South Korea Warns North Korea Uses Autonomous Hacking AI

Per UPI, the National Cyber Security Center, operated under the National Intelligence Service, issued a warning in its 2026 National Information Security White Paper that North Korean-linked hacking groups are moving toward the use of agentic AI, a class of autonomous systems that can set goals, analyze data and manipulate external systems without constant human direction. The white paper, reported by UPI, states agentic AI can generate large volumes of phishing and social engineering content, produce hacking tools such as ransomware, and execute large-scale operations with fewer people, less time and lower cost. The agency warned: "Starting this year, agentic AI will autonomously carry out the full attack life cycle and generate tens of thousands of malicious actions per second. Defense systems also must immediately shift to autonomous security operations that minimize human intervention and identify and isolate threats at machine speed."

UPI cites private-sector reporting that Kaspersky and Google Threat Intelligence Group identified indicators of LLM-assisted work by the North Korea-linked group Kimsuky, and that APT45 used large-scale prompting to search for vulnerabilities. UPI also reports a high-profile example where Anthropic's model Mythos produced Windows attack code in 31 minutes. UPI reports North Korea stole 2.2 trillion won (approximately $1.46 billion) in virtual assets last year. Analysts, per UPI, increasingly believe North Korea began designing and testing AI-automated attacks last year and has now broadly adopted the technology.

Choi Byung-ho, a research professor at Korea University's Human-Inspired AI Research Institute, said per UPI: "The only current method is to use AI to find security problems, patch them as quickly as possible and prevent attacks. A governance system capable of responding to hacking within 24 hours is needed, but it is difficult because of issues such as delegated authority."

Per UPI's May 19 reporting, South Korea is pursuing amendments that would widen the NIS's remit to include "economic security" and give the agency authority to investigate suspected foreign-backed cyberattacks affecting private companies. UPI cites government data showing private-sector reports of personal data leaks rose to 319 cases last year, up 57% from 203, and that corporate cyber incidents increased from 640 in 2021 to 1,887 in 2024. UPI also cites an SK Shieldus estimate that small and midsize firms took an average of 106 days to detect intrusions, with some cases undiscovered for up to 700 days.

Public reporting frames agentic AI as a force multiplier for reconnaissance, social engineering and rapid exploit development. Examples like the Mythos output demonstrate that current models can generate functional exploit code and offensive tooling with minimal human steps. Organizations face a different operational profile when tooling automates large-scale probing and phishing, increasing the volume and speed of attack attempts even where adversary personnel remain limited.

Indicators include a rise in automated phishing campaigns and machine-generated exploit artifacts, more public forensic links between LLM-generated code and operational malware, and the progress of legislative changes that would broaden investigation authority at the NIS.