North Korean hackers shift tactics, tricking experts into writing analysis directly

Getting information directly from the expert, without interpretation
Microsoft researchers explained why North Korea's new social engineering tactic proved more effective than traditional hacking methods.

In the quiet corridors where policy analysis meets professional courtesy, North Korea's Thallium hacking group has discovered something more powerful than malware: the simple human instinct to respond to a colleague's request. Beginning in January 2022, operatives posing as respected think tank figures reached out to foreign policy experts, asking them to share their analysis on North Korean security matters, and many obliged, unknowingly feeding intelligence directly to Pyongyang. The episode shows that an effective intelligence operation need not involve a technical intrusion at all, only the exploitation of trust embedded in professional culture.

  • A routine-looking email request to analyst Daniel DePetris unraveled into a coordinated intelligence operation the moment he verified it with the real sender — who had also been impersonated.
  • Thallium, active since 2012 and linked to the North Korean regime, has abandoned its traditional malware playbook in favor of something far more disarming: simply asking experts what they think.
  • Microsoft's Threat Intelligence Center confirmed that multiple North Korea specialists had already unknowingly handed substantive policy analysis to fake accounts before the scheme was detected.
  • The campaign targets the professional reflex of the policy world itself — experts who publish, speak, and respond to inquiries are structurally vulnerable to a method that mimics legitimate outreach.
  • The shift signals a broader strategic intent: rather than intercepting communications and guessing at meaning, Pyongyang now seeks direct, interpreted insight into how the West is thinking about nuclear diplomacy and security.

When Daniel DePetris, a U.S.-based foreign policy analyst, received what appeared to be a routine email from Jenny Town of the 38 North think tank asking him to write on North Korean security, he had no immediate reason for suspicion. Only when he followed up with Town directly did the deception surface — she had sent nothing, and had herself received a fraudulent message in her name.

The emails were the work of Thallium, a hacking group long believed to operate on behalf of the North Korean regime. Since at least 2012, the group had pursued a familiar technical playbook: spear-phishing, credential theft, malicious links. But beginning in January 2022, they pivoted. Rather than infiltrating systems, they began impersonating legitimate researchers and policy figures, directly soliciting expert views on North Korean policy, potential nuclear tests, and diplomatic strategy.

Microsoft's Threat Intelligence Center tracked the campaign and found that multiple North Korea specialists had unknowingly provided substantive analysis to fake accounts. As researcher James Elliott observed, the method was strikingly efficient — the attackers were receiving expert interpretation firsthand, with no need to decode stolen documents or intercept ambiguous communications.

The tactic exposed a structural vulnerability in the policy world. Analysts and academics are professionally disposed to engage, to share their thinking, to respond to what looks like legitimate inquiry. DePetris's instinct to verify saved him. But the harder question lingered: how many others had simply answered, written their analysis, and sent it back — never knowing they had become an unwitting source for Pyongyang's intelligence apparatus.

Daniel DePetris, a foreign policy analyst based in the United States, opened an email in October 2022 that appeared to come from Jenny Town, director of the 38 North think tank. The message asked him to write an article on North Korean security matters. It looked routine. It wasn't.

When DePetris followed up with Town to discuss the assignment, he discovered she had sent no such request. Town herself had received a similar fraudulent email. What DePetris had stumbled into was the opening move of a sophisticated intelligence operation—one that revealed a fundamental shift in how North Korea's hackers now work. Instead of infiltrating computers, planting malware, or stealing passwords, they were simply asking experts to hand over their analysis.

The emails were part of a campaign by Thallium, a hacking group long suspected of working on behalf of the North Korean regime. Cybersecurity researchers at Microsoft and elsewhere had been tracking the group's evolution. For years, Thallium relied on the traditional playbook: spear-phishing messages designed to trick targets into revealing credentials or clicking malicious links. But beginning in January 2022, the group pivoted to something far simpler and, as it turned out, far more effective. They began impersonating legitimate researchers and policy figures, reaching out to academics, analysts, and think tank experts with direct requests for their views on North Korean policy, Chinese responses to potential nuclear tests, and whether a softer diplomatic approach might be warranted.

The targets were carefully chosen. Microsoft researchers identified multiple North Korea experts who had unknowingly provided substantive information to fake accounts controlled by the attackers. The goal appeared clear: gain direct insight into how Western governments and influential analysts were thinking about North Korea, without the guesswork that comes from stealing intercepted communications or leaked documents. As James Elliott of Microsoft's Threat Intelligence Center explained, the attackers had found a method that worked with stunning simplicity. "The attackers are getting the information directly from the horse's mouth," he said, "and they don't have to sit there and make interpretations because they're getting it directly from the expert."

Thallium itself was not new. A 2020 advisory from U.S. government cybersecurity agencies (which tracks the same group under the name Kimsuky) documented that it had been active since 2012, tasked by Pyongyang with gathering intelligence globally. Historically, it had targeted government officials, academics, think tank researchers, and human rights organizations. But this new approach represented a meaningful evolution in tradecraft. Rather than relying on technical sophistication or malware delivery, the hackers were exploiting something more fundamental: the willingness of experts to engage with what appeared to be legitimate professional inquiries.

The campaign raised uncomfortable questions about the permeability of the policy world. Experts in foreign affairs, by training and temperament, are inclined to share their thinking. They publish, they speak at conferences, they respond to interview requests. The line between legitimate professional outreach and intelligence gathering had become blurry. DePetris's quick thinking—verifying the request with Town directly—had exposed the scheme. But how many others had simply answered the questions, written the analysis, and sent it back, never knowing they were feeding an intelligence operation run from Pyongyang?
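DePetris's out-of-band check with the real sender is the decisive defense, but a recipient or a mail gateway can also flag messages of this kind before anyone replies. The following is an added example, not code from the article, from Microsoft, or from 38 North: the page does not say how the Thallium messages were constructed, so the two sample messages, the address-book entry, and every domain below (`example-thinktank.org`, `examp1e-thinktank.org`, `webmail.example`) are constructed for illustration. It checks the things an impersonation of a known contact usually gets wrong: a familiar display name on an unfamiliar address, a lookalike sending domain, a Reply-To that diverts the conversation elsewhere, and a missing or failed authentication result from the receiving server.

```python
"""Heuristic checks for an e-mail that claims to come from a known contact.

Added example, not code from the article or from Microsoft. The sample
messages, the contact list and all domains are constructed for illustration.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical address book: display name (lower-cased) -> domains that contact
# is known to send from. A real deployment would derive this from the mail
# client's history or a directory rather than a hard-coded dict.
KNOWN_CONTACTS = {
    "jenny town": {"example-thinktank.org"},
}

# Common character substitutions used in lookalike domains. Note that "rn"->"m"
# also rewrites legitimate words containing "rn", so this is a heuristic.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Constructed sample: known display name, lookalike domain, Reply-To diverted
# to a free webmail account, and no authentication results from the MX.
SUSPICIOUS_MSG = """\
From: Jenny Town <jenny.town@examp1e-thinktank.org>
Reply-To: Jenny Town <jenny.town.38north@webmail.example>
To: analyst@example.com
Subject: Would you write a short analysis for us?

Would you be willing to write up your views on the regime's next steps?
"""

# Constructed sample: the same request from the genuine domain, with the
# receiving server recording SPF, DKIM and DMARC passes.
LEGIT_MSG = """\
From: Jenny Town <jenny.town@example-thinktank.org>
To: analyst@example.com
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: Would you write a short analysis for us?

Same request, from the real domain and authenticated by the receiving server.
"""


def normalize_domain(domain: str) -> str:
    """Collapse homoglyph substitutions so lookalikes compare equal to the real domain."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Strip the TLD so 'example-thinktank.co' and '.org' compare on the same stem."""
    return domain.rsplit(".", 1)[0]


def is_lookalike(domain: str, legit: str) -> bool:
    """True if domain is a near-miss of legit (homoglyphs, typos, TLD swap) but not legit itself."""
    if domain == legit:
        return False
    if normalize_domain(domain) == normalize_domain(legit):
        return True
    return edit_distance(registrable_label(domain), registrable_label(legit)) <= 2


def assess_message(raw: str, contacts: dict[str, set[str]] = KNOWN_CONTACTS) -> list[str]:
    """Return human-readable findings for one RFC 5322 message; empty means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # 1. Display name of a known contact paired with an address they never use.
    expected = contacts.get(from_name.strip().lower())
    if expected is not None and from_domain not in expected:
        findings.append(f"display name '{from_name}' matches a known contact but address is {from_addr}")

    # 2. Sending domain is a lookalike of any domain in the address book.
    for legit in set().union(*contacts.values()):
        if is_lookalike(from_domain, legit):
            findings.append(f"sender domain {from_domain} is a lookalike of {legit}")

    # 3. Reply-To silently redirects the conversation to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To {reply_addr} goes to a different domain than From")

    # 4. The receiving server recorded no SPF/DKIM/DMARC evaluation, or DMARC was not a pass.
    auth = msg.get("Authentication-Results", "")
    if not auth:
        findings.append("no Authentication-Results header: SPF/DKIM/DMARC not evaluated by the receiving server")
    elif re.search(r"dmarc=(fail|none)", auth):
        findings.append(f"DMARC result was not pass: {auth.strip()}")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("legitimate", LEGIT_MSG)):
        print(label, assess_message(raw) or ["no findings"])
```

None of these checks proves a message is fraudulent, and a clean result does not prove it is genuine: an attacker who compromises the real account passes all four. They are a cheap pre-filter; the request that survives them still deserves the phone call DePetris made before any analysis is written.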

Microsoft researchers said the tactic had emerged in January and had proven remarkably successful. The attackers had completely changed their operational approach, Elliott noted, moving away from the technical complexity that had defined their earlier campaigns. What remained to be seen was whether Western experts and institutions would adjust their own practices in response—or whether the simplicity and effectiveness of the method would make it a template for intelligence services worldwide.

The attackers are getting the information directly from the horse's mouth, and they don't have to sit there and make interpretations because they're getting it directly from the expert.
— James Elliott, Microsoft Threat Intelligence Center
I figured out pretty quickly this was a widespread campaign.
— Daniel DePetris, foreign policy analyst
The Hearth Conversation: another perspective on the story
Inventor

Why would North Korea shift away from malware and password theft? Isn't that more reliable?

Model

Malware requires technical sophistication and leaves traces. But if you can get an expert to simply write down their analysis and email it to you, you have the real thing—their actual thinking, not an intercepted memo or a leaked document.

Inventor

So they're betting that experts will just... answer?

Model

Exactly. A researcher gets an email from what looks like a legitimate think tank director asking for their views on policy. Most experts are trained to engage with professional inquiries. Why wouldn't they respond?

Inventor

But DePetris caught it. He verified with the real director.

Model

He did, and that's the exception. Microsoft found multiple experts who provided information without realizing they were talking to an imposter. The campaign worked because it exploited normal professional behavior.

Inventor

What were they actually trying to learn?

Model

Western policy thinking on North Korea—how governments view the regime's nuclear program, what diplomatic approaches might work, how China might react. The kind of strategic insight that's hard to steal but easy to get if someone just tells you.

Inventor

Is this a permanent shift, or just one campaign?

Model

It's too early to say, but the fact that it worked so well suggests other intelligence services are probably watching. If North Korea found a method that's simpler and more effective than malware, others will likely try it too.
