
Microsoft Seizes 50 North Korean Hack Sites

[Image: A Microsoft legal document on a desk with a computer screen showing seized domain names in the background.]

On December 18, 2019, Microsoft announced it had seized control of 50 websites operated by a North Korean hacking group known as Thallium, following a court victory in the United States. The tech giant took down the domains after winning a lawsuit against the cyberattack organization, which used phishing tactics to steal sensitive data from victims primarily in Japan, the United States, and South Korea. The fake websites included addresses like “hotrnall.com,” “office356-us.org,” and “mai1.info,” designed to mimic legitimate services.

Microsoft’s legal action against Thallium

Microsoft filed the lawsuit in a U.S. federal court, seeking to dismantle the infrastructure Thallium used to launch its attacks. The court granted Microsoft the authority to take over the domains, effectively cutting off the group’s ability to use them for phishing campaigns. Tom Burt, Microsoft’s corporate vice president of customer security and trust, detailed the operation in a blog post. “The hackers used a phishing strategy where personal information was gathered through social sites and domains,” Burt said. “These details were used to create tricky emails that directed users to fake websites.”

The seizure marks a significant step in Microsoft’s ongoing efforts to combat nation-state cyber threats. Thallium is the fourth such group Microsoft has identified and targeted, following similar actions against hackers from China, Iran, and Russia.

How the phishing scheme worked

Thallium’s attacks relied on a multi-step process. First, the group collected personal information about their targets from social media platforms and other public sources. Then they crafted convincing emails that appeared to come from trusted organizations. These emails contained links to counterfeit websites that looked identical to legitimate login pages for services like Microsoft’s Office 365 or email providers like Hotmail.

Once victims entered their credentials on these fake sites, Thallium captured the information. The group also used malicious software to compromise systems and steal highly sensitive data, including emails, contacts, and documents. Microsoft’s investigation found that Thallium’s victims were not random. They included “members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues,” according to Burt’s post.

Targets and geopolitical context

The victims were concentrated in Japan, the United States, and South Korea. Many worked on issues related to North Korean human rights, nuclear nonproliferation, and international peace efforts. By targeting these individuals, Thallium aimed to gather intelligence on activities that the North Korean regime views as threats.

The group’s activities fit a broader pattern of state-sponsored cyber espionage. North Korea has long used hacking to steal money, secrets, and intelligence. The U.S. government has repeatedly condemned these actions. The Trump administration has taken a hard line against such threats. In 2019, the Department of Justice indicted several North Korean hackers for cybercrimes, including the 2014 Sony Pictures attack and the theft of $1.1 billion from the Bangladesh Bank.

Protecting against phishing attacks

Cybersecurity experts say the best defense against phishing is vigilance. Users should always double-check URLs before entering login credentials. A single letter difference, like “mai1.info” instead of “mail.info,” can signal a fake site. Password management is also critical. Using unique, complex passwords for each account reduces the risk if one is compromised. Multi-factor authentication adds another layer of security.
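The three domains named in the article (“hotrnall.com”, “office356-us.org”, “mai1.info”) all rely on characters that look alike on screen: “rn” for “m”, “1” for “l”, a swapped digit pair. The URL check recommended above can be automated as a lookalike-domain detector. The following is an added example written for this page, not Microsoft’s tooling or anything from the Thallium investigation; the confusable-character table and the list of protected domains are assumptions kept small enough to read, and a real deployment would use a fuller confusables table and the organisation’s own domain inventory.

```python
"""Flag domains that look like a protected brand after normalising confusable characters.

Added example for this article; not Microsoft's code. CONFUSABLES and LEGITIMATE
are assumptions chosen to cover the three domains the article names.
"""
from urllib.parse import urlsplit

# Character sequences that look alike in common fonts, mapped to a canonical
# form. Applied to both the suspect label and the protected label so that
# "hotrnall" and "hotmail" collapse to comparable strings. (Assumed table.)
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "1": "l",
    "0": "o",
    "3": "e",
    "5": "s",
}

# Domains to protect (assumed list for the example).
LEGITIMATE = ["hotmail.com", "office365.com", "mail.info", "outlook.com", "microsoft.com"]


def normalise(label):
    """Lower-case a DNS label and replace each confusable sequence with its canonical form."""
    label = label.lower()
    for lookalike, canonical in CONFUSABLES.items():
        label = label.replace(lookalike, canonical)
    return label


def registrable_label(domain):
    """Naively return the label just before the public suffix ("office356-us" for office356-us.org)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition,
    so that the swapped digits in office356 vs office365 count as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain, legit=LEGITIMATE, max_distance=1):
    """Return (verdict, matched_domain, distance) where verdict is
    'legitimate', 'lookalike' or 'unrelated'."""
    domain = domain.lower().strip(".")
    # Exact match or subdomain of a protected domain is legitimate.
    for real in legit:
        if domain == real or domain.endswith("." + real):
            return ("legitimate", real, 0)
    label = normalise(registrable_label(domain))
    core = label.split("-")[0]  # drop appended tokens such as "-us"
    best = None
    for real in legit:
        real_label = normalise(registrable_label(real))
        dist = min(osa_distance(label, real_label), osa_distance(core, real_label))
        if best is None or dist < best[0]:
            best = (dist, real)
    if best[0] <= max_distance:
        return ("lookalike", best[1], best[0])
    return ("unrelated", None, best[0])


def host_of(url):
    """Extract the host from a URL as it would appear in an email link."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def scan(urls):
    """Classify every URL in a list; returns a list of (host, verdict, matched, distance)."""
    return [(host_of(u),) + classify(host_of(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample links: the three domains from the article plus two controls.
    SAMPLE_LINKS = [
        "https://hotrnall.com/login",
        "http://office356-us.org/signin?user=x",
        "mai1.info/reset",
        "https://login.hotmail.com/",
        "https://example.org/",
    ]
    for row in scan(SAMPLE_LINKS):
        print("%-22s %-11s %-15s dist=%s" % row)
```

Flagging at distance 1 after normalisation catches all three article domains while leaving the genuine subdomain and an unrelated site alone; in practice the check belongs in mail-gateway URL rewriting or a browser extension, and the distance threshold should be tuned against the organisation’s real domain list to keep false positives down.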

Microsoft has invested heavily in threat detection and response. Its Digital Crimes Unit works with law enforcement and other tech companies to disrupt malicious operations. The takedown of Thallium’s domains is part of a larger strategy to make it harder for state-sponsored hackers to operate.

The seizure of these 50 websites is a clear win for cybersecurity. It disrupts a key tool Thallium used to target individuals working on sensitive issues. But the threat is not gone. North Korea’s hacking capabilities remain sophisticated. The group will likely adapt, finding new domains and methods. Microsoft’s action buys time and sends a message: the U.S. and its allies will fight back. For now, the fake sites are offline, and the hackers have lost a piece of their infrastructure. The work of protecting data and democracy continues.