A black hat hacker who attempted to sell the personal information of 31 million South Koreans on the dark web was identified in less than half a day with the assistance of artificial intelligence, an expert disclosed on Wednesday.
“The initial report about the hacker was too sensitive to share with anyone but law enforcement,” said Seo Hyun-suk, country director of South Korea for the cybersecurity firm Group-IB, during his presentation at the Cyber Threat Intelligence Korea Conference, which took place on December 7.
From November 12 to December 7 of last year, a hacker using the handle “zerocool888” uploaded a series of postings to a dark web forum claiming to have acquired the personal information of 31 million South Koreans and offering the database for sale. The records zerocool888 advertised on RaidForum covered nearly 60% of the entire population of South Korea.
Group-IB’s researchers began their investigation on November 18 and located the hacker’s Telegram account and email address. After concluding that the exposed identifiers, including the handle zerocool888, had been created recently to sever links to the hacker’s past activity, the investigators established that the hacker had until recently used a different handle, zerocool88, only one digit shorter than the current one.
Through additional AI-assisted analysis, the team connected the two handles and attributed both to a single person: a foreign man residing in Pohang-si, a city in southeastern South Korea. Once they had identified zerocool888, the team carried out at least four further verification steps to confirm the conclusion. Although the hacker had used various names across the web and deleted most of his traces, the researchers were able to trace his activity on almost every channel by consulting their company’s database, which archives documents collected from the deep and dark web.
“It did not take half a day to receive the report,” said Seo, referring to the AI platform the researchers used in the zerocool888 investigation. Group-IB calls it an AI cybercrime investigation platform, or AICIP. Depending on the case, identifying a threat actor usually takes cybercrime investigators several days or even months. “To connect the dots and verify findings among the overwhelming data, automation leveraged by AI is essential,” asserted Seo.
The Readable participated in the CTI Korea Conference as the media sponsor.