Vanity, phishing, and the North Korea watcher

2025 07 24 · Junotane

In the North Korea watcher world, where access is scarce and status is conferred by proximity to power or time on CNN, vanity is more than a character flaw—it’s a vulnerability. For analysts, journalists, and policy wonks who dedicate their careers to decoding the Hermit Kingdom, reputation is currency.

A scoop, a quote, or even an email thread with a high-profile name can elevate one’s self-esteem. But that hunger to be seen, respected, and—above all—consulted, is exactly what state-backed hackers are counting on.

Phishing is not just about technical intrusion. It’s about psychological manipulation. And for North Korea watchers, the bait isn’t money or access to classified data—it’s mostly about recognition. The hacking risk is all too real (I wrote previously on cybersecurity best practice for North Korea watchers).

Over the past few years, both South Korean and Western cybersecurity agencies have issued alerts about sophisticated phishing campaigns targeting experts on the DPRK. While many of these operations are attributed to North Korean state actors, they are not alone. Other governments—hostile, allied, or somewhere in between—have also shown interest in exploiting the tightly knit world of North Korea analysis. And while attribution grabs the headlines, the real story lies in the methods: the carefully crafted emails, the calculated flattery, and the subtle manipulation of academic and policy vanity.

“We would greatly value your expertise…”

That’s how it often begins. The phishing email doesn’t scream malware. It doesn’t always come from a suspicious Gmail account riddled with typos. It often looks polished and professional.

Sometimes it’s disguised as a think tank researcher seeking a quote for a report. Other times, it’s a journalist from an obscure but real-sounding European news outlet looking for expert commentary. Occasionally, it’s an academic conference organizer requesting a keynote or panel participation. The common thread? Each message is tailored to feed the recipient’s ego.

Here’s a sample drawn from a recent campaign flagged by security researchers:

“Dear Dr. [Name], We are hosting a closed-door roundtable with former ambassadors and policymakers on the future of the Korean Peninsula. Your work on North Korea’s strategic posture has been widely cited, and we believe your participation would greatly enrich the discussion. A draft agenda is attached. Kindly let us know your availability.”

The draft agenda, of course, contains a malicious document. Open it, and you’ve handed over the keys—not just to your inbox, but potentially to your entire network. Because what the hackers really want isn’t your opinion; it’s your contacts, your private correspondence, your unpublished thoughts.

“As a respected voice on Korean affairs…”

Another common trope is the survey or research pitch. A message arrives from a “PhD candidate” at Cambridge or an analyst at a Brussels-based NGO conducting a global study on nuclear diplomacy. You’re asked to participate in a short survey or review a confidential draft. But the real payload is hidden in the link.

These emails are persuasive because they validate the recipient’s self-image: not just as an expert, but as someone whose views are influential. In a field where even tenured academics chase media appearances and Substack subscriptions (Please Subscribe!!!!), the flattery hits its mark. Hackers understand this. They don’t need to breach firewalls—they just need to appeal to the target’s ego.

“We’re compiling a list of top North Korea experts…”

Perhaps the most effective trick is the promise of prestige. Invitations to contribute to elite policy forums, requests to join advisory boards, or offers to co-author pieces for prestigious journals have all been mimicked in phishing campaigns.

It works. Even seasoned analysts will click through. In a field where being noticed is half the battle, the offer of greater visibility is irresistible. Everyone wants to be seen as part of the club—especially when the club appears to be composed of former diplomats, CIA veterans, and prominent scholars.

And then there’s the pièce de résistance — patriotism. The most recent campaign targets North Korea watchers with the request to take part in online meetings with senior foreign ministry and/or defense officials from the researcher’s home country or embassy. Those who send the mail are aware that the recipient holds a degree of both vanity and patriotism. In intelligence, there is no easier target than the vain patriot (unless they also gamble, hold a grudge, and are in the closet).

The vain patriot is a particularly exploitable sub-type—someone whose ego is tightly bound to their perception of national service. They see themselves as guardians of the state, convinced that their insights are not only valuable but essential. What makes them ideal targets is not ideology or greed, but a deep-seated need to be seen as important. Intelligence officers know this, and they exploit it masterfully: offering praise, appealing to a sense of strategic duty, and framing participation as a quiet form of elite influence. The vain patriot can easily be told that they are part of something bigger—something discreet, sensitive, and indispensable.

In phishing campaigns, the same technique is repurposed with eerie ease. A well-crafted email that hints at privileged access, insider consultation, or contribution to high-level discussions can bypass even the most seasoned expert’s skepticism. Vanity, once mapped, is remarkably easy to trigger—no handler required.

And here we have the most recent campaign that nearly every North Korea watcher has experienced.

It starts with a believable email account. This could include (a) a free email provider, such as Hotmail, Google, or Naver, as is way too common in the South Korean government, think-tank, and university sectors (especially by administrative assistants and lower-level employees); (b) compromised legitimate accounts, often from second-tier universities or think-tanks; or (c) email header forgery that makes the message appear to come from a legitimate address, again, often from second-tier universities or think-tanks that do not use SPF, DKIM, and DMARC protection.
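A triage sketch for sender types (a) and (c), added here as an illustration and not part of the original post. It reads the SPF, DKIM, and DMARC verdicts stamped by the receiving mail server and flags official-sounding senders on free-mail domains. The `mx.example.org` server name, the provider and keyword lists, and both sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREE_MAIL = {"gmail.com", "hotmail.com", "outlook.com", "naver.com"}  # illustrative list
OFFICIAL = re.compile(r"\b(embassy|ministry|ambassador)\b", re.I)     # assumed keywords

def auth_results(msg, trusted):
    """Read spf/dkim/dmarc verdicts, but only from headers stamped by our own server."""
    verdict = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        if (header.split(";")[0].split() or [""])[0].lower() != trusted:
            continue  # a sender can forge this header; ignore foreign authserv-ids
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdict[method.lower()] = result.lower()
    return verdict

def triage(raw, trusted="mx.example.org"):
    """Return a list of reasons to verify the sender out of band."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg, trusted)
    flags = []
    if domain in FREE_MAIL and OFFICIAL.search(display + " " + msg.get("Subject", "")):
        flags.append("official title on a free-mail account")
    if auth["dmarc"] != "pass":
        flags.append("dmarc=" + auth["dmarc"])
    if auth["spf"] != "pass" and auth["dkim"] != "pass":
        flags.append("neither spf nor dkim passed")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append("reply-to domain differs from sender")
    return flags

# Constructed sample messages (not from a real campaign).
FREE_MAIL_LURE = (
    "Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass\n"
    'From: "Example Embassy Seoul" <officer.example@gmail.com>\n'
    "Subject: Invitation to a secure Zoom meeting\n\nI hope this email finds you well.\n")
FORGED_HEADER = (
    "Authentication-Results: mx.example.org; spf=none; dkim=none; dmarc=none\n"
    "Authentication-Results: sender.invalid; spf=pass; dkim=pass; dmarc=pass\n"
    "From: Research Office <office@university.example>\n"
    "Reply-To: office.university@hotmail.com\n"
    "Subject: Roundtable invitation\n\nKindly share your availability.\n")

if __name__ == "__main__":
    for name, raw in (("free-mail", FREE_MAIL_LURE), ("forged", FORGED_HEADER)):
        print(name, triage(raw))
```

An empty list is not a clean bill of health: a compromised legitimate account, case (b), passes all three checks, so the invitation still needs confirming through a channel you already trust.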

The campaign is (sometimes erroneously) targeted specifically to the vanity and patriotism of individuals to reflect their nationality, field of research, area of expertise, and prior research engagements. It uses standard embassy title formatting, real names of individuals in the mentioned positions, and embassy email signature formatting.

“I hope this email finds you well.

This is [Enter real name found from LinkedIn], [Enter your field] Officer at the [Enter your country] Embassy Seoul. I am writing on behalf of [Enter real name of Senior Official].

You come highly recommended by defence policy experts, which is why I’m reaching out to you.

We would be pleased to invite you to a secure Zoom meeting to engage in a detailed discussion on a range of critical security topics. Key topics will include the current security situation with the DPRK (including the impact of DPRK-Russia relations and DPRK military operations in Russia against Ukraine), Security in the East Asia Region (with focus on the Republic of Korea’s relationships with Japan, China and other major players), ROK and Cross-Strait Relations: The Geopolitical Implications of China-Taiwan Tensions [Or any other subjects in your field].

We are in the process of arranging the meeting and would greatly appreciate it if you could share your availability. We will do our best to coordinate the schedule accordingly.

We truly appreciate your time and consideration amidst your busy schedule, and we look forward to hearing from you.”

The recent campaign unfolds at a slower rate. The target is dragged along as the sender supposedly arranges the meeting. There are no documents or files to download that could raise suspicion. The target is given the topics to prepare and a final deadline. Then, when they’re ready to present…Phwam! They’re asked to log in to a “secure” embassy video connection that uploads malware and takes silent—very silent—control of their computer. There is no attempt to change or alter any files, just to watch, listen, and gather intelligence—and it will likely continue until you get a new computer!

What makes this all the more troubling is that the phishing targets aren’t just vulnerable as individuals—they are nodes in a larger knowledge network. Many are connected to government agencies, policy institutions, and academic centers. Compromising one target can yield access to years of sensitive correspondence, including drafts of policy papers, internal debates, and classified-adjacent conversations.

And the damage isn’t merely technical. It’s epistemic. Once trust is eroded—once insiders begin questioning the authenticity of requests, the safety of their inboxes, the reliability of their sources—the entire process of knowledge production becomes suspect. When hackers exploit vanity, they don’t just steal information. They corrupt the very process by which that information is created, shared, and debated.

North Korea watchers are especially susceptible because the field encourages performative expertise. With few hard facts to work with, the space rewards speculation, storytelling, and—above all—visibility.

Social media has only intensified this. Analysts now post hot takes on satellite images, speculate on leadership dynamics, and promote their media appearances. The line between research and reputation management is increasingly blurred.

None of this is inherently bad. But when the desire to be seen overrides the instinct to be cautious, the whole ecosystem becomes ripe for exploitation. Hackers don’t need to be smarter. They just need to understand the psychology of ambition.

Cyber security campaigns are important (check out mine here!), but they often miss the point. Telling experts to use VPNs, avoid opening attachments, and check URLs is necessary—but insufficient. The real fix is cultural—and security culture is a significant challenge in South Korea and amongst the wider North Korea watcher community.

Not every invitation signals prestige, and not every flattery-laced email is a career opportunity. The hunger to be seen—to be quoted, cited, or consulted—makes even seasoned professionals vulnerable. Cultivating a culture that privileges substance over performance is not just good scholarship; it’s also good for cybersecurity. Will it happen? Probably not.

For North Korea watchers, the greatest vulnerability is not ignorance. It’s the desperate need to be seen, to be heard, to be quoted, and to edge their way into the political arena from their seat on the sidelines. And North Korean hackers know it.