Police say North Korea impersonated horoscope writers, counterintelligence command in 120,000 phishing emails



Kim Young-woon, head of the National Office of Investigation's (NOI) cyberterrorism investigation unit, speaks during a briefing on the North Korean hacking emails case at the NOI headquarters in Seodaemun District, western Seoul, on April 15. [NEWS1]

 
North Korean hackers sent more than 120,000 phishing emails over a two-month period, impersonating subjects such as the Defense Counterintelligence Command and horoscope subscriptions in an attempt to steal personal information, South Korean police said on Tuesday.
 
An investigation into phishing emails sent last December had confirmed North Korea’s involvement, the National Office of Investigation (NOI) under the National Police Agency announced in a briefing on Tuesday.
 

 
Police began investigating after confirming that, at 1:45 p.m. on Dec. 11, an email titled “Defense Counterintelligence Command's Martial Law Documents Revealed” had been distributed to an unspecified number of recipients.
 
The email encouraged recipients to download an attached file, claiming it contained content prepared under the direction of former Defense Counterintelligence Commander Yeo In-hyung, reviewing whether former President Yoon Suk Yeol had the right to refuse a National Assembly request to lift martial law. The attachment contained malware that would be executed upon download.
 
The Ministry of Science and ICT warned of a large-scale distribution of hacking emails after these emails were distributed.
 
North Korean hacking groups sent 126,266 phishing emails to 17,744 individuals between November 2024 and January 2025, according to police. Police secured 15 domestic servers used to send the emails and identified evidence of North Korea's cyberattack activity. North Korean hackers are believed to have rented these servers through foreign companies to bypass spam filters and other barriers.
 
The National Office of Investigation (NOI) of the National Police Agency held a briefing on April 15 and announced that it had captured evidence that a North Korean hacker group was sending a large number of phishing emails to steal personal information. [NATIONAL OFFICE OF INVESTIGATION]

 
The North Korean group used approximately 30 types of impersonation emails. Some posed as daily horoscopes, economic articles, health newsletters or tax refund notices. Others mimicked invitations to the concerts of famous singers such as Lim Young-woong.
 
Recipients who clicked links within the emails were directed to spoofs of popular websites like Naver or Google. Victims were prompted to enter their IDs and passwords on these counterfeit sites.
 
Police discovered that the fake sites’ URLs mimicked real ones but included additional terms like “auth” or “login.” The senders' email addresses were also disguised to resemble those of official agencies or acquaintances, such as “seoul-news.”
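
A defender-side check for the URL pattern police described, as an added example that is not part of the original article: it flags links whose hostname contains a brand name but whose registrable domain does not belong to that brand, and notes when terms like "auth" or "login" are present. The allowlist, the naive suffix handling and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Brands named in the article, mapped to domains they actually operate
# (short allowlist assumed for this example; a real one would be longer).
BRANDS = {"naver": {"naver.com"}, "google": {"google.com"}}
# Extra terms the police said were added to the fake URLs.
LURE_TERMS = ("auth", "login")
# Simplification: a real check should use the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.kr", "or.kr", "go.kr"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (naive suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Label a URL 'legitimate', 'lookalike', 'lookalike+lure' or 'unrelated'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    for brand, owned in BRANDS.items():
        if reg in owned:
            return "legitimate"
        if brand in host:
            # Brand name appears in a host the brand does not own.
            text = host + parts.path.lower()
            lured = any(term in text for term in LURE_TERMS)
            return "lookalike+lure" if lured else "lookalike"
    return "unrelated"


# Constructed sample links (reserved .example names, not from the case).
SAMPLES = [
    "https://nid.naver.com/nidlogin.login",
    "https://naver-auth.example/signin",
    "https://login.naver.com.account-check.example/",
    "https://accounts.google.com/",
    "https://google.secure-portal.example/profile",
    "https://horoscope-daily.example/today",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_url(link):15} {link}")
```

The comparison is made on the registrable domain rather than on a substring of the URL, which is why the third sample is flagged even though it contains the full string "naver.com".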
 
Forensic analysis of the secured servers uncovered significant traces of North Korean involvement. The servers matched those used in previous North Korean cyberattacks, and the originating IP addresses were allocated to Liaoning Province, a border region between North Korea and China.
 
Fake emails that were found to have been used by a North Korean hacker group for phishing crimes through mass email transmission. [NATIONAL OFFICE OF INVESTIGATION]

 
In particular, police found that the servers used North Korean-specific vocabulary, such as pogu for “port,” gidong for “operation,” and pege for “page.”
 
“These terms and vocabulary were identified based on materials published by the Korea Institute for National Unification,” a police official explained.
 
Of the 17,744 people who received the phishing emails, 120 were found to have entered personal information such as their ID or password, though no sensitive information was leaked. Police have advised these individuals to take protective measures.
 
Police noted that while North Korean hackers have traditionally targeted individuals working in North Korea-related fields or government officials in defense or foreign affairs, this attack was different in that it involved the mass distribution of fake advertising emails to the general public.
 
Authorities are also investigating potential links to known North Korean hacking groups, such as Lazarus, under Pyongyang’s Reconnaissance General Bureau.
 
“To prevent damage from phishing emails, it is essential to avoid opening emails from unknown senders or clicking on attachments or links,” a police official emphasized.
 
 
Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff. 
 

BY NA UN-CHAE