AI helped crime investigators identify hacker in half-day

By Dain Oh, The Readable
Dec. 7, 2022 8:40PM KST

A black hat hacker who attempted to sell the personal information of 31 million South Koreans on the dark web was identified in less than half a day with the assistance of artificial intelligence, an expert disclosed on Wednesday.

“The initial report about the hacker was too sensitive to share with anyone but law enforcement,” said Seo Hyun-suk, country director of South Korea for the cybersecurity firm Group-IB, during his presentation at the Cyber Threat Intelligence Korea Conference, which took place on December 7.

Seo Hyun-suk, country director of South Korea for Group-IB, gives a presentation at the Cyber Threat Intelligence Korea Conference on December 7. Photo by Kuksung Nam, The Readable

From November 12 to December 7 of last year, the hacker, who used “zerocool888” as their ID, uploaded a series of posts on a dark web forum claiming to have acquired the personal information of 31 million South Koreans and putting the database up for sale. The data that zerocool888 advertised on RaidForums covered nearly 60% of the entire population of South Korea.

The researchers for Group-IB started their investigation on November 18, discovering the hacker’s Telegram account and email address. After concluding that the exposed identifiers, including the ID zerocool888, had been newly created to sever links to the hacker’s past activity, the investigators discovered that the hacker had until recently used a different ID: zerocool88, only one digit shorter than the current one.

Through additional analysis assisted by AI, the team connected the dots between the two handles and attributed both to a single person: a foreign man residing in Pohang-si, a city in southeastern South Korea. Once they had identified zerocool888, the team went through at least four more verification procedures to confirm their conclusion. Even though the hacker used various names across the web and deleted most of his traces, the researchers could trace his activity in almost every channel by searching their company’s database, which archives documents from the deep and dark web.
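The pivot described above, linking handles that share a selector (an email address or Telegram account) or differ by a single character, can be shown in a few lines. The following is an added example written for this page, not Group-IB’s AICIP or any of its code; every record in it is a constructed placeholder, and the selector values are invented for illustration. It also makes the article’s caveat explicit: a near-identical handle alone is a lead, and a cluster is only treated as corroborated when at least one shared selector backs it up.

```python
"""Toy identity linkage over constructed dark-web archive records.

Added example for illustration; not Group-IB's code. It clusters forum
handles that share a selector (email, Telegram) or sit within one edit
of each other, then flags which clusters rest on handle similarity only.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample records: (platform, handle, selector_type, selector_value).
# All values are placeholders invented for this example.
RECORDS = [
    ("forum-a", "zerocool888", "telegram", "@placeholder_tg"),
    ("forum-a", "zerocool888", "email", "placeholder@example.invalid"),
    ("forum-b", "zerocool88", "email", "placeholder@example.invalid"),
    ("forum-c", "zc_seller", "telegram", "@placeholder_tg"),
    ("forum-a", "nightowl", "email", "other@example.invalid"),
    ("forum-b", "nightow1", "telegram", "@someone_else"),
]


def edit_distance(a, b):
    """Levenshtein distance; handles are short, so the O(len*len) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_handles(records, max_edits=1, min_len=6):
    """Return {root_handle: {"handles": set, "evidence": [(a, b, reason), ...]}}.

    Two pivots are applied with a union-find: identical selectors reused by
    different handles, and handles within `max_edits` of each other (only for
    handles of at least `min_len` characters, to keep short names from
    colliding by chance).
    """
    handles = sorted({r[1] for r in records})
    parent = {h: h for h in handles}
    edges = []

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]  # path halving
            h = parent[h]
        return h

    def union(a, b, reason):
        edges.append((a, b, reason))
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Pivot 1: the same selector value seen on more than one handle.
    by_selector = defaultdict(set)
    for _, handle, stype, svalue in records:
        by_selector[(stype, svalue.lower())].add(handle)
    for (stype, svalue), group in by_selector.items():
        group = sorted(group)
        for other in group[1:]:
            union(group[0], other, f"shared {stype} {svalue}")

    # Pivot 2: near-identical handles, e.g. zerocool88 vs zerocool888.
    for a, b in combinations(handles, 2):
        if min(len(a), len(b)) < min_len:
            continue
        d = edit_distance(a, b)
        if d <= max_edits:
            union(a, b, f"handle edit distance {d}")

    clusters = {}
    for h in handles:
        clusters.setdefault(find(h), {"handles": set(), "evidence": []})["handles"].add(h)
    for a, b, reason in edges:
        clusters[find(a)]["evidence"].append((a, b, reason))
    return clusters


def corroborated(cluster):
    """Handle similarity alone is a lead, not attribution: require a shared selector."""
    return any(reason.startswith("shared ") for _, _, reason in cluster["evidence"])


def cluster_of(clusters, handle):
    """Look up the cluster containing `handle`, or None."""
    for cluster in clusters.values():
        if handle in cluster["handles"]:
            return cluster
    return None


if __name__ == "__main__":
    for cluster in link_handles(RECORDS).values():
        status = "corroborated" if corroborated(cluster) else "needs verification"
        print(sorted(cluster["handles"]), status)
        for edge in cluster["evidence"]:
            print("   ", edge)
```

On the constructed data the zerocool888/zerocool88/zc_seller cluster is backed by a shared email and a shared Telegram handle, while nightowl/nightow1 are joined only by a one-character difference and are reported as needing verification, which is the role the article assigns to the additional checks that followed the initial identification.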

“It did not take half a day to receive the report,” said Seo, referring to the AI platform the researchers used in the zerocool888 investigation, which Group-IB calls an AI cybercrime investigation platform, or AICIP. Depending on the case, identifying a threat actor usually takes cybercrime investigators days or even months. “To connect dots and verify findings among the overwhelming data, automation leveraged by AI is essential,” asserted Seo.

ohdain@thereadable.co

The Readable participated in the CTI Korea Conference as the media sponsor.

The cover image of this article was designed by Areum Hwang.

Dain Oh is an award-winning cybersecurity journalist based in South Korea and the founding editor-in-chief of The Readable by S2W. Before joining S2W, she worked as a reporter for The Electronic Times, the top IT newspaper in Korea, covering the cybersecurity industry in depth. She reported numerous exclusive stories, and her work related to the National Intelligence Service led to her being honored with the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology in a unanimous decision. She was also the first journalist to report on the hacking of vulnerable wallpads in South Korean apartments, which later became a nationwide issue.