The most comprehensive open-source reconnaissance of North Korea's public internet infrastructure.
A Hyperion project.
Conducted: 2026-05-02 / 2026-05-03
Target: 175.45.176.0/22 — AS131279 (STAR-KP / Korea Post & Telecom), Pyongyang, DPRK
Total domains documented: ~56
Total files collected: 8,238 across 860 directories
⚠️ This project is ongoing. North Side is not a one-time snapshot — Hyperion will be updating and expanding this database on a rolling basis as new data is collected. Last updated: 2026-05-03.
⚠️ GitHub viewers: the snapshots folder is hosted at https://archive.org/details/north-side-snapshots.tar
Project North Side is a systematic, multi-source reconnaissance of the entire publicly reachable North Korean internet. The DPRK's public-facing internet exists on a single /22 IP block (1,024 addresses) routed through two upstream providers. This project scanned, fingerprinted, enumerated, and archived everything reachable on that block from the open internet.
To the best of our knowledge, this is the most complete correlated record of North Korea's public internet infrastructure that exists — covering DNS, web, mail, network gear, TLS certificates, and full site content.
Data was collected from five independent sources and cross-correlated:
1. nmap port scan
Full /22 sweep across 67 ports including web, mail, DNS, database, admin, and remote access ports.
Command: `nmap -T4 --min-rate 5000 -n -Pn -e nordlynx -iL targets.txt`
Duration: 42.43 seconds across all 1,024 hosts.
2. httpx enrichment
HTTP/HTTPS probing of all responsive hosts with tech fingerprinting, title extraction, redirect following, and server banner collection.
3. Censys passive data
Cross-referenced against Censys indexed records to surface hosts and services missed by active scanning (DNS servers, mail servers, FTP servers, XAMPP cluster).
4. DNS sweep
114 domains queried against both public DNS resolvers and directly against NK's own nameserver (ns1.kptc.kp at 175.45.176.15). Covered all record types: A, MX, NS, TXT (SPF), SOA. Zone transfer attempted and denied.
5. Full site crawl
Playwright-based crawler with per-page screenshots, full HTML archival, HAR network captures, image downloading with perceptual hashing, and metadata extraction (emails, phones, JSON-LD, OG tags, tech stack). Ran against every identified domain.
| Category | Count | Notes |
|---|---|---|
| IP range | /22 (1,024 addresses) | AS131279, Pyongyang |
| Web servers | 10 identified | Apache dominant |
| DNS servers | 4 real + anomaly | 683 IPs respond on port 53 |
| Mail servers | 4 | All Postfix |
| FTP servers | 2 | Censys only, not scanned |
| Network gear | 1 | Cisco IOS router/switch |
| XAMPP nodes | 3 | Dev stack exposed to internet |
| Domains documented | ~56 | 30 original + ~26 newly discovered |
| Internal-only domains | 7 | Leaked via TLS cert SANs |
Exposed Cisco router — 175.45.177.65 is an internet-facing Cisco IOS device with Telnet (port 23) open to the public internet. SSH is also open. This is live routing infrastructure with no access control visible from outside.
National firewall DNS interception — 683 of 1,024 hosts in the /22 respond on port 53. This is not 683 DNS servers. It is almost certainly a national middlebox intercepting all DNS queries on every IP in the range. A parallel anomaly exists on ports 80, 443, and 8080 where hundreds of IPs accept TCP connections that don't correspond to real web servers.
North Korea's national Certificate Authority — The TLS certificate on 175.45.176.75 (Voice of Korea) was issued by CN=www.dprk.gov.kp / O=dprk, with contact email eitc@star-co.net.kp. This is the first public documentation of NK's internal CA infrastructure. dprk.gov.kp resolves to nothing publicly — it is internal only.
Kwangmyong intranet hostname leak — The same TLS certificate contains krt.kp and tech.krt.kp as Subject Alternative Names. These are hostnames from North Korea's domestic intranet (Kwangmyong) that have leaked into a public-facing certificate. This appears to be the first documented bleed between Kwangmyong and the public internet.
Let's Encrypt certificate on NK infrastructure — 175.45.176.91 (Central Zoo / kza.org.kp) holds a certificate issued by Let's Encrypt in April 2026. It is the only NK host with a certificate from a US-based CA, and the only host running Next.js — anomalous against the rest of the stack.
Xen virtualisation cluster — The TLS certificate at 175.45.176.80 has CN=5-XEN, indicating this is node 5 of a Xen hypervisor cluster. Nodes 1–4 exist somewhere in the range but were not identified.
XAMPP development stack exposed — Three hosts (175.45.176.21, .22, .32) run XAMPP (a development/testing web stack) with multiple unusual ports open including SIP/VoIP (5061), suggesting internal communications infrastructure accidentally exposed to the internet.
Routing split — The /22 is split across two upstream providers. 175.45.176.x and 175.45.177.x route via China Unicom (AS4837). 175.45.178.x and 175.45.179.x route via Russia's TransTelekom (AS20485). Mail infrastructure and portal.net.kp sit exclusively on the Russian-routed subnet.
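The port 53 finding above rests on responder density rather than on any single host: 683 of 1,024 addresses answering describes the network path, not an inventory of servers. The sketch below is an added example (not part of the North Side tooling) that applies that test to nmap grepable (`-oG`) output. The 10.0.0.0/22 sample data, the function names and the 25% threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_network

# A "Host:" line of nmap grepable (-oG) output looks like:
# Host: 10.0.0.15 ()\tPorts: 53/open/tcp//domain///, 23/closed/tcp//telnet///
OPEN_TCP = re.compile(r"\b(\d+)/open/tcp/")

def open_port_counts(grepable_lines):
    """Count, per TCP port, how many distinct hosts report it open."""
    seen = set()
    for line in grepable_lines:
        if not line.startswith("Host: ") or "Ports: " not in line:
            continue  # skip comments and "Status:" lines
        host = line.split()[1]
        for port in OPEN_TCP.findall(line.split("Ports: ", 1)[1]):
            seen.add((host, int(port)))
    return Counter(port for _, port in seen)

def classify_ports(counts, range_size, threshold=0.25):
    """Label each port by the share of the whole block that answers on it.

    threshold is an assumed cut-off: a port open on a larger share of the
    block than that is treated as something answering in-path, not as
    that many separate servers.
    """
    report = {}
    for port, hosts in sorted(counts.items()):
        share = hosts / range_size
        label = "range-wide anomaly" if share > threshold else "per-host service"
        report[port] = (hosts, round(share, 3), label)
    return report

def constructed_scan(cidr="10.0.0.0/22"):
    """Constructed sample shaped like the counts in the text (not real scan output)."""
    lines = []
    for i, addr in enumerate(ip_network(cidr)):
        ports = ["23/closed/tcp//telnet///"]
        if i < 683:            # 683 of 1,024 addresses answer on 53
            ports.append("53/open/tcp//domain///")
        if i % 256 == 33:      # four mail hosts, one per /24
            ports.append("25/open/tcp//smtp///")
        lines.append(f"Host: {addr} ()\tPorts: {', '.join(ports)}")
    return lines

if __name__ == "__main__":
    size = ip_network("10.0.0.0/22").num_addresses
    for port, row in classify_ports(open_port_counts(constructed_scan()), size).items():
        print(port, row)
```

Ports labelled range-wide should be left out of host and service counts until individual responders are confirmed by content, which is how the summary table separates "4 real" DNS servers from the 683 responders.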
The single largest server in NK infrastructure. Hosts virtually all government ministries and cultural organisations. Apache 2.4.25 / RedStar OS 4.0.
naenara.com.kp · mfa.gov.kp · moph.gov.kp · tourismdprk.gov.kp · koreanarchitecture.gov.kp · mirae.aca.kp · kza.org.kp · sdprk.org.kp · yongsaeng.org.kp · korean-books.com.kp · korstamp.com.kp · pyongyangtimes.com.kp · minju.rep.kp · youth.rep.kp + www variants
nginx 1.18.0 / Apache 2.4.25. Commercial, educational, and portal domains.
dprkportal.kp · friend.com.kp · knic.com.kp · kftrade.com.kp · kut.edu.kp · koredufund.org.kp · mediaryugyong.com.kp · fia.law.kp · ryongnamsan.edu.kp
kcna.kp → 175.45.176.71 (primary) / 175.45.177.1 (mirror)
vok.rep.kp → 175.45.176.75 (+ mirrors at .73, .83, .85 per TLS SAN)
rodong.rep.kp → 175.45.176.68 (302 redirect, destination unknown)
ma.gov.kp → 175.45.176.76 (Maritime Administration — login page exposed)
lritdc.rcc.net.kp → 175.45.176.72 (Ship tracking — Windows Server / IIS 7.5, only non-Linux host)
| Hostname | IP | Role |
|---|---|---|
| mail.airkoryo.com.kp | 175.45.177.33 | Inbound (Air Koryo, Silibank, futurere) |
| mail.silibank.net.kp | 175.45.177.33 | Inbound (shared) |
| mail.ryongnamsan.edu.kp | 175.45.178.55 | Inbound (university + STAR) |
| smtp.ryongnamsan.edu.kp | 175.45.178.56 | Outbound relay (shared) |
| smtp1.ryongnamsan.edu.kp | 175.45.178.57 | Secondary outbound relay |
| Hostname | IP | Role |
|---|---|---|
| ns1.kptc.kp | 175.45.176.15 | Primary TLD nameserver (.kp) |
| ns2.kptc.kp | 175.45.176.16 | Secondary TLD nameserver |
| ns1.silibank.net.kp | 175.45.176.8 | Primary domain nameserver (all .kp domains) |
| (unnamed) | 175.45.176.9 | Secondary domain nameserver |
SOA serial for kp. is 2013083001 — the public zone has not been updated since August 30, 2013.
| Layer | Technology |
|---|---|
| OS | RedStar OS 4.0 (NK custom Linux, ~2016-era) — dominant |
| Web server | Apache 2.4.25 + PHP 5.6.2 + OpenSSL 1.0.1e — dominant |
| Web outliers | nginx 1.18.0, Microsoft IIS 7.5, Next.js |
| Mail | Postfix (all mail servers) |
| DNS | ISC BIND on Red Hat Enterprise Linux |
| Network | Cisco IOS |
| Dev stack | XAMPP (exposed to internet) |
| Virtualisation | Xen hypervisor |
| TLS | Self-signed (most), NK national CA (vok.rep.kp), Let's Encrypt (kza.org.kp) |
The dominant stack is uniformly ~2016-era software. The entire infrastructure appears to have been deployed around the RedStar OS 4.0 release period and not substantially updated since.
The following were identified but not fully captured:
- 8080 hosts — 23 IPs respond on port 8080 with no identified hostname or content
- 302 redirect destinations — Rodong Sinmun (.176.68) and Air Koryo (.176.69) redirect to unknown destinations
- VoK mirror IPs — .176.73, .176.83, .176.85 appear in TLS SAN but were not independently verified
- Xen nodes 1–4 — only node 5 confirmed; others exist somewhere in the range
- FTP servers — .177.41 and .177.42 identified by Censys but not scanned (port 21 excluded from nmap run)
- .178.x/.179.x subnets — Russian-routed subnets have far fewer identified hosts; likely more present
- Kwangmyong — the domestic intranet is air-gapped and unreachable from outside by design
North Korea's public internet is intentionally tiny. The country operates a parallel domestic intranet (Kwangmyong) that is air-gapped from the global internet. What is documented here represents the entirety of what the DPRK chooses to expose to the outside world — state media, a handful of government portals, commercial fronts, and the telecom and banking infrastructure that supports them.
The 2016 DNS zone leak (@mandatoryprogrammer) gave researchers the first real map of .kp domains. Project North Side builds on that foundation with active scanning, passive enrichment, and full content archival to produce what is, to our knowledge, the most complete record of this infrastructure to date.
Other notable public research into North Korea's internet infrastructure:
North Korea DNS Leak — mandatoryprogrammer (2016)
A misconfiguration in North Korea's nameserver briefly allowed public zone transfers of the entire .kp TLD, exposing the full list of registered domains. The foundational domain list that most subsequent NK internet research is built on, including North Side.
nknetobserver — nknetobserver (2011–2014)
The original systematic port scanning of the 175.45.176.0/22 range, started the day after Kim Jong Un came to power. Documents the evolution of NK's internet infrastructure over three years including the first sightings of RedStar OS on public-facing servers, an exposed Cisco router, and a MacBook Air on a live NK IP.
Project North Side — Hyperion — 2026
