Unmasking the Vigilante Hacker Who Took Down North Korea’s Internet

Andy Greenberg

A little over two years have passed since the online vigilante who would call himself P4x fired the first shot in his own one-man cyberwar. Working alone in his coastal Florida home in late January of 2022, wearing slippers and pajama pants and periodically munching on Takis corn snacks, he spun up a set of custom-built programs on his laptop and a collection of cloud-based servers that intermittently tore offline every publicly visible website in North Korea and would ultimately keep them down for more than a week.

P4x’s real identity, revealed here for the first time, is Alejandro Caceres, a 38-year-old Colombian-American cybersecurity entrepreneur with hacker tattoos on both arms, unruly dark brown hair, a very high tolerance for risk, and a very personal grudge. Like many other US hackers and security researchers, Caceres had been personally targeted by North Korean spies who aimed to steal his intrusion tools. He had detailed that targeting to the FBI but received no real government support. So he decided to take matters into his own hands and to send a message to the regime of Kim Jong Un: Messing with American hackers would have consequences. “It felt like the right thing to do here,” Caceres told WIRED at the time. “If they don’t see we have teeth, it’s just going to keep coming.”


As he sought an outlet to broadcast that message to the Kim regime, Caceres told his story to WIRED while he carried out his attack, providing screen-capture videos and other evidence that he was, in fact, single-handedly disrupting the internet of an entire country in real time. But it was only just before going public that he decided to invent the P4x pseudonym for himself. The handle, pronounced “pax,” was a cheeky allusion to his intention of forcing a kind of peace with North Korea through the threat of his own punitive measures. He hoped that by hiding behind that name, he might evade not just North Korean retaliation but also criminal hacking charges from his own government.

Instead of prosecuting him, however, Caceres was surprised to find, in the wake of his North Korean cyberattacks, the US government was more interested in recruiting him. Caceres would spend much of the next year on a strange journey into the secretive world of America’s state-sponsored hacking agencies. Adopted informally by a Pentagon contractor, he was invited to present his techniques to high-level US defense and intelligence officials. He carried out a long-term hacking project designed to impress his new audience, hitting real foreign targets. And he pitched Department of Defense officials on a mode of US government-sanctioned cyberattacks that, like his solo North Korean takedown, would be far leaner, faster, and arguably more effective than Washington’s slow and risk-averse model of cyberwar.

Caceres worried after his attack on North Korea that the US government might prosecute him. Instead, he was surprised to find that it was more interested in recruiting him.


Caceres’ pitch never got the green light. Now, partly due to his frustration with that experience, he’s finally dropping his pseudonym to send a new message, this one aimed at his fellow Americans: that the US government needs to wield its hacking powers far more aggressively. “Both the NSA and the DOD have a ton of talented hackers, yet when it comes to actually performing disruptive cyber operations, for some reason we as a country are just frozen and scared,” Caceres says. “And that needs to change.”

Ransomware actors, largely based in Russia, extracted over one billion dollars in extortion fees from companies in 2023 while wreaking havoc on hospitals and government agencies. Meanwhile, hackers affiliated with North Korea stole another $1 billion in cryptocurrency in the same year, funneling the profits to the Kim regime. All of this hacking against the West has gone on without any notable retaliation or punishment. “We just observe as they hack us,” says Caceres.

Caceres argues that it is high time for the US to try the P4x approach: American government hackers, in his view, should demonstrate and use their capabilities far more often against foreign cyber threats.

Partnering with an anonymous Pentagon contractor, Caceres has spent the better part of the past two years advocating within the US government for a bolder approach to combating state-sponsored cyberattacks. They describe it as a special forces model, in which individual hackers or small teams execute quick, narrowly targeted digital disruptions, in contrast to the US’s traditionally slower and more bureaucratic way of handling cyber warfare.

“You can make a difference here, it can be asymmetrical, and it can happen on a much faster timescale,” summarises the founder of the hacking startup that collaborated with Caceres to present this proposition to the Pentagon.

He cites a military principle that each member of a special forces unit should have the effect of 16 conventional soldiers. “With what we and P4x were doing, we wanted to increase that ratio a hundredfold,” he says. “And P4x would teach other operators how to do it.”

In his public life as a security researcher, Caceres is known as a talented and sometimes brash figure in the hacker community: The second-generation Colombian-American, who used the hacker handle _hyp3ri0n long before he adopted the P4x pseudonym, is the founder of the cybersecurity startup Hyperion Gray and a frequent speaker at events like the Defcon hacker conference, where he has shared methods for lone hackers to amplify their reach and effects through cloud services and high-performance computing clusters. He’s also the creator of a somewhat controversial vulnerability scanning tool called PunkSpider, which he announced at Defcon in 2021 that he intended to use to scan every website in the world and publicly reveal all of their hackable vulnerabilities.

From the beginning of his hacker career, Caceres has never been one to shy away from the most aggressive applications of the digital dark arts. His first job out of college, while he pursued a graduate degree in international science and technology policy, was working for a subsidiary of the notorious military contractor formerly known as Blackwater, doing open-source intelligence investigations for corporate security and executive protection—what he describes as a “Google sweatshop.” Within a few years, however, Caceres and his startup Hyperion Gray were getting grants from the Pentagon’s Defense Advanced Research Projects Agency, using his growing prowess in cloud and high-performance computing to scan the dark web as part of Darpa’s Memex program devoted to advancing search technologies for national security applications.


In that dark-web scouring, Caceres says, he regularly came upon child sexual abuse materials forums and even violent extremist content. He admits that he didn’t hesitate to hack some of those sites, pulling data off their backend servers and anonymously handing it to contacts at the Department of Homeland Security. “That probably wasn’t 100 percent legal,” he says, “but I didn’t necessarily give a fuck.”

Even his startup’s name, Hyperion Gray, reflected the murky territory Caceres had come to operate in: It combined his _hyp3ri0n hacker handle, the name of a Titan from Greek mythology, with a color that sits between whitehat and blackhat hacking.

When Caceres became a target of North Korean hackers in 2021, he did not take it lightly. In January of that year, a hacker he did not know reached out to him online through a mutual acquaintance, offering an intriguing software exploitation program for Caceres to download. A day or two later, Caceres came across a blog post from Google’s Threat Analysis Group reporting that North Korean hackers were targeting US security researchers, apparently in an attempt to steal their hacking tools and intelligence. When he inspected the downloaded file, he found it contained a backdoor, but because he had run the program in isolation on his device, he was not fully compromised.

A snapshot of Caceres was taken before he decided to disclose his identity as P4x.

Disgusted by the hacking attempt, Caceres reported it to the FBI. He says the bureau conducted a basic fact-finding interview with no significant follow-up. So, after nursing his resentment for a year, he decided to handle things himself. In January 2022, he began running custom hacking scripts that targeted specific North Korean routers handling the internet traffic into and out of the country, repeatedly checking whether they were online and, when they were, ramping up his malicious requests until they crashed. He described the work to WIRED as roughly comparable to a “small-to-medium” penetration test of the kind Hyperion Gray would perform for its clients.


It wasn’t long before North Korea watchers noticed that the country’s entire internet, from the government gateway to its state-run airline’s reservation website, had been knocked offline for an extended period by what appeared to be a cyberattack. Media reports speculated that it might be the work of another country’s cyber units retaliating for North Korea’s recent missile tests, a signal from the US or perhaps China that it should stop menacing its neighbors. In reality, it was the work of one unhappy man in Florida, still in his pajamas.

Although the US government may not have been involved in North Korea’s internet outage, it did show a quiet interest. After WIRED published its story about P4x’s lone hacking feat, Caceres began receiving messages from hacker colleagues with ties to the Pentagon and intelligence agencies. They were writing not to P4x but to Caceres’ real-name accounts. He was told that multiple agencies were fascinated by his efforts and eager to talk with him.

Those in the know had found it alarmingly easy to identify Caceres: Before he adopted the P4x pseudonym, he had inadvertently dropped hints about his focus on North Korea on his Twitter account. After P4x went public about the attack, a fellow hacker even posted screenshots of Caceres’ now-deleted tweets, without spelling out exactly what they revealed.

A friend discussed Caceres’ work with a high-ranking military official, then told Caceres that the official wanted him to connect with a longtime military intelligence contractor who had done contract work for the Joint Special Operations Command, which oversees units like the Army’s Delta Force and the Navy’s SEAL Team Six. WIRED agreed to refer to him as Angus, which is not his real name.

A few weeks after his North Korea attack, Caceres met Angus in the offices of Angus’ Pentagon-funded hacker startup. Angus began by warning Caceres that he was potentially in danger of reprisal from the North Korean state and that he should be wary of the possibility of a physical attack that might be made to look like a mugging, or of someone tampering with his prescription medications. “Before that, I was nervous,” Caceres says. “After that, I was shit-scared.” Angus suggested the hacker ought to arm himself. (Caceres, not one for half measures, later bought three guns and multiple bulletproof vests.)

Angus quizzed Caceres about his past hacking activities, his allegiance to other governments—he said he didn’t have any—and his politics. He specifically asked Caceres if he was a Marxist. Caceres confirmed he was not. With that brief vetting out of the way, they went out for drinks and talked late into that night about what a P4x-style US special forces hacker team might look like and what sort of work they might do together to demonstrate that model to the Department of Defense.

Soon after, Angus convened a meeting of military and intelligence staff at his startup’s office, where they listened to a presentation from Caceres. Standing before an audience of officials from Cyber Command, Special Operations Command, the NSA, and the Marines’ Cyberspace Command known as Marforcyber, he detailed his North Korean hacking project as a case study and laid out principles for how it could be replicated: Aim for “easy and impactful.” Minimize the number of “cooks in the kitchen.” Iterate rapidly. He laid out a timeline for operations that suggested assembling teams of two to four hackers, with support from researchers and analysts, and taking just a few days to plan an operation.


“For the US government, any execution on target is typically a six-month process. P4x did it in two weeks,” says Angus. “The whole point was that he can show them how to do it, and if they wanted to they could fund it and see it happen.”

The audience reacted favorably, albeit skeptically, to the presentation, Angus recalls. “The realization of his achievement and the means he used to achieve it left most people deflated, the only deterrent being bureaucracy,” he recounts. According to Caceres, one attendee joked that Caceres had skipped a step: presenting a 100-slide PowerPoint briefing to someone who doesn’t understand any of it, and then being denied permission.

After that first talk, Caceres gave another at the MIT Lincoln Laboratory, a Pentagon-funded research and development center, and was then asked to present closer to DC, this time to a larger group of military and intelligence personnel. That later engagement was postponed by bureaucratic delays and never materialized, partly because Caceres had shifted his focus to a more practical demonstration.

While Angus worked on securing funding for their project, Caceres set his sights on a different foreign adversary to show the scale of cyber disruption a small team could cause. Over the following year, together with a fellow hacker known as tu3sday, he carried out an extensive breach operation, the details of which neither of them was willing to divulge.

Caceres and tu3sday did much of that hacking from Angus’ startup offices, visiting repeatedly over the following year. Caceres is clear, however, that their activities were never formally sanctioned or commissioned by the company, let alone by the Pentagon. “The message I got was that it was a ‘don’t get caught, we’ll disavow all knowledge’ sort of thing,” Caceres says.

Meanwhile, Angus found that he was running into roadblocks in his attempts to get more official support for their experiment. “The initial response was, ‘We should be doing that,’” he says. But as he “talked it up a very long chain, all the way to very senior people to see if they were amenable to it, most of them were not.”

Angus says he’s still not sure why their project didn’t gain traction. He believes it was only partly a considered decision by the Pentagon not to engage in the more aggressive and freewheeling hacking operations that they’d proposed. He thinks the resistance can be explained at least as much by the Department of Defense’s sclerotic management and the difficulty of convincing it to try anything new that involves risk. “There were forces that were nebulous even to me, and people wanted different things, and there was a lot of risk-aversion,” says Angus. “Bureaucracy was 100 percent a factor. They were trying to dilute liability.”

After nearly a year of Angus’ efforts to find funding for the project and failing, Caceres says he gave up and ended his visits to the startup. “We had something really powerful to share here, and something they really need,” he says of the US military. “And nothing really came of it.”


WIRED reached out to the Department of Defense, Cyber Command, and the NSA, but none responded to our requests for comment.

Despite those obstacles, Caceres continues to push his concept. Now speaking openly to WIRED, he again lays out his vision of US “special forces” hackers: small units that take down ransomware groups through relentless attacks on their servers and personal computers, or that break into the wallets of North Korea-linked hackers to claw back the millions in cryptocurrency regularly stolen from Americans. He further suggests that US cyber troops could, like P4x, deliberately knock out North Korea’s internet in response to every major theft until the state-backed thieves are compelled to stop. “Say, for every hundred million dollars they steal, we could cut off their internet for a year,” proposes Caceres. “We need to figure out what form of interruption would deter them.”

Caceres goes further, proposing that the same kind of deterrent response could be used in retaliation for physical-world misdeeds by Russia or North Korea, such as war crimes or human rights abuses. Most radically, he argues that US cyber targeting should not be limited to military, government, or criminal entities; civilian infrastructure should be fair game too. He sees the effects of such attacks not as “cyberwar” but as just another form of trade embargo or sanctions. “In the same way as we’re currently barring specific goods and businesses from Russia,” Caceres says, “we could be denying access to the internet.”

Caceres has his prior hacker aliases tattooed on his right arm, while his left bears a cryptographic hash, a long string of numbers and letters derived from a single word. He encourages WIRED readers to crack it.

Still, advocates of a less aggressive cyber policy cite valid reasons for the Pentagon’s likely reluctance to adopt the P4x model of state-sanctioned hacking. If US Cyber Command were to embrace Caceres’ idea of attacking civilian targets, it could be accused of war crimes, much as Russia has been over its cyberattacks on Ukraine, says Jacquelyn Schneider, a cyber conflict researcher at Stanford’s Hoover Institution. She adds that indiscriminate attacks on civilians would be morally questionable and could provoke reciprocal or even escalated actions from other nations.


“That’s not nice, and it’s not a good norm,” says Schneider. She says that much of the US government’s slow approach to cyberattacks stems from its care to ensure it avoids unintentionally hitting civilians as well as breaking international law or triggering dangerous blowback.

Still, Schneider concedes that Caceres and Angus have a point: The US could be using its cyber forces more, and some of the explanations for why it doesn’t amount to bureaucracy. “There are good reasons, and then there are bad reasons,” says Schneider. “Like, we have complicated organizational politics, we don’t know how to do things differently, we’re bad at using this type of talent, we’ve been doing it this way for 50 years, and it worked well for dropping bombs.”

America’s offensive hacking has, by all appearances, gotten less aggressive and less nimble over the past half decade, Schneider points out. Starting in 2018, for instance, General Paul Nakasone, then the head of Cyber Command, advocated a “defend forward” strategy aimed at taking cyber conflict to the enemy’s network rather than waiting for it to occur on America’s turf. In those years, Cyber Command launched disruptive hacking operations. Since then, however, Cyber Command and other US military hackers appear to have gone relatively quiet, often leaving the response to foreign hackers to law enforcement agencies like the FBI, which face far more legal constraints.

Caceres isn’t entirely wrong to criticize that more conservative stance, says Jason Healey, who until February served as a senior cybersecurity strategist at the US Cybersecurity and Infrastructure Security Agency. He responds to Caceres’ cyberhawk arguments by citing the Subversive Trilemma, an idea laid out in a 2021 paper by the researcher Lennart Maschmeyer: Hacking operations have to choose among intensity, speed, and control. Even in earlier, more aggressive years, US Cyber Command has tended to turn up the dial for control, Healey says, prioritizing it over those other variables. But he notes there may in fact be certain targets—such as ransomware gangs or hackers working for Russia’s no-holds-barred GRU military intelligence agency—who might warrant resetting those dials. “For those targets,” says Healey, “you really can release the hounds.”

As for Caceres himself, he says he’s not opposed to American hacking agencies taking a conservative approach to limiting their damage or protecting civilians—as long as they take action. “There’s being conservative,” he says, “and then there’s doing fuck all.”

On the argument that more aggressive cyberattacks would lead to escalation and counterattacks from foreign hackers, Caceres points to the attacks those foreign hackers are already carrying out. The ransomware group AlphV’s catastrophic attack on Change Healthcare in February, for instance, crippled medical claim platforms for hundreds of providers and hospitals, effects about as disruptive for civilians as any cyberattack can be. “That escalation is already happening,” Caceres says. “We’re not doing anything, and they’re still escalating.”

Caceres says he hasn’t entirely given up on convincing someone in the US government to adopt his more gloves-off approach. Ditching the P4x handle and revealing his real name is, in some sense, his last-ditch attempt to get the US government’s attention and restart the conversation.

But he also says he won’t be waiting for the Pentagon’s approval before he continues that approach on his own. “If I keep going with this alone, or with just a few people that I trust, I can move a lot faster,” he says. “I can fuck shit up for the people who deserve it, and I don’t have to report to anyone.”

The P4x handle may be dead, in other words. But the P4x doctrine of cyberwarfare lives on.
