The Watched Watching Back: North Korean Threat Actors Investigate Public Threat Intelligence

Sreekar Madabushi | Aleksandar Milenkoski

Threat actors have long demonstrated an interest in public threat intelligence reporting about them. This interest is driven by strategic motivations: to assess their exposure, adapt their operations, and undermine the effectiveness of defensive measures.

In this talk, we present our investigation into a campaign in which suspected North Korean threat actors showed significant interest in Validin’s threat intelligence data, particularly infrastructure publicly attributed to them and related disclosures about their operations. We detail how we attributed this activity to a specific North Korean threat cluster known for cyberespionage and financial crimes with a focus on targeting individuals and organizations in the cryptocurrency industry.

Our investigation also uncovered backend web code used by the threat actors to support their campaigns — likely exposed due to operational security lapses.