North Korean Hackers Sent 120,000 Emails — And One Click Could’ve Cost You Everything
James Yoo
From late 2024 to early 2025, over 120,000 phishing emails capable of stealing accounts with a single click were distributed. The alarming truth is that these emails are not just spam—they have been traced back to a North Korean hacking group.
On Tuesday, South Korea’s National Office of Investigation under the Korean National Police Agency announced that 126,266 spoofed emails—some titled “Disclosure of Counterintelligence Martial Law Documents”—were confirmed as North Korean hacking attempts. The email subject lines were crafted to arouse curiosity, with titles like Today’s Horoscope, Concert Invitation, and Tax Refund Confirmation.

From November 2024 to January 2025, these phishing emails were sent to 17,744 individuals, and 120 victims had their portal site IDs and passwords stolen. Fortunately, no classified data leaks or financial damages have been confirmed.
A typical phishing email included a button labeled “Check eligibility” at the bottom of a message titled “Tax Refund Amount Inquiry.” Clicking the button redirected recipients to a fake login page that mimicked a legitimate portal site. Once a user entered their account credentials, the data was immediately transmitted to the North Korean hacking group.
North Korea reportedly used 15 South Korean servers rented through foreign companies and even developed a custom email distribution program. This software included features to track, in real time, whether the email was opened, whether the phishing site was accessed, and whether login credentials were entered.
North Korea’s Evolving Hacking Tactics: “Avoid Clicking on Emails from Unknown Senders”
South Korean police assessed that the operation bore clear signs of a North Korean hacking group. Traces of North Korean language patterns were found in the server logs, and some servers used in the attack were previously linked to North Korean cyberattacks. The source IP addresses were located near the North Korea-China border, and there was evidence of attempts to collect information related to defectors and military personnel.
This incident is particularly notable because it marks North Korea’s shift from precision-targeted attacks to a cost-efficient hacking strategy.
In the past, North Korean hackers created custom content, such as a political analysis of the North Korean New Year’s address, and manually sent it to foreign affairs and security experts. Now, they have transitioned to a mass-distribution model using automation tools and publicly available online content to target a broader audience indiscriminately.
A police spokesperson emphasized, “To prevent damage, never open emails from unknown senders, avoid clicking on links or attachments, and always verify the URL of any website that requests login credentials.”
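The URL check recommended above can be automated when triaging suspicious mail. The following Python code is an added example, not part of the original article or of any police tooling; the trusted host names and the sample message are constructed placeholders. It flags any link whose real host is not a known login host, including forms that a quick visual check tends to miss.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumption: hosts where the reader really logs in (placeholder domains).
TRUSTED_LOGIN_HOSTS = {"portal.example.com", "login.portal.example.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_url(url):
    """Return a list of reasons the URL should not be trusted for login."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible lookalike)")
    if host not in TRUSTED_LOGIN_HOSTS:
        reasons.append(f"host '{host}' is not a known login host")
    return reasons

def audit_email(html):
    """Map each link's visible text to the problems found in its target."""
    collector = LinkCollector()
    collector.feed(html)
    return {text: check_url(href) for href, text in collector.links}

# Constructed sample modelled on the lure described above (not a real message).
SAMPLE = """<a href="https://portal.example.com.refund-check.example.net/login">Check eligibility</a>
<a href="https://portal.example.com/login">Portal home</a>
<a href="http://portal.example.com@203.0.113.7/login">Concert Invitation</a>"""

if __name__ == "__main__":
    print(audit_email(SAMPLE))
```

An empty list means the link points at a trusted login host over HTTPS; anything else should be treated as a reason not to enter credentials.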