Nick Roy
@superducktoes.bsky.social
📤 34
📥 21
📝 13
nkinternet.wordpress.com
Gunnersbury Avenue: Sniffing the DPRK Embassy’s WiFi The North Korean embassy has
been in the news lately
, so it felt like a good time to finally write this up. A couple of weeks ago I was in London and stopped by my favorite embassy. I usually stop by whenever I'm in town but this time was a…
loading . . .
Gunnersbury Avenue: Sniffing the DPRK Embassy’s WiFi
The North Korean embassy has been in the news lately, so it felt like a good time to finally write this up. A couple of weeks ago I was in London and stopped by my favorite embassy. I usually stop by whenever I'm in town but this time was a little different, I packed my Flipper Zero with the Wifi board for sniffing wireless traffic in the neighborhood.
https://nkinternet.com/2026/06/23/gunnersbury-avenue-sniffing-the-dprk-embassys-wifi/
15 days ago
0
0
0
DPRK Captive Portal Infrastructure Found in Testing Taking a break from fake DPRK companies for a while, there was some interesting activity that I recently noticed on 175.45.176.97. Between May 14th and May 17th, 175.45.176.97 a request to the root of the server returned a 302 and was redirecting…
loading . . .
DPRK Captive Portal Infrastructure Found in Testing
Taking a break from fake DPRK companies for a while, there was some interesting activity that I recently noticed on 175.45.176.97. Between May 14th and May 17th, 175.45.176.97 a request to the root of the server returned a 302 and was redirecting to recoshield.com which appears to be a South Korean company that manufacturers paint and windshield protectors. Headers from the server showed the following:
http://nkinternet.com/2026/05/26/dprk-captive-portal-infrastructure-found-in-testing/
about 1 month ago
0
0
0
Part 2 of tracking DPRK recruiting scams
loading . . .
More Fake Devs, More Fake Companies: vexxloso and Nixsora.com
If you haven't read part 1, you can read it here: In order to keep the first part of this short the plan was to break it into a series of smaller posts. However, within 7 days after publishing the last post most of the accounts were taken down. So what's left and what accounts did they pivot to?
http://nkinternet.com/2026/04/26/more-fake-devs-more-fake-companies-vexxloso-and-nixsora-com/
2 months ago
0
0
0
Tracking brand new DPRK front companies and personas
loading . . .
npm Malware, Fake Devs, and Deepfake Videos: These Are A Few of My Favorite DPRKÂ Things
What started as what I thought was going to be a quick look into a suspicious GitHub organization turned into a much deeper rabbit hole with an active npm backdoor, more than a dozen fake developer personas, and recruitment posts looking for overseas facilitators. Individually there's a lot of interesting pieces here but together they map closely to documented DPRK tradecraft.
http://nkinternet.com/2026/04/07/npm-malware-fake-devs-and-deepfake-videos-these-are-a-few-of-my-favorite-dprk-things/
3 months ago
0
0
0
My favorite DPRK IT workers are the ones just straight up trying to export surveillance software
loading . . .
Made for Export: North Korea’s Software Catalog
An email discovered last year that was sent from North Korea’s internet infrastructure offers a rare look at how DPRK software developers market their work abroad. While most recent reporting has focused on North Korean IT workers fraudulently obtaining jobs at Western companies, the documents attached to this message appear to represent something different: a catalog of domestically developed software being pitched to commercial partners overseas.
http://nkinternet.com/2026/03/10/made-for-export-north-koreas-software-catalog/
4 months ago
0
1
0
Hunting For North Korean Fiber Optic Cables Before we go any further, one thing that I want to make clear is that the word assume is going to be doing some heavy lifting throughout this post. This was a rabbit hole that I recently went down and I probably have more questions than answers, but I…
loading . . .
Hunting For North Korean Fiber Optic Cables
Before we go any further, one thing that I want to make clear is that the word assume is going to be doing some heavy lifting throughout this post. This was a rabbit hole that I recently went down and I probably have more questions than answers, but I still wanted to document what I had found so far. If you have additional information or findings you want to share, as always feel free to reach out: …
http://nkinternet.com/2025/12/08/hunting-for-north-korean-fiber-optic-cables/
7 months ago
0
4
2
part 2 of digging into north koreas vpn
loading . . .
Hangro: Investigating North Korean VPN Infrastructure Part 2
If you haven’t seen part 1, it provides an overview of the service as well as the domains and IPs supporting the infrastructure. Continuing my analysis of the Hangro VPN IPs and service I started querying the IPs directly as well as started taking some first steps towards reversing an older sample of the Hangro VPN client. Using OpenSSL as well as a few other tools provided some additional details on how the VPN functions.
https://nkinternet.wordpress.com/2025/07/16/hangro-investigating-north-korean-vpn-infrastructure-part-2/
12 months ago
1
0
0
North Korea Offline With Invalid Routes for AS131279 On March 18, 2025, at around 9:38 AM UTC, connectivity to AS131279 dropped. Shortly after, at 9:50 AM UTC, a change in the Start of Authority (SOA) record and an update to the Route Origin Authorization (ROA) were detected. The update introduced…
loading . . .
North Korea Offline With Invalid Routes for AS131279
On March 18, 2025, at around 9:38 AM UTC, connectivity to AS131279 dropped. Shortly after, at 9:50 AM UTC, a change in the Start of Authority (SOA) record and an update to the Route Origin Authorization (ROA) were detected. The update introduced a new ROA for 175.45.176.0/22, authorizing AS131279 as the origin but setting a maximum prefix length of /22. Previously, AS131279 had been announcing four /24s (175.45.176.0/24, 175.45.177.0/24, etc.), which had not been marked as invalid.
https://nkinternet.wordpress.com/2025/03/18/north-korea-offline-with-invalid-routes-for-as131279/
over 1 year ago
0
0
0
North Korea whois records hijacked?
loading . . .
North Korea whois records hijacked?
https://nkinternet.wordpress.com/2025/02/23/north-korea-whois-records-hijacked/
over 1 year ago
0
0
0
Someone having a bad day in North Korea. Whois records just changed
over 1 year ago
0
0
0
Hangro: Investigating North Korean VPN Infrastructure Part 1 In a post from a now-deleted user on the webdev subreddit, someone asked about how to acquire a .kp TLD. While there were a few decent responses, the original poster shared an update: they successfully obtained a domain but noted that a…
loading . . .
Hangro: Investigating North Korean VPN Infrastructure Part 1
In a post from a now-deleted user on the webdev subreddit, someone asked about how to acquire a .kp TLD. While there were a few decent responses, the original poster shared an update: they successfully obtained a domain but noted that a VPN is required to access the website. This raised intriguing questions about VPN usage in North Korea. While several VPN providers claim to operate from North Korea, most merely offer false IP geolocation.
https://nkinternet.wordpress.com/2025/01/06/hangro-north-korean-vpn-infrastructure/
over 1 year ago
0
2
0
you reached the end!!
feeds!
log in