The attacker gets information directly from the source, unfiltered and candid
In the quiet corridors of foreign policy research, a new kind of deception has taken root: North Korean intelligence operatives, working under the name Thallium, have abandoned the tools of traditional cyber intrusion in favor of something far more elegant and unsettling — simply asking. Beginning in early 2022, these operatives began impersonating respected think tanks and researchers to commission genuine policy analysis from the very experts who shape international understanding of North Korea. The operation, uncovered in part when Washington analyst Daniel DePetris traced a suspicious email back to a fabricated identity, reveals how the oldest human vulnerability — the willingness to help a trusted colleague — has become the most exploitable gap in modern intelligence defense.
- North Korean hackers have abandoned malware entirely, instead posing as legitimate researchers and journalists to solicit candid policy analysis directly from the experts who produce it.
- Some of the most influential North Korea analysts unknowingly handed over full research reports before discovering the requests came from Pyongyang's intelligence apparatus, not their professional peers.
- The deception reached surreal heights when the real Jenny Town of 38 North was copied into an email thread alongside an impersonator using her own identity, collapsing the boundary between attacker and target.
- Microsoft's threat intelligence team warns that this approach is nearly impossible to stop with conventional cybersecurity tools — no malware, no suspicious links, just a convincing email and a plausible request.
- The questions Thallium asked were surgically precise: how would China react to a new nuclear test, what did U.S. policy signals suggest, and how might the Ukraine war reshape North Korean calculations — intelligence gold, delivered voluntarily.
When Washington-based foreign policy analyst Daniel DePetris received an email in October appearing to come from Jenny Town, director of the 38 North think tank, it looked like a routine professional request. It was not. A quick follow-up with Town revealed she had sent nothing of the sort — and that she herself had been targeted by the same sender. DePetris had stumbled into the front edge of a quietly running intelligence operation.
The campaign belongs to Thallium, also known as Kimsuky, a North Korean hacking group tracked by U.S. cybersecurity agencies since 2012. For a decade, Thallium operated through conventional spear-phishing — stealing credentials, planting malware, compromising accounts. But starting in January 2022, the group shifted to something far simpler and more effective: impersonation. Posing as think tanks, academic institutions, and journalists, operatives began emailing prominent North Korea specialists with seemingly legitimate requests — write us a paper, review this manuscript, share your analysis. Some experts provided full reports before realizing they had been deceived.
The targets were carefully chosen. Microsoft's threat intelligence team identified multiple specialists whose work directly shapes how foreign governments and international media interpret North Korean policy. The impersonation of Town was particularly elaborate — attackers used email addresses ending in ".live" instead of ".org" while copying her signature exactly, and in one exchange, included the real Town in a reply alongside her own impersonator. Three weeks after the fake 38 North request, a separate attacker impersonated DePetris himself, emailing other researchers with a draft manuscript and offering $300 for reviews — payment that was never intended to arrive.
James Elliott of Microsoft's Threat Intelligence Center explained the method's devastating simplicity: there is no malware to detect, no suspicious link to flag. The attacker receives unfiltered, expert-level intelligence directly from the source. "In most cases it comes down to the recipient being able to figure it out," Elliott said — a thin and unreliable last line of defense.
The questions Thallium posed were precise and revealing: how would China respond to a new North Korean nuclear test, might a softer diplomatic posture be justified, what did U.S. and Russian policy signals suggest about the Ukraine conflict's effect on Pyongyang's calculations. DePetris concluded the operation was designed to give North Korea candid, unguarded assessments of American intentions. A U.N. panel investigating sanctions evasion has since listed Thallium's activities as espionage aimed at helping North Korea circumvent international restrictions — intelligence gathered not through infiltration, but through the disarming simplicity of asking.
Daniel DePetris, a foreign policy analyst based in Washington, opened an email in October that appeared to come from Jenny Town, director of the 38 North think tank. The message asked him to write an article on North Korean security issues. It looked routine. It wasn't.
When DePetris followed up with Town directly, he discovered she had sent no such request. Worse, Town herself had been targeted by the same sender. What DePetris had stumbled into was the leading edge of a new intelligence operation: North Korean hackers were no longer trying to steal passwords or plant malware. They were simply asking policy experts to write reports for them, and many were complying without realizing who was actually asking.
The campaign belongs to a hacking group researchers call Thallium, also known as Kimsuky, which U.S. government cybersecurity agencies have tracked since 2012. For a decade, Thallium operated like most state-sponsored hacking groups—sending spear-phishing emails designed to compromise accounts, steal credentials, or load destructive code onto computers. But starting in January 2022, the group shifted tactics entirely. Instead of technical attacks, they began impersonating think tanks, academic institutions, and journalists. They would email prominent North Korea experts with seemingly legitimate requests: write us a paper, review this manuscript, share your thoughts on policy questions. Some experts provided full reports and detailed analysis before realizing they had been deceived.
The targets were not random. Microsoft's threat intelligence team identified multiple North Korea specialists who had unknowingly handed over substantive research to Thallium operatives. These were people whose work shapes how foreign governments and international media understand North Korean policy. Jenny Town herself received emails using addresses that mimicked her official account—ending in ".live" instead of ".org"—but copied her signature perfectly. In one surreal exchange, the attacker posing as Town included the real Town in a reply, creating a conversation between the imposter and her actual self.
DePetris described the emails as sophisticated. They included think tank logos, professional formatting, and requests that seemed entirely plausible to someone in his field. Three weeks after the initial fake request from 38 North, a different attacker impersonated DePetris himself, emailing other researchers with a draft manuscript on North Korea's nuclear program and offering $300 for manuscript reviews. The hackers never intended to pay. They were gathering intelligence.
James Elliott of Microsoft's Threat Intelligence Center explained why this approach works so well. The method is simple, fast, and devastatingly effective. It bypasses every technical security system designed to catch malicious emails—there is no malware to detect, no suspicious link to flag. The attacker gets information directly from the source, unfiltered and candid, without having to steal someone's email account and sift through thousands of messages. "For us as defenders, it's really, really hard to stop these emails," Elliott said. "In most cases it comes down to the recipient being able to figure it out."
The questions Thallium asked were precise and revealing. They inquired about China's likely response to a new North Korean nuclear test. They asked whether a softer diplomatic approach to North Korean aggression might be justified. They probed how Japan was responding to North Korean military activity. One email, posing as a reporter from Japan's Kyodo News, asked a 38 North staff member how the Ukraine war might factor into North Korean calculations, and what U.S., Chinese, and Russian policies toward the conflict might signal. DePetris concluded the operation was designed to give Pyongyang candid assessments of American policy intentions and where those intentions were heading.
U.S. intelligence agencies believe North Korea has grown increasingly dependent on cyber operations as international sanctions have tightened and the country's isolation has deepened. A U.N. panel investigating sanctions evasion explicitly listed Thallium's activities as espionage aimed at helping North Korea circumvent international restrictions. The operation represents a fundamental shift in how state actors can gather intelligence in the digital age—not through theft or infiltration, but through the simple, direct act of asking.
Notable Quotes
"The attackers are having a ton of success with this very, very simple method. The attackers have completely changed the process." — James Elliott, Microsoft Threat Intelligence Center
"One can only surmise that the North Koreans are trying to get candid views from think tankers in order to better understand U.S. policy on the North and where it may be going." — Daniel DePetris, foreign policy analyst
The Hearth Conversation
Another perspective on the story
Why would a policy expert just write a report for someone they don't know?
Because the request comes from someone they do know—or appears to. The email looks like it's from Jenny Town or a legitimate think tank. The person asking seems credible, the topic is in their wheelhouse, and there's no obvious red flag.
But surely these experts are cautious about who they share their work with?
They are, usually. But this isn't a stranger asking for secrets. It's a colleague or institution asking for something they already do—write analysis, review manuscripts. The attacker is asking for exactly what the expert would normally provide to a legitimate client.
So the hackers are relying on the target's own routine?
Exactly. They're not trying to trick someone into doing something unusual. They're asking for something completely normal, just from the wrong person. And by the time the expert realizes the request wasn't real, they've already handed over substantive thinking on North Korean policy.
What makes this better than stealing someone's email account?
Speed, mostly. Breaking into an account takes time and technical skill. This takes a convincing email. You also get the expert's actual thinking, not fragments scattered across their inbox. And there's nothing to detect—no malware, no suspicious code, just a conversation.
Can security teams stop this?
Not easily. Traditional defenses look for malicious files or links. This has neither. It comes down to the person receiving the email noticing something is off—checking the sender address carefully, verifying the request directly with the supposed sender.
And how often do people do that?
Not often enough. That's why it's working.
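The sender check the conversation ends on can be automated for the two patterns the article describes: a trusted contact's display name arriving from a TLD-swapped lookalike domain, and the real person copied onto the same thread as the impersonator. This is an added example, not code from the article or from Microsoft; the contact directory, names and domains are constructed placeholders.

```python
import email
from email.utils import getaddresses

# Constructed directory: display name -> domain that person actually mails from (placeholder entry).
TRUSTED_CONTACTS = {"dana director": "thinktank.org"}

def second_level(domain):
    """'thinktank.live' -> 'thinktank': the label a TLD swap leaves intact."""
    labels = domain.lower().split(".")
    return labels[-2] if len(labels) >= 2 else domain.lower()

def norm(name):
    return " ".join(name.lower().split())

def check_message(raw):
    """Return findings for one RFC 5322 message; an empty list means nothing odd."""
    msg = email.message_from_string(raw)
    sender = getaddresses([msg.get("From", "")])
    name, addr = sender[0] if sender else ("", "")
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. Known display name, but not the mailbox that contact normally uses.
    expected = TRUSTED_CONTACTS.get(norm(name))
    if expected and domain != expected:
        kind = "lookalike domain" if second_level(domain) == second_level(expected) else "unexpected domain"
        findings.append(f"{kind}: '{name}' sent from {domain}, expected {expected}")
    # 2. The claimed sender also appears as a recipient at a different address (impersonator and real person on one thread).
    for rname, raddr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        if name and norm(rname) == norm(name) and raddr.lower() != addr.lower():
            findings.append(f"sender name also present as recipient: {raddr}")
    return findings

# Constructed samples: a trusted name with the TLD swapped and the real contact copied in, then a clean message.
SUSPECT = """\
From: Dana Director <dana@thinktank.live>
To: analyst@example.org
Cc: Dana Director <dana@thinktank.org>
Subject: Request for a short policy piece

Could you write us 1,500 words on recent developments?
"""
CLEAN = """\
From: Dana Director <dana@thinktank.org>
To: analyst@example.org
Subject: Follow-up

Thanks for the draft.
"""
```

A hit on either finding is a cue to confirm the request with the supposed sender through a channel you already trust, not by replying to the message.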