Alejandro Cáceres, the hacker who took down North Korea’s internet from his home: ‘My attack was a response to their attempt to spy on me’

The start of 2022 must have been hectic in the high offices of Pyongyang. The North Korean army carried out several ballistic missile tests during the month of January, which for the regime is synonymous with joy and celebration. But the festive mood didn’t last long. Right after the last test, the internet went down across the country. A wave of cyberattacks left all systems on hold for more than seven days. First, the main national websites failed, from the official news site to the booking page of the national airline. Then, the Asian state’s connections with the rest of the world were interrupted. Emails could not be sent or received; there was no connection to cloud services. The blockade was complete.

The coincidence in time of the military maneuvers and the cyber assault caused many observers to view the incident as the response by some Western government to North Korea’s war games. Nothing could be further from the truth. The whole thing had been orchestrated by a single man from his home in Miami, someone known as P4x (read Pax). He did it at night, in shorts and flip-flops, and with frequent visits to the refrigerator for beer and snacks. He wrote what he considers to be simple programs on his laptop, rented several remote servers, and sat back to watch how his plans panned out. His motivations were not geopolitical, he didn’t care about the missiles. It was personal: he wanted to hit back at the North Koreans, who had tried to break into his computer a year earlier. “Something had to be done. I believe that if someone attacks you, you have to respond,” the American P4x tells EL PAÍS in perfect Spanish.

The hacker documented his cyberattack, recording videos and taking screenshots of the entire process to prove that he had done it alone. He shared the details of his North Korean incursion with Wired magazine, which confirmed his authorship and published the story in February 2022, shortly after the events. Now, after two years, P4x has made an unusual decision in the world of hackers: to come forward. The man who stopped the internet in an entire country is Alejandro Cáceres, he is 39 years old, and he owns his own cybersecurity company, Hyperion Gray. Born in the United States to Colombian parents, he has tattoos emerging from under the sleeves of his shirt: his right arm shows the nickname he used before the North Korean affair, _hyp3ri0n; on the left arm, there is a cryptographic hash that encloses a word. His commitment to the hacker community goes beyond his arms. When asked if he has participated in the cyber defense of Ukraine, a cause supported by thousands of cybersecurity experts around the world, he answers: “I don’t remember.”

Cáceres has challenged a totalitarian regime and then revealed his identity. He does not seem to fear for his life, although he takes precautions. “In fact… look,” he says during the video call with EL PAÍS from his home-office in Florida. He opens a drawer, takes out an automatic pistol and shows it to the camera. “I don’t like weapons, but talking to military and intelligence service officers, they told me that things could happen. So now on my table I have the keyboard, the mouse, the microphone and the Glock,” he says, laughing. His light eyes stand out on his somewhat pale and bearded face. Brown curls peek out from under his threadbare baseball cap. It is 11 in the morning in Miami and he looks like someone who has spent the night at the computer. He sips an energy drink throughout the interview, which was held a month and a half after he came out of the cyberspace closet.

“During this time no one has attacked me. Before I did what I did, I looked at the numbers. In the last 45 years, the North Korean regime has only murdered two people: one was Kim Jong-un’s brother and the other, an American who was in the country,” he says, alluding to Otto Warmbier, a young man who was imprisoned in North Korea and arrived in a vegetative state in the United States, where he died a few days later. Cáceres decided that the risk was acceptable. “Dennis Rodman hasn’t come to beat me up yet,” he laughs, in reference to the Chicago Bulls legend, who has shown off his friendship with Kim Jong-un.

Dennis Rodman hasn’t come to beat me up yet. But now on my table I have the keyboard, the mouse, the microphone and the Glock

He remembers that “a strange thing” once happened to him. He met a girl through a dating app who claimed to be a Canadian-Japanese neuroscientist. “When we met I saw that she was clearly Korean. I also verified that the person writing the messages was someone else, who was barely understandable. I started looking for information about her and couldn’t find anything. She told me that she had changed her name because she was related to a North Korean dictator named Kim. “That’s where I said goodbye.” That happened in March of this year, shortly before P4x revealed his identity.

Other than that, his life hasn’t changed much: he doesn’t go out a lot and avoids problematic, poorly lit neighborhoods. Since he came forward, he has started receiving about 200 messages a day. “Many people want to partner and work with me, others see me as a good hacker and ask me for help. I’m a little exhausted,” he confesses, although he is an active user of X, where he doesn’t bite his tongue and displays his sarcastic sense of humor.

Romance and disagreements with the Pentagon

One set of people that Cáceres has collaborated with a lot is U.S. authorities. For a decade and a half, through his cybersecurity company, he has worked with the Pentagon, DARPA (Defense Advanced Research Projects Agency) and the FBI, among others. And ever since he took down the internet in North Korea, he has also been approached by the National Security Agency (NSA). Everyone wanted to know how he did it. “Officially they can’t say shit about what they told me regarding my cyberattack, but they were happy. I know what I did is illegal, but I couldn’t imagine North Korea taking me to court.”

Cáceres has tried, but his relationship with the security agencies has not quite worked out. “My attack on North Korea was a response to their attempt to spy on me, but it was also a message to the United States,” he says. He still remembers the exact moment he realized that the North Koreans were inside his computer. On January 24, 2021, he received an alleged exploit (a script that exploits a vulnerability) sent to him by another hacker. The next day, the Google Threat Analysis Group warned him of a North Korean espionage campaign targeting cybersecurity experts. He opened the file in a safe environment and sure enough, it was malware targeting him. He reported it to the FBI, but after three telephone interviews, it didn’t go any further.

“It seemed very evident to me that they didn’t know what to do, they had no plan, they had nothing. A group of terrorists protected by a failed state had attacked U.S. citizens and they were not going to do anything? It didn’t seem right to me.” Cáceres accumulated resentment for almost a year until, one night, he decided to start studying the architecture of North Korea’s systems. “I found surprising things,” he explains. There were two large routers that centralized the connections of the entire country (although it has 26 million inhabitants, very few have access to the internet). “I Googled their features and saw that they weren’t even giant, but rather medium-sized.”

From that moment on, the plan began to take shape in his head. He rented all types of servers around the country in the cloud and designed a denial of service (DoS) attack, which consists of saturating the target system with so many actions or data requests that it ends up jamming. In this case, Cáceres, or rather P4x, bombarded the North Korean routers from the servers he had rented, sending many packets of information and making data transmission extremely slow. To do this, it exploited some vulnerabilities in the country’s digital infrastructures, which were very old and, therefore, had security gaps.

In the US we have very, very good people working on our cyber defense, but they are hogtied

His feat did not go unnoticed. Over the next year he had meetings with officials from the United States Cyber Command, the branch of the armed forces dedicated to this field. He also met with officers from the Marines, the Space Operations Command and intelligence (NSA). Cáceres shared with them the keys to his successful operation and told them that, in his opinion, similar operations could be carried out with small commandos of two to four hackers. That would give them agility, autonomy and the ability to react.

He tried, but failed. “To do anything you need authorization, which takes six months to get. And when you get it, what you wanted to do no longer works. That is the reality here in the U.S.: we have very, very good people working on our cyber defense, but they are hogtied. They can’t do anything, even though I know we have the resources to do a lot.”

Cáceres got fed up and decided to stop working with the government. He is working again on his own with his company, Hyperion Gray, although he has added a partner, George Perera, a veteran police officer specializing in cybercrime.

Cáceres’ disillusionment with the system is one of the reasons that led him to reveal his identity. He believes the U.S. should take a much more aggressive approach in the cyber arena. If there are groups like the North Korean Lazarus, capable of stealing hundreds of millions of dollars in cryptocurrencies in a single year, why aren’t they being attacked? “Sometimes I have been told that this cannot be done, that there are diplomatic relations to maintain. And I say: it’s North Korea, who gives a shit. Others say that if the door to retaliation in cyberspace is opened, it will no longer be closed. But, let’s not be fooled, that door was opened a long time ago.”

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition