In a dim hotel room in Dalian, China, a programmer named Park sits in a deep trance, working on a simple project: “How to Create a Monster.” For five days, he’s been scouring the internet for clues, searching hacker forums and the dark web for the missing piece that would make his monster work. Recently, a trove of incredibly advanced cyber weapons was stolen from the NSA and dumped into the wild, but they’re useless unless you find a way to make them work with your code.
Then Park discovers something: EternalBlue. Somebody has reverse engineered EternalBlue, one of the NSA’s top tools. Thrilled, he gets to work. Several hours later, the monster is almost ready. Park is exhausted but satisfied. With just a few tweaks, the superiors will have precisely what they requested. He turns off the computer and finds rest in the room’s corner.
The next morning, Park turns the computer back on, determined to give the monster the finishing touches. Except the monster has vanished. Frantically, he searches file by file. Nothing is there. The machine’s been wiped clean. A message comes through from his lead, Konbun, in Korean, congratulating him for the hard work. They didn’t wait. An order came. They released the monster unfinished.
Key Takeaway: WannaCry, one of the most damaging malware outbreaks in history, was released on May 12, 2017. Built on NSA exploits that North Korean operators took from the Shadow Brokers leak, it reached an estimated 200,000 computers across 150 countries within hours.
North Korea’s Cyber Evolution: From Counterfeits to Cyber Weapons
After World War II split the Korean Peninsula and the Korean War left it in ruins, North Korea found itself isolated when the USSR collapsed and China opened to the world. Famine and hardships developed quickly, so North Korea had to create its own system to survive—crime. It started with counterfeits, everything from Viagra to birth control and even forged US currency.
But as the world became digital, Pyongyang saw the opportunity to take its criminal activities to new heights. Their testing ground was close to home: South Korea. Between 2009 and 2013, North Korea terrorized its neighbor with cyberattacks. At first, they were denial of service attacks, overwhelming websites with requests to shut them down. But soon, the attacks became more complex.
In March 2013, the North Korean military unleashed a coordinated day of digital strikes against Seoul. A dropper trojan, built specifically for South Korean systems, installed wiper malware that overwrote the master boot record. Within hours, about 32,000 machines were destroyed, including those of two major banks and three of the largest TV stations. Offices, ATMs, and TVs across Seoul went dark. This was clearly not an isolated IT outage. It was Dark Seoul, and with it came a revelation: North Korean hackers were no rookies. They were becoming sophisticated, precise, and deadly.
The Sony Hack: Hollywood Under Attack
A year later, in 2014, Sony Pictures was preparing to release a comedy that mocked North Korea’s leader, Kim Jong Un. Pyongyang heard about this plan and did not like it at all. If they could not yet launch a missile across the Pacific, at least they could strike America’s propaganda machine with their growing cyber army.
Through a carefully planned spear phishing campaign, North Korean hackers breached Sony. They stole information about studio staff, unreleased movies, and even private emails between celebrities. Then they dumped it onto the public domain, sparking chaos. A country with only 1,024 IP addresses and limited broadband had just hacked Hollywood.
Cybercrime had proven itself a powerful weapon for grabbing headlines and disrupting global discourse. But could it also bring profit? Crime had helped North Korea through famine, so perhaps cybercrime could follow its legacy. It was time for pragmatic hacking.
The Bangladesh Heist: Cybercrime for Profit
Starting in 2015, the banking sector came under attack. Vietnam's Tien Phong Bank blocked a fraudulent SWIFT transfer in late 2015, and over the following years banks in Poland, Mexico, and Uruguay reported intrusions attributed to North Korea. The first major financially motivated operation, though, was the Bangladesh Heist of February 2016.
This cyberheist shook the world for its magnitude. After lurking inside the bank's network for roughly a year, the hackers attempted to steal nearly $1 billion. They had gained their foothold through phishing emails, planted malware on the bank's SWIFT terminal (the system financial institutions use to send and receive money transfer requests), and used it to issue 35 transfer requests to the Federal Reserve Bank of New York.
Fortunately, the New York Fed flagged most of the requests as suspicious and stopped them, but five got through, totaling $101 million. A $20 million transfer to Sri Lanka was reversed after a spelling error in the recipient's name drew attention, leaving $81 million that was never recovered. The message was clear: North Korea's cyber operatives were disciplined, persistent, and dangerously effective.
The Shadow Brokers: NSA Exploits in the Wild
In April 2017, Kim and his cyber army were entangled in complicated geopolitical games. However, something else was beginning to stir public discourse. A new player had stepped onto the stage, one that would help fuel the birth of many monsters: The Shadow Brokers.
This was a mysterious group of hackers who started posting cryptic messages on social media between late 2016 and early 2017. The rants were incoherent with purposefully bad English and filled with strange geopolitical commentary. They looked like a band of sketchy script kiddies, but this was nothing but obfuscation. Shadow Brokers’ posts had links, and those links contained entire caches of malware, exploits stolen straight from the National Security Agency of the United States.
Among them was EternalBlue, a tool that exploited a flaw in Windows' SMBv1 file-sharing protocol and gave remote code execution on any unpatched machine that exposed it. The NSA had reportedly known about and used the vulnerability for around five years. Instead of reporting it to Microsoft so the millions of affected users could be protected, it had kept the bug to itself and built a tool around it. Only after the agency learned its tools had been stolen did it reportedly warn Microsoft, which shipped the fix as MS17-010 on March 14, 2017, a month before the leak. Every machine WannaCry later hit was one that had not installed that patch.
The Perfect Storm: WannaCry Unleashed
By late April, the exploits were already dissected by security researchers. One of the companies joining the conversation was RiskSense, a cybersecurity firm that published its own take on the exploits. But RiskSense stands out for one thing—it became the unexpected catalyst in the chain of events that triggered WannaCry.
Only three days before the attack, a senior staff member posted in RiskSense’s GitHub. This entry was not just another write-up of EternalBlue. He had reverse engineered its code, disassembling the complex tool to understand how the exploit worked. That 9th of May, or perhaps a day or two later, North Korean threat actors stumbled upon the post. It was exactly what they needed.
With this knowledge, they could learn how to use EternalBlue and pair it with another leaked NSA tool, the DoublePulsar backdoor, to create the ultimate cyber weapon: a ransomware cryptoworm that would spread on its own, faster than anything they had ever created.
The Attack: Global Chaos in Two Hours
On May 12th, the malware was unleashed, and in less than a working day it had reached 150 countries. WannaCry is regarded as one of the most destructive ransomware outbreaks in cybersecurity history, but the irony is that the malware itself is not particularly advanced. Its true power came from two things: how it got in and how it spread. Both came courtesy of the United States, in the form of the NSA's EternalBlue exploit and DoublePulsar backdoor.
EternalBlue enables remote code execution on unpatched Windows machines through SMBv1, the legacy version of the protocol Windows uses to share files and printers. DoublePulsar is a kernel-mode backdoor that EternalBlue installs; it keeps access to the target open, like a tunnel between attacker and victim, and lets the attacker load further code. It does no damage by itself and is designed to be low profile, but it is not undetectable: it answers a specific SMB probe differently from a clean host, which is how scanners later counted infected machines. The practical defence was, and still is, to apply MS17-010 and disable SMBv1 entirely, and to block TCP port 445 at the network edge.
Once inside, WannaCry deploys its payload: a standard hybrid scheme that encrypts each file with a fresh AES key and wraps those keys with RSA, renaming everything it touches with the .WNCRY extension. Before finishing, the malware deletes the machine's Volume Shadow Copies and disables Windows recovery options, making file recovery without the key practically impossible. Then it shows its famous red screen: "Ooops, your files have been encrypted! If you want to decrypt all your files, you need to pay. You only have 3 days to submit your payment. If you don't pay in 7 days, your files will be lost forever. Send $300 worth of Bitcoin to this address."
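The two behaviours described above, the worm's sweep of port 445 across a network and the deletion of shadow copies and recovery settings, are both visible in ordinary endpoint telemetry. The following detection logic is an added example written for this article, not code from the original page or from any of the tools it mentions. It runs over constructed Sysmon-style events (process creation with a command line, and network connections with a destination port); the hostnames, addresses and timestamps are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines WannaCry's decryptor component ran to destroy recovery options.
# Patterns are deliberately loose so spacing or ".exe" suffix changes still match.
RECOVERY_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_recovery_tampering(events):
    """Return (host, command) for every process event matching a tamper pattern."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        if any(p.search(ev["cmd"]) for p in RECOVERY_TAMPER_PATTERNS):
            hits.append((ev["host"], ev["cmd"]))
    return hits


def detect_smb_fanout(events, window=timedelta(seconds=60), threshold=20):
    """Return (host, peak_distinct_peers) for hosts that open TCP/445 to at least
    `threshold` distinct destinations inside any sliding window of `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["type"] == "netconn" and ev["dport"] == 445:
            by_src[ev["host"]].append((_ts(ev["ts"]), ev["dst"]))
    alerts = []
    for src, conns in by_src.items():
        conns.sort()
        peak, start = 0, 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in conns[start:end + 1]}))
        if peak >= threshold:
            alerts.append((src, peak))
    return alerts


def build_sample_events():
    """Constructed Sysmon-style events for the demo (not real telemetry)."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%S"
    events = [
        # benign admin query: lists shadows, does not delete them
        {"ts": "2017-05-12T09:00:05", "host": "ws-05", "type": "process",
         "cmd": "vssadmin list shadows"},
        # the WannaCry recovery-tampering one-liner
        {"ts": "2017-05-12T09:00:30", "host": "ws-17", "type": "process",
         "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    ]
    # ws-17 sweeps 25 neighbours on 445 within 25 seconds: worm behaviour
    for i in range(25):
        events.append({"ts": (base + timedelta(seconds=i)).strftime(fmt), "host": "ws-17",
                       "type": "netconn", "dst": f"10.0.0.{i + 10}", "dport": 445})
    # fs-01 talks to three peers on 445 over the same minute: normal file sharing
    for i, dst in enumerate(["10.0.0.2", "10.0.0.3", "10.0.0.4"]):
        events.append({"ts": (base + timedelta(seconds=10 * i)).strftime(fmt), "host": "fs-01",
                       "type": "netconn", "dst": dst, "dport": 445})
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    print("recovery tampering:", detect_recovery_tampering(evs))
    print("smb fan-out:", detect_smb_fanout(evs))
```

The fan-out threshold is the knob to tune: a file server legitimately talks to many clients on 445, but it rarely initiates dozens of outbound 445 connections to distinct hosts in a minute, which is what a scanning worm does. The command-line rule is high confidence on its own; deleting all shadow copies together with disabling recovery has almost no benign use on a workstation.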
The NHS Crisis: Healthcare Under Siege
The first red screens appeared around 7:44 AM in Southeast Asia. Within an hour, it spread to Latin America, and around 10 AM UTC, it was already causing mayhem in Spain, France, Germany, and the United Kingdom. Train stations, offices, schools—anywhere with computers woke up with WannaCry’s mark.
While the malware was spreading all over Europe, it was severely affecting the UK's National Health Service. At first only a couple of hospitals were hit, then dozens, and by the end of the day roughly a third of NHS trusts in England had been disrupted. Dr. Tony Bleetman, an emergency consultant in London during the attack, witnessed the crisis unfold in real time.
The medical staff had to adapt to the chaos as quickly as possible. Instead of having a map on the screen of where every patient was, they took an old-fashioned whiteboard and marker pens and drew a plan of the department. Somebody was put in charge of that board to record where all the patients were and where they were moving to. They rapidly moved to paper registration and paper note-keeping for patients.
Surgeries and appointments were postponed. Hundreds of patients were left in limbo, uncertain when or how their procedures would happen. The regionalization of specialist services meant that some patients in smaller hospitals had difficulties getting critical patients to tertiary centers because trauma centers had cancelled everything apart from immediate life-saving surgery.
The Kill Switch: Marcus Hutchins Saves the Day
Among those glued to the nearest radios, TVs, and computers was a UK researcher named Marcus Hutchins. At 2:30 PM, Marcus had just finished lunch and returned home. He had a few days off, so he was taking it easy. But the moment he opened his computer, the scale of the crisis hit him, and he felt he needed to do something.
As Marcus investigated the malware, he quickly noticed something unusual. Before deploying its payload, the worm tried to connect to a long, gibberish-looking domain that nobody had registered. He assumed it was a command-and-control server, so he registered it and started looking at what he could learn from the traffic that arrived.
It turned out that, while he was still trying to work out the domain's purpose, he had already stopped WannaCry: the domain was a kill switch. With it registered, every new infection checked the domain, got an answer, and went dormant instead of encrypting. It did nothing for machines that were already encrypted, but it halted the spread. By 15:03 UTC the outbreak was effectively over, and Marcus had become a hero of cybersecurity history.
The Investigation: Tracing the Lazarus Group
WannaCry hijacked an estimated 200,000 computers across 150 countries in the hours before the kill switch took effect. The case, however, was far from solved. The UK police launched an investigation, and the mystery only deepened as new details emerged.
For example, it was revealed that the scheme generated less than $200,000, a small sum for the scale of the attack. Not only did many victims refuse to pay, but the payment mechanism was essentially useless. Unlike better-designed ransomware, WannaCry had no automated system for distributing decryption keys or tracking who had paid and who hadn’t. This led to a darker theory: perhaps WannaCry was not about money.
The kill switch supported this theory. Some researchers believed it was never meant as an off switch at all, but as a way for the worm to tell whether it was running on a real network or inside an analysis sandbox, since sandboxes typically answer every DNS query and HTTP request to keep malware talking. However, the creators of WannaCry had been sloppy. The domain was not different for each sample; it was a single static string. So when Marcus registered it, every copy of the worm concluded that the entire internet was a sandbox and shut itself off.
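To make the kill-switch discussion above concrete (both how registering one domain stopped new infections and why the same check reads as a sandbox test), here is an added example that models the gate in a few lines of Python. It is not WannaCry's code and not anything the article's sources published; the domain name is an RFC 2606 stand-in for the real hardcoded one, the network layer is faked so the script runs offline, and the per-sample domain scheme is hypothetical, included only to show what a less sloppy author could have done.

```python
import hashlib

# Stand-in for the real hardcoded kill-switch domain (assumption for the demo).
STATIC_DOMAIN = "killswitch.example"


def should_run_payload(domain, fetch):
    """WannaCry's gate, in outline: issue an HTTP GET to a hardcoded domain and,
    if the request SUCCEEDS, exit without encrypting anything.
    `fetch(domain) -> bool` stands in for the WinINet call; True means a response came back."""
    return not fetch(domain)


def make_fetch(registered, answers_everything=False, direct_egress=True):
    """Build a fake network.
    registered         : domains that actually resolve on the real internet
    answers_everything : a sandbox that resolves and answers every name
    direct_egress      : False models a network where only proxied traffic leaves;
                         WannaCry made a direct (non-proxy-aware) request, so it fails there"""
    def fetch(domain):
        if not direct_egress:
            return False
        if answers_everything:
            return True
        return domain in registered
    return fetch


def per_sample_domain(sample_id):
    """Hypothetical alternative: a different domain per build, so registering one
    domain cannot switch off every sample in the wild."""
    return hashlib.sha256(sample_id.encode()).hexdigest()[:20] + ".example"


def run_scenarios():
    """Evaluate the gate under the situations discussed in the text."""
    results = {}
    # 1. May 12 before registration: nothing resolves, payload runs everywhere
    results["unregistered"] = should_run_payload(STATIC_DOMAIN, make_fetch(set()))
    # 2. analysis sandbox answering every name: payload stays dormant (evasion reading)
    results["sandbox"] = should_run_payload(
        STATIC_DOMAIN, make_fetch(set(), answers_everything=True))
    # 3. after the domain was registered and sinkholed: dormant on any host with direct egress
    results["sinkholed"] = should_run_payload(STATIC_DOMAIN, make_fetch({STATIC_DOMAIN}))
    # 4. proxy-only network: the direct request fails even though the domain resolves
    results["proxy_only"] = should_run_payload(
        STATIC_DOMAIN, make_fetch({STATIC_DOMAIN}, direct_egress=False))
    # 5. hypothetical per-sample domains: sinkholing build A's domain leaves build B armed
    dom_a, dom_b = per_sample_domain("build-A"), per_sample_domain("build-B")
    results["per_sample_other_build"] = should_run_payload(dom_b, make_fetch({dom_a}))
    return results


if __name__ == "__main__":
    for name, detonates in run_scenarios().items():
        print(f"{name:24s} payload runs: {detonates}")
```

Scenario 4 is the practical caveat from the real outbreak: organisations whose outbound web access went only through a proxy kept getting encrypted after the domain was registered, because the worm's request bypassed the proxy and never reached the sinkhole. Blocking the kill-switch domain on a firewall had the same effect. The right move was to allow traffic to it, or to answer it internally.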
The Attribution: North Korea’s Cyber Army
As the investigation progressed, the UK brought the case to America, which uncovered the nastier side of it. At the end of the day, the NSA’s fingerprints were all over the two stolen exploits that made WannaCry work: EternalBlue and DoublePulsar. WannaCry’s power came straight from America’s intelligence.
Working together, British and American investigators discovered who was behind the worm. The FBI analyzed WannaCry’s code and concluded that there were at least two other versions of the malware dating from February and April of 2017. All three versions shared the same code. This was the work of a single group of threat actors.
WannaCry had much in common with other infamous attacks. A data table embedded in the malware matched one found in the Sony and Bangladesh malware. The development environment was the same: Visual C++. Several IP addresses and email accounts were reused across WannaCry, Sony, and Bangladesh. All of these attacks had been perpetrated by the same threat actor: Lazarus Group.
The Human Face: Park Jin Hyok
Lazarus Group, also known as Guardians of Peace or Whois Team, is believed to be behind most of North Korea’s cyberattacks. These hackers never act independently—they are North Korea’s war machine. There was one more thing all of these attacks had in common. Tracing them and connecting them allowed the investigators to finally connect the Lazarus Group to a real person.
In the aftermath of the Sony hack and the Bangladesh heist, FBI agents found a shared network of emails that led them to a mysterious user, Kim Hyon Woo. Although this turned out to be a fabricated persona, the alias was actually helpful for the FBI. They connected this alias to Chosun Expo Group, a North Korean front company for state-sponsored hacking.
They came across a Gmail address that had been used in that attack. So they issued a warrant to Google and discovered a CV that had been sent by one of the allegedly North Korean hackers to his new employer in China. It had his photo and his name. His name was Park Jin Hyok. Unlike other nicknames and aliases found during the investigation, he did not have a ghostly presence. His birthday, education, language proficiency, and skills were all in the hands of investigators.
FAQ Section
Q: How many computers were affected by WannaCry?
A: WannaCry hijacked an estimated 200,000 computers across 150 countries within hours of being released.
Q: Who was behind the WannaCry attack?
A: The attack was attributed to North Korea’s Lazarus Group, with Park Jin Hyok identified as one of the key operatives.
Q: How was WannaCry stopped?
A: UK researcher Marcus Hutchins found a kill switch domain in the malware code and registered it, which stopped new infections from encrypting files. Machines that had already been encrypted were not recovered.
Q: What role did the NSA play in WannaCry?
A: WannaCry's infection and spreading capability came from NSA tools (the EternalBlue exploit and the DoublePulsar backdoor) that were stolen and published by the Shadow Brokers. Microsoft had patched the underlying flaw (MS17-010) a month before the leak, but unpatched systems remained exposed. Critics such as Microsoft's Brad Smith argued that the US government's stockpiling of exploits made it indirectly responsible for the attack's reach.
The Bottom Line: A Chain of Events That Changed Cybersecurity
WannaCry resulted from a chain of events that fueled a beast. North Korean threat actors could not have completed this beast without the Shadow Brokers leaks, which contained NSA exploits. The attack demonstrated how state-sponsored cyber weapons could be stolen, leaked, and weaponized by adversaries, fundamentally changing the cybersecurity landscape.
Microsoft President Brad Smith acknowledged this in a post after the incident, heavily criticizing the US and its tendency to hoard exploits, comparing the situation to the US military having some of its Tomahawk missiles stolen. This was not taken well in Washington, but the truth remained: WannaCry’s power came straight from America’s intelligence, and the attack could not have succeeded without the NSA’s exploits.