final layer of deception aims to shape how Western hackers perceive threats and intelligence cooperation. By packaging intelligence as hacktivism, someone could sour the hacker community on government collaboration. It is too early to tell whether APT Down was a Five Eyes misstep or the work of an adversary, but its sophistication rules out authentic hacktivism. The missing intrusion narrative could reflect operational security. The unsearchable pseudonyms might belong to new actors, but together with government-style victim notification and intelligence-grade analysis, they reveal a level of professionalism not typically characteristic of a hacktivist.
A Relationship at Risk
The current cyber talent pipeline that turns curious teen hackers into professional consultants and later into cyber leaders and tech company founders is a strategic advantage of the West over hostile state actors. Today’s rebels are tomorrow’s defenders. Influence operations that erode trust between intelligence agencies and hacker communities risk restricting the flow of the pipeline by diverting hacker talent away from cyber consulting and defense into other parts of the economy or even cybercrime. Without this pipeline, the West loses its advantage.
While Russia and China can train state hackers through academies and conscription, they struggle to replicate the creative problem-solving culture that emerges organically from underground communities. Western cyber advantage doesn’t come from formal education alone. It comes from teenagers teaching themselves to break systems years before they reach university. This early-start, curiosity-driven learning produces practitioners with deeper intuition and more creative approaches than institutional training programs can match. Organizational research suggests that state-directed programs can produce competent technicians but cannot easily replicate the iconoclastic mindset that drives breakthrough security research — one that leads hackers to challenge authority, question assumptions, and find novel attack vectors that no curriculum would teach.
For over a decade, the U.S. government and Five Eyes intelligence agencies have worked to cultivate cyber talent in the spaces where cybersecurity talent congregates and where the norms around responsible disclosure and public service are shaped, such as hacker conferences like DEF CON and underground publications like Phrack. At DEF CON 20 in 2012, Gen. Keith B. Alexander, then head of U.S. Cyber Command and the National Security Agency, delivered a keynote emphasizing shared responsibility between the government and the hacker community in defending national security. More recently, former National Security Agency Director Paul Nakasone spoke on stage at DEF CON with founder Jeff Moss. The mutual trust and transparency that exists today took years to build. DEF CON has come a long way since having a “spot the fed” competition at its annual gathering.
If a Five Eyes agency used Phrack to disseminate the APT Down leak, it amounts to self-harm. Conversely, if it was an influence operation by an adversary mimicking a Five Eyes operation, then protection of underground hacker spaces through transparent relationships and disclosure should be formalized in policy.
What to Do Now
The United States and its allies should preserve the spaces where hacker skills mature — vulnerability research, competitions, e-zines, and conferences — and protect freedom to publish, unbreakable encryption, and weaponized exploit code. Cyber defenders should use the leaked data from APT Down to improve Kimsuky detection while treating the narrative with caution.
The Five Eyes intelligence agencies should establish formal liaison protocols for engagement with underground conferences and publications — transparent relationships that preserve trust while enabling information sharing. The National Security Agency and the Australian Signals Directorate have particular responsibility here, given their presence at DEF CON and BSides Canberra, where Phrack issue 72 was distributed. Yet, all Five Eyes countries benefit from the cyber talent pipeline and should coordinate protocols. When intelligence products are placed in cultural venues, disclosure should be standard practice. Oversight bodies in the U.S. Congress — particularly the House and Senate Intelligence Committees — should require regular briefings on any influence operation targeting domestic cultural spaces and establish review mechanisms to ensure such activities, even when intended for defensive purposes, don’t undermine the trust that makes the talent pipeline flow.
The U.S. intelligence community should develop clear doctrine distinguishing legitimate outreach from manipulation. Supporting the hacker community means contributing technical knowledge, creating employment pathways, and respecting community norms. Conversely, exploiting it means covertly placing intelligence products in trusted venues or manipulating community discourse without disclosure. Formal guidelines would clarify which activities require disclosure, protecting both community trust and intelligence equities.
Security researchers, conference organizers, and publication editors — the gatekeepers of hacker culture — should scrutinize anomalous contributions. Exposing obvious influence operations carries little risk; the real danger is that the next one won’t be so apparent.
If the hacker community loses trust in the venues that teach craft, the talent pipeline that turns curious teenagers into tomorrow’s defenders will corrode. Phrack, DEF CON, and the broader hacker underground aren’t just cultural artifacts — they are strategic assets. Protecting them from manipulation, whether by friend or foe, is a national security imperative.
Andrew Horton is the CTO and co-founder of Threat Canary, a next-generation AI-powered cyber platform. He has led security operations transformations for banks and public-sector organizations and authored the open-source tools WhatWeb and URLCrazy (both in Kali Linux). His work has appeared in security methodologies, including the Open Web Application Security Project Testing Guide and the Penetration Testing Execution Standard, as well as in security textbooks and academic publications, and he briefs think tanks on cyber strategy, AI, and digital sovereignty.
Image: Midjourney