They were getting it directly from the expert
In the quiet corridors where policy is shaped and expertise is traded, North Korean intelligence operatives have found a disarmingly simple path through the most sophisticated defenses: they ask. By impersonating respected think tank directors and journalists, a hacking group known as Thallium has been soliciting candid analysis from Western foreign policy experts — not through malware or stolen passwords, but through ordinary professional conversation. The campaign, tracked by Microsoft and active since at least early 2022, reveals how the oldest tools of espionage — patience, identity, and trust — can outmaneuver the most advanced cybersecurity infrastructure.
- North Korean operatives are bypassing firewalls and antivirus software entirely by simply emailing experts and asking them to share their policy analysis — a tactic with no technical signature to detect.
- Respected analysts, some of whom completed full research reports or manuscript reviews, only discovered the deception after the damage was done, leaving institutions scrambling to warn their networks.
- The questions being asked — about China's reaction to nuclear tests, Japan's response to provocations, Ukraine's effect on Pyongyang's calculus — reveal a precise intelligence-gathering agenda aimed at mapping Western government intentions.
- Microsoft's threat analysts describe the defense problem as nearly intractable: with no malicious links or attachments, the entire burden of detection falls on the individual recipient's vigilance.
- Security experts and targeted institutions are now leaning on awareness campaigns and verification protocols, knowing that no technical solution yet exists to stop a well-crafted impersonation email.
In October, Washington-based foreign affairs analyst Daniel DePetris nearly accepted what appeared to be a legitimate writing commission from the director of 38 North, a prominent Korean affairs think tank. A last-minute check revealed the email was fabricated — the sender was impersonating Jenny Town, the think tank's real director, who knew nothing of the exchange. DePetris quickly understood he had encountered something coordinated and deliberate.
The group behind the scheme is Thallium, also known as Kimsuky, a North Korean hacking collective active since 2012 that has long targeted governments, academics, and human rights organizations. But early in 2022, their methods shifted. Rather than deploying malware or harvesting passwords, they began simply asking questions — posing as researchers, journalists, and think tank figures to solicit expert opinions on North Korean policy. Microsoft threat analyst James Elliott noted the tactical logic: why hack into an inbox and sift through thousands of emails when you can ask an expert directly for their unfiltered views?
The targets were not chosen at random. Multiple North Korea specialists had already responded with substantive analysis before realizing they had been deceived. The questions were pointed and strategic — probing Western assumptions about Chinese reactions to nuclear tests, Japan's posture toward military provocations, and how the war in Ukraine might factor into Pyongyang's calculations. Some experts had written full reports. None were ever paid the fees they were promised.
Town observed that the fake emails mimicked her signature perfectly, differing only in a domain ending. In one unsettling episode, the impersonator copied her on a reply to an email her fake identity had supposedly sent. DePetris himself was later impersonated, with his name used to solicit manuscript reviews from other analysts.
The campaign's effectiveness lies in its simplicity. As North Korea has grown more isolated under sanctions and pandemic restrictions, Pyongyang has leaned ever harder on cyber operations for intelligence. This approach — low-tech, conversational, and nearly invisible to automated defenses — represents a meaningful evolution in that effort. Security experts acknowledge they have no reliable technical countermeasure, leaving awareness as the only shield.
In October, Daniel DePetris, a foreign affairs analyst based in Washington, received what looked like a routine professional email. The director of 38 North, a respected think tank focused on Korean affairs, was commissioning him to write an article. He almost said yes. Then he checked.
There was no such commission. The email was fake. The sender was someone else entirely—a suspected North Korean intelligence operative posing as Jenny Town, the think tank's actual director. When DePetris contacted Town to confirm, she had no idea what he was talking about. That's when he understood: this wasn't a one-off phishing attempt. It was part of something larger, a coordinated campaign targeting people who shape how the West thinks about North Korea.
Cybersecurity researchers have been tracking a hacking group known as Thallium, also called Kimsuky, for years. Since 2012, the group has targeted government employees, academics, human rights organizations, and think tanks across the globe. But in January of this year, something shifted. The hackers stopped trying to infect computers with malware. They stopped trying to steal passwords or trick people into clicking malicious links. Instead, they simply asked questions. They posed as legitimate researchers, journalists, and think tank directors, and they asked experts to share their thoughts on North Korean policy, to write papers, to offer analysis. The method was almost disarmingly simple, and it was working.
James Elliott, a threat intelligence analyst at Microsoft, explained the appeal from the attackers' perspective: they were getting information directly from the source, unfiltered and uninterpreted. No need to hack into email accounts and sift through thousands of messages. No need to guess what an expert actually believed. Just ask. The tactic bypassed traditional security defenses because there was nothing technically malicious about it—no malware, no suspicious links, no infected attachments. It was just conversation. "For us as defenders, it's really, really hard to stop these emails," Elliott said. The burden fell entirely on the person receiving the message to figure out whether it was real.
The targets were carefully chosen. Microsoft identified multiple North Korea experts who had already responded to these fake inquiries, providing substantive analysis and research. Some had even completed full reports or manuscript reviews before realizing they'd been deceived. The emails asked about specific policy questions: How would China react to a new North Korean nuclear test? Should the West take a quieter approach to North Korean aggression? What was Japan's likely response to military provocations? How did the war in Ukraine factor into Pyongyang's calculations? These weren't random questions. They were the kinds of things a government trying to understand Western policy positions would want to know.
Town, the director whose identity was stolen, noticed that some of the fake emails used addresses ending in ".live" instead of her official ".org" account, but they copied her full signature line perfectly. In one surreal exchange, the impersonator included her in a reply to an email the fake version of her had supposedly sent. DePetris received a follow-up email weeks later, this time impersonating him, asking other analysts to review a manuscript on North Korea's nuclear program. The email offered three hundred dollars for the work. Elliott confirmed that the hackers never paid anyone. They never intended to.
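The domain detail above is the one place a mechanical check helps: the display name and signature were copied exactly, but the sending domain ended in ".live" instead of the real ".org". The following added example (not from the article, Microsoft, or 38 North; the contact names, domains and sample headers are constructed placeholders) flags a From: header whose display name matches a known contact while the domain is either a TLD swap of the real one or a domain that contact never uses.

```python
from email.utils import parseaddr

# Constructed contact directory (hypothetical names and domains, not from the article):
# normalised display name -> set of domains that contact legitimately sends from.
KNOWN_CONTACTS = {
    "jenny town": {"thinktank-example.org"},
    "daniel depetris": {"analyst-example.com"},
}

def split_domain(domain):
    """Return (label, tld) for a domain such as 'thinktank-example.live'."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def classify_sender(from_header):
    """Classify a From: header against the contact directory.

    Returns one of:
      'trusted'        display name and domain both match a known contact
      'tld-swap'       known name, same domain label, different TLD (.org -> .live)
      'name-mismatch'  known name on a domain that contact never uses
      'unknown'        name not in the directory; normal vetting applies
    """
    name, addr = parseaddr(from_header)
    name = " ".join(name.split()).lower()
    domain = addr.rpartition("@")[2].lower()
    allowed = KNOWN_CONTACTS.get(name)
    if allowed is None:
        return "unknown"
    if domain in allowed:
        return "trusted"
    label, _ = split_domain(domain)
    if any(split_domain(d)[0] == label for d in allowed):
        return "tld-swap"
    return "name-mismatch"

def triage(from_headers):
    """Return the headers that should be verified out-of-band before replying."""
    return [h for h in from_headers if classify_sender(h) in ("tld-swap", "name-mismatch")]

# Constructed sample headers illustrating the pattern the article describes.
SAMPLE_FROM_HEADERS = [
    "Jenny Town <jtown@thinktank-example.org>",
    "Jenny Town <jtown@thinktank-example.live>",
    "Daniel DePetris <d.depetris@freemail-example.net>",
    "Some Colleague <colleague@other-example.edu>",
]

if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(h):14s} {h}")
```

A flagged header is a prompt to confirm the request through a channel you already have for that person (a known phone number or the address on file), not proof of impersonation on its own.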
What makes this campaign particularly effective is its low-tech elegance. Impersonation is an old spy craft, but as North Korea has grown more isolated under international sanctions and pandemic restrictions, Western intelligence agencies believe Pyongyang has become increasingly dependent on cyber operations to gather the intelligence it needs. A U.N. panel investigating sanctions evasion identified Thallium's activities as espionage designed to help North Korea avoid economic restrictions. The group has been operating this way for over a decade, but this new approach—simply asking for what you want to know—represents a tactical evolution. It's faster than traditional hacking, harder to detect, and it produces cleaner, more reliable information. DePetris summed up what he believed was happening: "One can only surmise that the North Koreans are trying to get candid views from think tankers in order to better understand U.S. policy on the North and where it may be going." The campaign continues, and security experts are still searching for ways to defend against it.
Notable Quotes
"The attackers are getting the information directly from the horse's mouth, and they don't have to sit there and make interpretations because they're getting it directly from the expert." — James Elliott, Microsoft Threat Intelligence Center
"One can only surmise that the North Koreans are trying to get candid views from think tankers in order to better understand U.S. policy on the North and where it may be going." — Daniel DePetris, foreign affairs analyst
The Hearth Conversation: Another perspective on the story
Why would North Korea bother with this approach when they've had hacking capabilities for years?
Because hacking is messy. You break into an email account, you get thousands of messages, most of them useless. You have to interpret what you find. But if you just ask an expert directly, they tell you what they think. It's cleaner, faster, and you get their actual reasoning.
But doesn't it seem obvious that a think tank director wouldn't suddenly email a stranger asking for analysis?
You'd think so. But these emails are sophisticated. They use real logos, they reference work the person is actually doing, they sound professional. And people in that world get commission requests all the time. The barrier to catching it is just awareness, and that's a thin line.
What does North Korea actually do with this information once they have it?
They're trying to understand where Western policy is headed. If you know what American analysts think about your nuclear program, about how China might react, about what Japan will do—that shapes how you plan your own moves. It's intelligence gathering at the policy level.
Is there a technical way to stop this?
Not really. There's nothing malicious in the email itself. No malware, no suspicious links. It's just words. You can't scan for that. It comes down to the person receiving it being skeptical enough to verify who's actually on the other end.
How many people have fallen for it?
Microsoft identified multiple experts who responded substantively. Some completed full research papers before they realized. We don't know the total number, but the fact that it's still happening suggests it's working often enough to be worth the effort.
What does this say about how vulnerable policy experts are?
It says they're operating in a world where their expertise is valuable enough that someone will impersonate their colleagues to get it. And they're not trained to be suspicious of professional inquiries. That's a real gap.