<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Dennis Kim</title>
    <description>The latest articles on Forem by Dennis Kim (@denniskim).</description>
    <link>https://forem.com/denniskim</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3942314%2F8a6845df-b1fa-4c2e-a916-f381cf96fa16.jpeg</url>
      <title>Forem: Dennis Kim</title>
      <link>https://forem.com/denniskim</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/denniskim"/>
    <language>en</language>
    <item>
      <title>Why Does DeepSeek Pursue Alpha in Finance?</title>
      <dc:creator>Dennis Kim</dc:creator>
      <pubDate>Sun, 24 May 2026 14:06:07 +0000</pubDate>
      <link>https://forem.com/denniskim/why-does-deepseek-pursue-alpha-in-finance-40go</link>
      <guid>https://forem.com/denniskim/why-does-deepseek-pursue-alpha-in-finance-40go</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;A research analyst's perspective on where AI and finance intersect&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;As of 2026, generative AI is used pervasively in investment research. So in this already-crowded market, why does DeepSeek emphasize financial reasoning, and can that translate into genuine excess returns (alpha)? This piece examines the argument not through benchmarks or marketing, but through the model's design architecture and the background of its parent company.&lt;/p&gt;

&lt;p&gt;While running the &lt;a href="https://github.com/gameworkerkim/vibe-investing" rel="noopener noreferrer"&gt;vibe-investing&lt;/a&gt; repository and analyzing market conditions and individual stocks through various LLM prompts, I noticed something interesting: DeepSeek pursues the alpha returns of aggressive investing.&lt;/p&gt;

&lt;h2&gt;1. The Differentiator — Context, Not Calculation&lt;/h2&gt;

&lt;p&gt;The real weakness of financial AI is closer to "calculation without context" than to hallucination. Pulling figures like a forward P/E or the VIX can be done with a simple search. What matters is the ability to connect those numbers and convert them into the judgment of &lt;strong&gt;"is now the time to buy?"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;DeepSeek combines an &lt;strong&gt;MoE (Mixture of Experts)&lt;/strong&gt; architecture with &lt;strong&gt;reinforcement-learning-based reasoning (Chain-of-Thought)&lt;/strong&gt;, designed so that a single model handles numerical computation, historical pattern matching, and counter-argumentation within one reasoning chain.&lt;/p&gt;

&lt;p&gt;For example, in checking a correction-market buy signal, it moves through these stages: statistical contextualization ("a 36% gain is a hindsight figure; on a year-end buying basis, 19% is correct"), exception handling for historical cases (the failures of 1939, 1966, 1970, and 1974), and causal attribution (are interest rates, oil prices, and tariffs "political noise" or a "structural crisis"?).&lt;/p&gt;

&lt;p&gt;In short, it is designed to mimic an analyst's thought process: hypothesis formation → cross-validation of data → attempt at refutation → confidence assignment.&lt;/p&gt;

&lt;h2&gt;2. The Structural Reason for Its Financial Strength: Parent Company High-Flyer&lt;/h2&gt;

&lt;p&gt;The core reason DeepSeek started from a different line than general-purpose LLMs lies in its corporate background. This model was not born in an academic lab or a Big Tech research division, but spun out of one of China's largest quantitative hedge funds, Huanfang Quant (幻方量化, High-Flyer Quant).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The nature of the parent company.&lt;/strong&gt; Founder Liang Wenfeng (梁文锋), after graduating from Zhejiang University, co-founded the quantitative hedge fund High-Flyer in 2015 and introduced AI into its trading strategies. The entity was established in February 2016, and as of December 2025 it managed roughly USD 10 billion in assets. In 2025, High-Flyer managed about RMB 70 billion (roughly USD 10 billion) and posted an average return of 56.6%, ranking second among Chinese quant funds above RMB 10 billion in size. First place went to Lingjun Investment, which recorded 73.5%.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The conversion of compute infrastructure.&lt;/strong&gt; Liang began buying thousands of NVIDIA GPUs from 2021, before the U.S. export restrictions on AI chips to China. These were initially for algorithmic trading, and later became the foundation for the 2023 launch of DeepSeek. The large-scale compute capacity and data-engineering know-how accumulated in financial operations were carried directly over into AI infrastructure.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The principle of independence.&lt;/strong&gt; Until April 2026, DeepSeek operated entirely on High-Flyer's capital, without external venture funding, and did not disclose revenue. This approach of focusing on research free from external pressure is interpreted as a deliberate choice to avoid being bound by a short-term commercialization timetable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The pivot to fundraising (2026).&lt;/strong&gt; In April 2026, Liang used his own money to increase DeepSeek's registered capital by 50%, from RMB 10 million to RMB 15 million; his personal contribution rose from RMB 100,000 to RMB 5.1 million, raising his effective control to about 84.3%. DeepSeek subsequently pursued its first external funding round of USD 3–4 billion at a valuation of roughly USD 50 billion (around USD 45 billion per some reports), led by China's national semiconductor and AI fund, with Tencent and Hillhouse among those discussing participation. Liang holds about 90% of the company, and the primary reason for accepting outside investment was to offer equity to employees in response to talent poaching by rivals.&lt;/p&gt;

&lt;h2&gt;3. The Live Test: Alpha Arena Results&lt;/h2&gt;

&lt;p&gt;In October 2025, in the real-money trading competition Alpha Arena hosted by the financial-AI lab Nof1.ai, six models (Qwen3 Max, DeepSeek Chat V3.1, GPT-5, Gemini 2.5 Pro, Claude Sonnet 4.5, Grok 4) each autonomously traded cryptocurrency perpetual futures on Hyperliquid with USD 10,000.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠ Correction of the figures&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The winner was Qwen3 Max (about 22.32% return); DeepSeek came second at about 4.89%, while the four U.S. models recorded losses of 30.81% to 62.66%. DeepSeek reached a peak of +125% mid-competition but then gave back a large portion, ending with a single-digit final return. In other words, "an overwhelming first place" is not accurate; "a mid-race peak followed by a sharp pullback to a final second place" is correct. That said, one can observe in this the hedge-fund-like character of parent company High-Flyer, which pursues strong alpha in rising markets.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The broader picture, with Chinese models (trained on essentially unlimited financial-trading data) on top and U.S. models broadly in the red, is consistent with the final results. The competition revealed that high scores on static academic benchmarks (MMLU, GPQA, etc.) do not guarantee survival and profit in highly uncertain real markets. According to the organizers' commentary, Qwen3 Max and DeepSeek managed leverage and hedging relatively stably, whereas GPT-5, Gemini, and Claude suffered heavy losses from excessive leverage and inadequate risk management.&lt;/p&gt;

&lt;h2&gt;4. The Evaluation Standard — Falsifiability, Not Accuracy&lt;/h2&gt;

&lt;p&gt;The quality of financial research is measured by falsifiability rather than accuracy. "The market may go up or down" is 100% correct but has zero information value. Genuine insight comes from concretely specifying "the reasons not to buy right now" and stating the conditions under which that logic would be wrong. DeepSeek's reasoning structure is designed to generate and re-evaluate counter-arguments to its own conclusions, so that alongside a "do not buy" conclusion it must also present a contrary scenario such as "EPS continuing to grow at double digits."&lt;/p&gt;

&lt;p&gt;Simplifying the positioning among models: ChatGPT (the GPT family) is strong at explanation drawn from a vast knowledge base; Claude (Anthropic) is strong at advice centered on safety and alignment; Gemini (Google) is strong at information retrieval built on real-time data and ecosystem integration. DeepSeek positions "structured skepticism" as its differentiator.&lt;/p&gt;

&lt;h2&gt;5. Why Finance? — An Asymmetric Domain&lt;/h2&gt;

&lt;p&gt;Financial markets are a brutal testbed for AI. A predictive edge of just 51% can be enough to beat the market, yet it is an asymmetric structure in which a single tail risk can wipe out many successes. In this environment, the meaningful goal is not prediction but scenario calibration.&lt;/p&gt;

&lt;p&gt;For instance, the skill lies not in delivering data showing the equity risk premium (ERP) is at dot-com-bubble levels as a mere warning, but in simultaneously evaluating "the conditions under which the market could still rise further from that level" and "the triggers that lead to collapse." Room for excess returns opens up when narrative fallacies such as "midterm-election years always rose" can be systematically dismantled.&lt;/p&gt;

&lt;h2&gt;6. Open Source and Verifiability&lt;/h2&gt;

&lt;p&gt;Black-box models are hard to use as a basis for asset allocation because their reasoning paths cannot be verified. Even while taking outside funding, DeepSeek maintains its stance of releasing open-source models and prioritizing fundamental research over short-term commercialization. When the thinking process is exposed, users can evaluate the soundness of the argument rather than just the result, which also dovetails with the procedural verification (auditability) demanded in regulated environments. The low inference cost based on MoE is a secondary benefit.&lt;/p&gt;

&lt;h2&gt;Closing&lt;/h2&gt;

&lt;p&gt;The advance of market research has come from better questions, not more accurate answers. Insight begins the moment one asks not "should I buy now?" but "is the current decline political noise or structural damage?" The grounds for DeepSeek's advantage in financial reasoning are clear.&lt;/p&gt;

&lt;p&gt;They are: parent company High-Flyer's long experience in algorithmic trading, a history of independence that allowed it to focus on research free from outside capital pressure, and verifiability based on open source. That said, as the Alpha Arena results show, the real-world edge is not absolute (a final second place, a mid-race peak followed by a sharp pullback) and hinges on consistency in risk management. I believe this part can be overcome by revising strategy through LLM prompts.&lt;/p&gt;

&lt;p&gt;The core lesson the market teaches is not computational speed or data volume, but that the intellectual honesty to refute oneself is what determines long-term survival.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This column is a general analysis based on DeepSeek's design architecture, publicly available information about parent company High-Flyer Quant, and public test results such as Alpha Arena. It does not recommend any specific investment.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;Key References&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;High-Flyer 2025 returns &amp;amp; AUM:&lt;/strong&gt; &lt;a href="https://www.scmp.com/tech/tech-trends/article/3339633/deepseek-founders-high-flyer-ranks-among-chinas-top-hedge-fund-firms-2025" rel="noopener noreferrer"&gt;SCMP&lt;/a&gt; · &lt;a href="https://www.bloomberg.com/news/articles/2026-01-12/deepseek-founder-liang-s-funds-surge-57-as-china-quants-boom" rel="noopener noreferrer"&gt;Bloomberg&lt;/a&gt; · &lt;a href="https://www.hedgeweek.com/high-flyer-posts-57-gain-as-chinas-quant-hedge-funds-outperform/" rel="noopener noreferrer"&gt;Hedgeweek&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Liang Wenfeng / High-Flyer founding &amp;amp; GPU acquisition:&lt;/strong&gt; &lt;a href="https://www.fortune.com/2025/01/27/deepseek-founder-liang-wenfeng-hedge-fund-manager-high-flyer-quant-trading" rel="noopener noreferrer"&gt;Fortune&lt;/a&gt; · &lt;a href="https://en.wikipedia.org/wiki/High-Flyer" rel="noopener noreferrer"&gt;Wikipedia – High-Flyer&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Alpha Arena final results (Qwen 1st, DeepSeek 2nd):&lt;/strong&gt; &lt;a href="https://thechinaacademy.org/china-us-ai-crypto-trading-showdown-chatgpt-gets-wiped-out/" rel="noopener noreferrer"&gt;The China Academy&lt;/a&gt; · &lt;a href="https://www.iweaver.ai/blog/alpha-arena-ai-trading-season-1-results/" rel="noopener noreferrer"&gt;iWeaver AI&lt;/a&gt; · &lt;a href="https://www.bitget.com/news/detail/12560605033585" rel="noopener noreferrer"&gt;Bitget News&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;DeepSeek registered-capital increase &amp;amp; external funding:&lt;/strong&gt; &lt;a href="https://www.yicaiglobal.com/news/deepseek-founder-injects-own-funds-to-lift-chinese-ai-firms-registered-capital-by-50" rel="noopener noreferrer"&gt;Yicai Global&lt;/a&gt; · &lt;a href="https://techfundingnews.com/tencent-to-back-deepseek-in-4b-round-at-50b-valuation-marking-first-external-funding-report/" rel="noopener noreferrer"&gt;TechFundingNews&lt;/a&gt; · &lt;a href="https://theaiinsider.tech/2026/05/08/deepseek-seeks-first-outside-funding-at-45b-valuation-as-china-backs-homegrown-ai-rival/" rel="noopener noreferrer"&gt;The AI Insider&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Open source / AGI stance:&lt;/strong&gt; &lt;a href="https://thenextweb.com/news/deepseek-agi-goal-10bn-funding-round" rel="noopener noreferrer"&gt;TNW&lt;/a&gt; · &lt;a href="https://www.bloomberg.com/news/articles/2026-05-22/deepseek-founder-declares-agi-goal-as-10-billion-round-advances" rel="noopener noreferrer"&gt;Bloomberg&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;🔗 &lt;strong&gt;Related repository:&lt;/strong&gt; &lt;a href="https://github.com/gameworkerkim/vibe-investing" rel="noopener noreferrer"&gt;vibe-investing&lt;/a&gt; — an AI-driven investment-research curation combining quant theory, Python backtesting, and Claude prompt templates&lt;/p&gt;

</description>
      <category>ai</category>
      <category>deepseek</category>
      <category>trading</category>
      <category>finance</category>
    </item>
    <item>
      <title>What Korea's Foreign Exchange Transactions Act Amendment Means for Offshore Foundations and Exchanges</title>
      <dc:creator>Dennis Kim</dc:creator>
      <pubDate>Fri, 22 May 2026 00:16:05 +0000</pubDate>
      <link>https://forem.com/denniskim/what-koreas-foreign-exchange-transactions-act-amendment-means-for-offshore-foundations-and-3m56</link>
      <guid>https://forem.com/denniskim/what-koreas-foreign-exchange-transactions-act-amendment-means-for-offshore-foundations-and-3m56</guid>
      <description>&lt;h1&gt;What Korea's Foreign Exchange Transactions Act Amendment Means for Offshore Foundations and Exchanges&lt;/h1&gt;

&lt;p&gt;&lt;em&gt;A column by Dennis Kim · May 2026&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;On May 7, 2026, the plenary session of Korea's National Assembly passed an amendment to the Foreign Exchange Transactions Act, establishing a new registration obligation for the cross-border transfer of virtual assets. A separate category—"digital asset transfer business"—was created, formally designating virtual asset service providers (VASPs) as the accountable parties for cross-border digital asset flows. The debate so far has centered mainly on the registration burden that domestic exchanges and custodians will carry. But the parties this amendment shakes most quietly, and most deeply, lie elsewhere: the offshore foundations and offshore exchanges that look at the Korean market from abroad.&lt;/p&gt;

&lt;h2&gt;Why Offshore Players Are the Crux&lt;/h2&gt;

&lt;p&gt;The structural signature of Korea's digital asset market is an asymmetry: domestic liquidity is enormous, yet much of the issuance and infrastructure sits offshore. The foundations that issue tokens are domiciled in Singapore, the Cayman Islands, Zug in Switzerland, or the British Virgin Islands (BVI), while liquidity and settlement infrastructure are held by global exchanges. Korean investors and Korean projects have transacted on top of this offshore structure.&lt;/p&gt;

&lt;p&gt;Until now, this flow operated in a "gray zone." Whether an offshore foundation distributed tokens to Korean investors, or a global exchange moved a Korean user's assets across the border, it was unclear whether such activity even fell within the discipline of the foreign exchange order. This amendment resolves that ambiguity. The moment cross-border movement of digital assets enters the foreign exchange monitoring framework, the new test—regardless of whether the party involved is a domestic or foreign entity—becomes whether the activity constitutes a "transfer business between Korea and a foreign country."&lt;/p&gt;

&lt;h2&gt;Three Questions Offshore Foundations Will Face&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;First, is token distribution targeting Korea a "transfer business"?&lt;/strong&gt; The first issue is whether an offshore foundation airdropping tokens to Korean residents, or transferring tokens to a Korean partner as collateral or consideration, falls within the scope of the digital asset transfer business. If subordinate legislation interprets this scope broadly, issuance and distribution activity aimed at the Korean market could itself become subject to registration or reporting. For a foundation, this creates a burden to legally examine, from the token design stage onward, "how does this reach Korean residents?"&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Second, Korean partnerships become a channel of regulatory exposure.&lt;/strong&gt; The typical way an offshore foundation enters the Korean market is through collaboration with domestic builders, marketing partners, and listing advisors. But now, the moment a domestic partner becomes involved in a "cross-border transfer," there is a risk that the partner could be construed as conducting an unregistered transfer business. As a result, the offshore foundation's compliance risk shifts onto the Korean partner—and conversely, Korean partners may engage in adverse selection, avoiding collaboration with offshore foundations because of the regulatory burden. The threshold for entering Korea moves from "technical validation" to "regulatory-fit validation."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Third, there is interpretive risk around circumvention structures.&lt;/strong&gt; If the legislative intent is to prevent evasion that merely changes form, the key question is how transactions such as cross-chain bridges, token swaps, and overseas wallet integrations—"economically similar to cross-border transfer but technically different in mechanism"—will be treated. That said, based on what has been disclosed so far, it is difficult to conclude whether the statutory text explicitly captures such circumvention transactions. This is a core issue that must be confirmed in the enforcement decree and the Foreign Exchange Transactions Regulations advance-notice draft, and an offshore foundation's Korea strategy can only remain provisional until the contours of that subordinate legislation emerge.&lt;/p&gt;

&lt;h2&gt;Offshore Exchanges: The Definition of "Doing Business in Korea" Is Rewritten&lt;/h2&gt;

&lt;p&gt;For offshore exchanges, this amendment is more direct. Korea has already imposed reporting obligations under the Act on Reporting and Use of Specific Financial Transaction Information (the "Specific Financial Information Act") on foreign VASPs serving Korean nationals, and several global exchanges have responded by blocking Korean-language services, restricting Korean IPs, and suspending new sign-ups. This amendment adds a new axis of discipline on top of that: "cross-border transfer of digital assets."&lt;/p&gt;

&lt;p&gt;The crux is how the act of a global exchange moving a Korean user's assets between its own platform and external wallets or offshore entities will be assessed from the standpoint of the digital asset transfer business. If an exchange's withdrawals, remittances, and internal transfers are captured as "transfers between Korea and a foreign country," then accepting Korean users could itself trigger a registration obligation. Choosing to register means bearing the same burden as a domestic operator: reporting under the Specific Financial Information Act, network connectivity with data-relay and data-aggregation institutions, securing facilities and specialized personnel, and responding to inspections. Choosing to avoid registration leaves only the path of more aggressively blocking services to Korean users.&lt;/p&gt;

&lt;p&gt;Here the market is likely to polarize. A handful of large global exchanges with the capital and compliance capabilities may view Korea as "a market worth registering to enter" and pursue formal entry. By contrast, smaller offshore exchanges and platforms closer to a decentralized structure—if they judge that the regulatory cost of the Korean market exceeds expected returns—will withdraw from Korea or keep their distance. The spectrum of offshore exchanges accessible to Korean investors narrows.&lt;/p&gt;

&lt;h2&gt;The Light and Shadow of Legitimization&lt;/h2&gt;

&lt;p&gt;This change should not be viewed only negatively. Parts of the industry read this amendment as a signal of "market legitimization." There has long been room to use digital assets for trade-payment remittance and overseas settlement, but the absence of clear institutional standards made it hard for corporations to actually adopt them. The message that the government has begun to recognize cross-border digital asset movement as a mainstream flow can, for licensed operators, become an opportunity that confers more functions and more roles.&lt;/p&gt;

&lt;p&gt;This logic applies to offshore players as well. Once the contours of regulation become clear, predictability actually increases for global exchanges seeking formal entry into the Korean market and for offshore foundations seeking to partner with Korean institutions. Particularly in areas with clear institutional demand—multi-currency stablecoin-based international payment and settlement, and tokenized real-world asset (RWA) transactions—a lawful channel emerges that connects registered domestic infrastructure operators with global issuers and financial institutions. In an institutional market where trust is a precondition for transacting, the very fact of being a "disciplined market" becomes an entry incentive in itself.&lt;/p&gt;

&lt;p&gt;The problem is that this opportunity is by no means distributed evenly. The direct beneficiaries of this amendment are large operators that already possess capital and legal/compliance capabilities. The same holds on the offshore side. Global top-tier exchanges and large stablecoin issuers have the resources to adapt to Korea as a disciplined market, but newly launched foundations leading with innovative technology, and technology-neutral infrastructure operators, continue to bear the uncertainty of not even being able to judge whether their service is subject to regulation. Ultimately, the composition of offshore participants in the Korean market will be reshaped through "selective institutional inclusion."&lt;/p&gt;

&lt;h2&gt;What Korea Must Choose&lt;/h2&gt;

&lt;p&gt;At this juncture, policymakers must be clear about the following.&lt;/p&gt;

&lt;p&gt;Subordinate legislation must not draw the scope of "digital asset transfer business" so broadly that it sucks in all issuance and distribution activity aimed at Korea. If an unclear standard such as "substantially the same effect" is introduced, more granular criteria—by technology type and by service type—must be presented alongside it. For non-custodial services, protocol developers, and DeFi models, what is required is not uniform regulation but a differentiated approach based on controllability and function. Above all, policymakers must make clear that the goal of the institutional design is not mere control, but securing competitiveness in international payment and settlement infrastructure and fostering the industry.&lt;/p&gt;

&lt;p&gt;Korea may succeed in "managing" digital asset flows. But whether offshore foundations and global exchanges see Korea as "a market worth entering," or as "a market where costs exceed benefits," depends entirely on the precision of the subordinate legislation. If the regulatory threshold is set too high, the world's innovative liquidity and issuance capacity will route around Korea—and the cost will ultimately be borne by Korean investors and Korean projects.&lt;/p&gt;

&lt;p&gt;The question is now clear. Is Korea ready to accept the offshore digital asset ecosystem as a partner for next-generation international payment and settlement infrastructure—or will it treat it merely as an external risk to be surveilled? Within the answer to that question, Korea's place on the global digital asset map will be decided.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;※ This column is based on press coverage of the Foreign Exchange Transactions Act amendment passed on May 7, 2026. Certain issues, such as whether circumvention transactions with "substantially the same effect" are captured, require final confirmation in the forthcoming enforcement decree and Foreign Exchange Transactions Regulations advance-notice draft.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://github.com/gameworkerkim/vibe-investing/blob/main/02.Investment%20Idea%20Column/Korea_FX_Act_Amendment_Offshore_Foundations_Exchanges/Korea_FX_Act_Amendment_Offshore_Foundations_Exchanges.md" rel="noopener noreferrer"&gt;Source GitHub&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;h3&gt;About the Author — Dennis Kim&lt;/h3&gt;

&lt;p&gt;Dennis Kim is a quantitative analyst and AI researcher operating at the convergence of artificial intelligence and global financial markets. Since 2017, he has been deeply engaged in the blockchain industry, emerging as a key player connecting Korea and the broader Asian market—bridging ecosystems, capital, and technology across the region.&lt;/p&gt;

&lt;p&gt;He served as CEO of Cyworld (Cyworld Z), steering one of Korea's most iconic social platforms, and built his foundation as a hands-on programmer with deep roots in the game security industry. Microsoft recognized his technical leadership with the Azure MVP award for nine consecutive years (2015–2023), and he remains an active cyber threat intelligence and security expert, publishing multilingual threat research read across the industry.&lt;/p&gt;

&lt;p&gt;As a columnist, Dennis writes for both technical and general audiences, translating complex macroeconomic narratives and AI-driven signals into clear, actionable insight. Today, much of that work lives in his Vibe Investing repository, where he publishes deep-dive investment columns and develops AI-driven trading systems—turning the noise of markets and machine learning into a coherent investment edge.&lt;/p&gt;

&lt;p&gt;His current focus sits squarely on the future he's spent his career preparing for: the fusion of AI and financial markets, where engineering rigor, security discipline, and market intuition meet.&lt;/p&gt;

</description>
      <category>cryptocurrency</category>
      <category>korea</category>
      <category>blockchain</category>
      <category>web3</category>
    </item>
    <item>
      <title>Samsung and SK Hynix: The Unavoidable Gatekeepers of the AI Revolution</title>
      <dc:creator>Dennis Kim</dc:creator>
      <pubDate>Thu, 21 May 2026 15:42:46 +0000</pubDate>
      <link>https://forem.com/denniskim/samsung-and-sk-hynix-the-unavoidable-gatekeepers-of-the-ai-revolution-4g51</link>
      <guid>https://forem.com/denniskim/samsung-and-sk-hynix-the-unavoidable-gatekeepers-of-the-ai-revolution-4g51</guid>
      <description>&lt;h1&gt;Samsung and SK Hynix: The Unavoidable Gatekeepers of the AI Revolution&lt;/h1&gt;




&lt;h2&gt;Introduction&lt;/h2&gt;

&lt;p&gt;As the artificial intelligence revolution accelerates, the bottleneck in the global technology supply chain has shifted dramatically. Where once advanced logic chips were the scarcest resource, today the world faces a structural shortage of the memory semiconductors that store, shuttle, and serve the data powering every AI model. At the center of this new scarcity stand two Korean companies—Samsung Electronics and SK Hynix—whose combined dominance over the global DRAM and NAND flash markets has transformed them from commodity suppliers into strategic gatekeepers of the AI era.&lt;/p&gt;

&lt;p&gt;This column examines three converging forces that explain why these two companies merit careful attention from investors: a structural memory shortage that has reversed traditional buyer-supplier dynamics, the advent of agentic AI architectures that dramatically amplify memory intensity, and a geopolitical landscape that increasingly favors Korea over its chief rival, Taiwan.&lt;/p&gt;




&lt;h2&gt;I. The AI Memory Supercycle: When Buyers Fly to Suppliers&lt;/h2&gt;

&lt;p&gt;The most visible sign of the transformation in the memory market is the reversal of traditional procurement dynamics. In a normal cycle, memory buyers hold the upper hand, negotiating prices downward as suppliers compete for volume. Today, the opposite is true.&lt;/p&gt;

&lt;p&gt;Big Tech procurement executives from Apple, Microsoft, Google, and Amazon are making extended business trips to Korea—not for routine supplier meetings, but to personally negotiate for scarce memory allocations. The industry has not witnessed this kind of supplier-dominant dynamic since the early 1990s.&lt;/p&gt;

&lt;p&gt;The numbers tell the story. According to TrendForce, DRAM contract prices surged 93% to 98% quarter-over-quarter in Q1 2026 alone, with Q2 projected to see an additional 58% to 63% increase. NAND Flash prices are following a similar trajectory, with Q2 increases forecast at 70% to 75%. Goldman Sachs has revised its full-year 2026 forecast upward: DRAM prices are now expected to rise 250% to 280% for the year, and NAND prices 200% to 250%, with the bank explicitly stating that "the memory shortage could extend into 2027."&lt;/p&gt;

&lt;p&gt;The supply-side constraint is structural, not cyclical. HBM (High Bandwidth Memory)—the specialized DRAM that sits alongside AI accelerators—consumes roughly three times the wafer area of conventional DRAM per gigabyte produced. As manufacturers allocate ever more capacity to HBM, the supply of conventional DRAM and NAND tightens proportionally. SK Group Chairman Chey Tae-won, speaking at Nvidia GTC 2026, warned that wafer supply remains more than 20% below demand and could take four to five years to catch up, with the shortage potentially persisting until 2030. J.P. Morgan similarly expects structural shortages to extend through at least 2027, and possibly into 2028, as demand growth continues to outstrip supply additions.&lt;/p&gt;

&lt;p&gt;Inventory levels paint an equally stark picture. The three major manufacturers—Samsung, SK Hynix, and Micron—have seen their inventories drop to just three to five weeks of supply, with SK Hynix reportedly down to only two weeks. Industry analysts note that the three companies' entire 2026 production output has effectively already been sold.&lt;/p&gt;

&lt;p&gt;The result is that Big Tech customers are now locking in multi-year supply agreements. Some hyperscale buyers began placing two-year advance orders as early as late 2025, with long-term supply planning for 2027 expected to be finalized by Q1 2026. Up to 40% of some suppliers' output is reportedly locked into giant deals such as SK Hynix's "Project Stargate" partnership with OpenAI.&lt;/p&gt;




&lt;h2&gt;
  
  
  II. Agentic AI: Why Memory Becomes Even More Strategic
&lt;/h2&gt;

&lt;p&gt;If the current memory shortage reflects the demands of today's AI workloads, the next wave—agentic AI—promises to amplify those demands by an order of magnitude.&lt;/p&gt;

&lt;p&gt;Agentic AI refers to systems that do not merely respond to prompts but autonomously plan, reason, and execute multi-step tasks. This paradigm shift imposes fundamentally new requirements on memory subsystems. Traditional AI inference requires holding model weights and key-value (KV) caches in memory. Agentic AI adds two additional memory layers: semantic memory (external knowledge bases and vector databases) and episodic or procedural memory (retaining context across extended interactions).&lt;/p&gt;

&lt;p&gt;The quantitative implications are substantial. Micron Technology has noted that agentic AI workloads are pushing CPU memory support specifications toward 400 GB per chip—roughly four times the current typical configuration of 96 to 256 GB. A single inference sequence on a 70-billion-parameter model with a 128K context window can require approximately 167 GB of KV cache alone.&lt;/p&gt;

&lt;p&gt;Moreover, AI server memory configurations dwarf those of conventional servers. A general-purpose server typically carries 512 GB to 1 TB of DDR5 and about 4 TB of SSD storage. An AI server, by contrast, requires 1.5 TB to 4 TB of DDR5, 8 TB to 16 TB of enterprise SSD, plus additional HBM3E or HBM4 stacks. The gap is widening: in 2026, server DRAM demand is projected to grow more than 40%, server NAND demand 63%, HBM demand 35%, and a new form factor called SOCAMM is expected to surge 150%.&lt;/p&gt;

&lt;p&gt;Micron CEO Sanjay Mehrotra has characterized memory as having become a "strategic asset," predicting that AI-related demand for DRAM and NAND will surpass 50% of the total industry market in 2026. This marks a fundamental shift from memory's historical status as a commoditized input.&lt;/p&gt;

&lt;p&gt;Critically, Samsung Electronics brings a capability that its memory-focused peers cannot match: the ability to manufacture custom logic chips, including AI accelerators, through its foundry business. Samsung Foundry is reportedly in advanced discussions with Google to manufacture the next generation of the search giant's Tensor Processing Units (TPUs)—the custom AI accelerators that compete with Nvidia's GPUs in data center inference. Google TPU executives have visited Samsung's Taylor, Texas facility to assess production capacity.&lt;/p&gt;

&lt;p&gt;This means Samsung can offer hyperscale customers an integrated proposition: HBM memory plus custom logic silicon manufactured under one roof. For Big Tech firms seeking to reduce their dependence on TSMC's Taiwan-based manufacturing monopoly, Samsung's combined memory-plus-logic capability represents a strategically valuable alternative. If TPU volumes ramp—and industry expectations suggest TPU pricing could double in 2026—Samsung stands to capture value across both the memory and logic portions of the AI infrastructure stack.&lt;/p&gt;




&lt;h2&gt;
  
  
  III. Geopolitics: Korea's Structural Advantage Over Taiwan
&lt;/h2&gt;

&lt;p&gt;The third pillar of the investment case for Korean memory manufacturers is geopolitical. Taiwan, home to TSMC and the world's most advanced semiconductor manufacturing cluster, sits under an increasingly explicit security threat from China. The risk of disruption—whether from military action, blockade, or coercive economic measures—has prompted a global rethink of semiconductor supply chain concentration.&lt;/p&gt;

&lt;p&gt;Korea, by contrast, offers a meaningfully different risk profile. While the Korean Peninsula carries its own geopolitical tensions, the nature of the threat differs substantially from the cross-strait dynamic: it is a frozen conflict with well-established deterrence mechanisms rather than an actively escalating territorial dispute. Moody's Analytics has noted that Korea's more diversified industrial base may provide a structural edge over Taiwan in the semiconductor sector.&lt;/p&gt;

&lt;p&gt;But the more immediate advantage is Korea's onshoring strategy. Samsung Electronics is completing a $40 billion semiconductor complex in Taylor, Texas, with production expected to commence in 2026. The facility will manufacture advanced 4-nanometer and 2-nanometer logic chips and includes dedicated research and development and advanced packaging facilities. Samsung is receiving up to $6.4 billion in CHIPS Act funding to support the project. While the Taylor fab's timeline was delayed from its original 2024 target to 2026—owing partly to the need to secure anchor customers—the facility positions Samsung as the only company capable of producing both advanced memory and advanced logic on U.S. soil in the near term.&lt;/p&gt;

&lt;p&gt;SK Hynix, while primarily a memory pure-play, is also building a U.S. advanced packaging facility with a 2028 production target. Combined, these investments give Korea a physical manufacturing presence inside the United States that no other semiconductor-producing nation—including Taiwan—can currently match for memory.&lt;/p&gt;

&lt;p&gt;For AI infrastructure buyers, the calculus is straightforward: Korea can deliver AI infrastructure on time, from facilities located in geopolitically secure jurisdictions. As one industry observer noted, the combination of Korean memory dominance, American logic chip leadership, and U.S.-based end-application giants creates a powerful trilateral axis that Taiwan's pure-foundry model cannot easily replicate.&lt;/p&gt;




&lt;h2&gt;
  
  
  IV. The Financial Picture: Orders, Revenue, and What Comes Next
&lt;/h2&gt;

&lt;p&gt;The strategic dynamics described above are already flowing through to financial results.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Samsung Electronics&lt;/strong&gt; reported consolidated revenue of KRW 133.9 trillion in Q1 2026, with its memory business reaching all-time revenue highs. Operating profit surged 756% year-over-year to KRW 57.2 trillion. KB Securities projects that Samsung's DRAM and NAND average selling prices will rise 297% and 256% respectively in 2026 compared to the prior year.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;SK Hynix&lt;/strong&gt; reported Q1 2026 revenue of KRW 52.5 trillion to KRW 52.6 trillion, representing 198% year-over-year growth. Operating profit reached KRW 37.6 trillion, yielding an operating margin of approximately 72%. Net profit came in at KRW 40.3 trillion—all three metrics representing company records.&lt;/p&gt;

&lt;p&gt;Looking forward, the analyst consensus points to sustained momentum. HSBC recently raised its SK Hynix target price to KRW 2.9 million, forecasting 2026 operating profit of KRW 265 trillion (up 460% year-over-year) on revenue of KRW 329 trillion. Mirae Asset Securities projects SK Hynix's HBM revenue alone will reach KRW 54 trillion in 2026 and KRW 75 trillion in 2027. S&amp;amp;P forecasts SK Hynix's total revenue at KRW 162 trillion in 2026 and KRW 179 trillion in 2027.&lt;/p&gt;

&lt;p&gt;The bull case rests on a straightforward premise: supply will remain structurally constrained through at least 2027-2028, while AI-driven demand—particularly from the agentic AI transition—continues to accelerate. Memory manufacturers have little incentive to aggressively expand conventional capacity when HBM commands dramatically higher margins and is sold out years in advance. Gross margins for Samsung and SK Hynix's memory divisions reportedly exceeded even TSMC's in Q4 2025—a remarkable reversal for an industry historically characterized by boom-bust cycles.&lt;/p&gt;

&lt;p&gt;Risks, of course, exist. A slowdown in AI infrastructure spending, a breakthrough in memory compression technologies, or an unexpected resolution of supply constraints could deflate the current pricing environment. The memory industry's history of cyclicality should give any investor pause. But the structural nature of the current shortage—driven by the physics of HBM wafer consumption and the multi-year lead times for new cleanroom capacity—suggests that this cycle is genuinely different from its predecessors. As one analysis put it, the traditional "two-year cycle" pattern has been broken, with memory industry revenue in 2026 expected to reach more than twice that of the wafer foundry sector.&lt;/p&gt;




&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The investment case for Samsung Electronics and SK Hynix in 2026 rests on more than a favorable pricing cycle. It reflects a structural realignment of the global technology supply chain in which memory has moved from the periphery to the center of AI infrastructure. The three forces identified here—supply scarcity that has inverted buyer-seller relationships, the memory-intensity escalation driven by agentic AI architectures, and Korea's geopolitical and manufacturing advantages—are mutually reinforcing and unlikely to dissipate quickly.&lt;/p&gt;

&lt;p&gt;For investors, the question is not whether memory is important to AI—that is now beyond dispute. The question is whether the market has fully priced in how long this importance will persist, and how deeply it will reshape the financial profiles of the two Korean companies that sit at the nexus of the AI memory bottleneck.&lt;/p&gt;




&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;This column is part of the &lt;a href="https://github.com/gameworkerkim/vibe-investing/" rel="noopener noreferrer"&gt;Vibe Investing&lt;/a&gt; repository.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Vibe Investing&lt;/strong&gt; is a curated space dedicated to the intersection of artificial intelligence and investment. It houses AI-powered market analysis columns and trading tools—including Harness Quant v2 and the Earnings Momentum Agent—covering global markets such as the NASDAQ, S&amp;amp;P 500, and cryptocurrencies. The repository explores how AI transforms the way we understand, predict, and act on financial markets.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  About the Author
&lt;/h2&gt;

&lt;h1&gt;
  
  
  Dennis Kim
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Dennis Kim&lt;/strong&gt; is a quantitative analyst and AI researcher operating at the convergence of artificial intelligence and global financial markets. Over a two-decade career, he has moved fluidly between roles few people combine in one résumé: software engineer, security expert, technology executive, and published columnist.&lt;/p&gt;

&lt;p&gt;He served as &lt;strong&gt;CEO of Cyworld&lt;/strong&gt; (CyworldZ), steering one of Korea's most iconic social platforms, and built his foundation as a hands-on &lt;strong&gt;programmer&lt;/strong&gt; with deep roots in the game security industry. Microsoft recognized his technical leadership with the &lt;strong&gt;Azure MVP&lt;/strong&gt; award for nine consecutive years (&lt;strong&gt;2015–2023&lt;/strong&gt;), and he remains an active &lt;strong&gt;cyber threat intelligence and security expert&lt;/strong&gt;, publishing multilingual threat research read across the industry.&lt;/p&gt;

&lt;p&gt;As a &lt;strong&gt;columnist&lt;/strong&gt;, Dennis writes for both technical and general audiences, translating complex macroeconomic narratives and AI-driven signals into clear, actionable insight. Today, much of that work lives in his &lt;strong&gt;Vibe Investing&lt;/strong&gt; repository, where he publishes deep-dive investment columns and develops AI-driven trading systems—turning the noise of markets and machine learning into a coherent investment edge.&lt;/p&gt;

&lt;p&gt;His current focus sits squarely on the future he's spent his career preparing for: &lt;strong&gt;the fusion of AI and financial markets&lt;/strong&gt;, where engineering rigor, security discipline, and market intuition meet.&lt;/p&gt;

&lt;p&gt;Connect on LinkedIn: testcode&lt;br&gt;
&lt;a href="https://github.com/gameworkerkim/vibe-investing/tree/main/02.Investment%20Idea%20Column/AI_Revolution" rel="noopener noreferrer"&gt;GitHub&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>samsung</category>
      <category>hynix</category>
      <category>nvidia</category>
    </item>
    <item>
      <title>DPRK Hacking Trends 2026: AI‑Powered Supply Chain and Developer Environment Attacks</title>
      <dc:creator>Dennis Kim</dc:creator>
      <pubDate>Thu, 21 May 2026 14:07:29 +0000</pubDate>
      <link>https://forem.com/denniskim/dprk-hacking-trends-2026-ai-powered-supply-chain-and-developer-environment-attacks-4d2k</link>
      <guid>https://forem.com/denniskim/dprk-hacking-trends-2026-ai-powered-supply-chain-and-developer-environment-attacks-4d2k</guid>
      <description>&lt;h1&gt;
  
  
  DPRK Hacking Trends 2026: AI‑Powered Supply Chain and Developer Environment Attacks
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Date:&lt;/strong&gt; 2026-05-21 | &lt;strong&gt;TLP:CLEAR&lt;/strong&gt; | &lt;strong&gt;Report ID:&lt;/strong&gt; CTI-2026-0521-DPRK-TRENDS&lt;/p&gt;

&lt;p&gt;North Korean state‑sponsored hacking groups (Lazarus, Famous Chollima, Kimsuky and their sub‑groups) have entered a new phase of operation in 2026. Three distinct but interconnected trends define their current playbook: &lt;strong&gt;industrialised supply chain attacks&lt;/strong&gt;, &lt;strong&gt;AI‑enabled intrusion campaigns&lt;/strong&gt;, and &lt;strong&gt;direct targeting of the developer environment&lt;/strong&gt; (npm, VS Code, IDEs). Together, these axes form a single, converged workflow that begins with fake job interviews and ends with the theft of cryptocurrency, code‑signing certificates, and credentials from downstream customers.&lt;/p&gt;




&lt;h2&gt;
  
  
  1. Supply Chain Attacks – Reaching the Unreachable
&lt;/h2&gt;

&lt;p&gt;In March 2026, the Lazarus Group (BlueNoroff) socially engineered the lead maintainer of &lt;code&gt;axios&lt;/code&gt; – a JavaScript HTTP client with ~70 million weekly downloads – and published two malicious versions (v1.14.1 and v0.30.4). The blast radius was extraordinary: OpenAI’s macOS app‑signing GitHub Actions workflow pulled the infected version, giving the attackers access to the code‑signing certificates for ChatGPT Desktop and Codex without ever touching OpenAI’s own systems. The malicious packages were removed within hours, but because &lt;code&gt;axios&lt;/code&gt; resides in approximately 80% of cloud and code environments and is downloaded about 100 million times per week, exposure was rapid, reaching about 3% of affected environments.&lt;/p&gt;

&lt;p&gt;Only weeks later, on April 30, 2026, PyTorch Lightning – one of the world’s most widely used AI/ML frameworks – was found compromised in a supply chain attack designed to steal credentials. Security experts now characterise these incidents not as one‑off backdoors but as &lt;strong&gt;industrialised supply chain campaigns&lt;/strong&gt;, urging defenders to treat supply chain security as seriously as application security.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. AI‑Enabled Attacks – Collapsing the Barrier to Entry
&lt;/h2&gt;

&lt;p&gt;The most notable AI‑driven case is &lt;strong&gt;HexagonalRodent&lt;/strong&gt; (Expel‑TA‑0001), a subgroup within the Famous Chollima / Lazarus ecosystem. Over three months, the group targeted more than 2,000 developers working on cryptocurrency, NFT, and Web3 projects and is estimated to have stolen roughly &lt;strong&gt;$12 million&lt;/strong&gt; using AI‑generated malware and phishing infrastructure.&lt;/p&gt;

&lt;p&gt;Marcus Hutchins, the researcher who discovered the group, noted that the most striking thing about the campaign was not its sophistication but how AI tools let an apparently unsophisticated group carry out a profitable operation. They “vibe coded” nearly every part of their intrusion campaign – from writing malware to building fake company websites – using OpenAI, Cursor, and Anima. AI lowered the barrier to entry so dramatically that tasks once requiring fluent language skills, sophisticated code modification, and careful persona management have now been partially “outsourced” to commercial AI tools.&lt;/p&gt;

&lt;p&gt;AI is also used at the intrusion stage: Famous Chollima employs AI deepfakes and stolen identities in fake job interviews to infiltrate crypto and Web3 companies. Kimsuky used ChatGPT to generate a fake South Korean military ID (bypassing platform restrictions) and ran a phishing campaign targeting journalists, researchers, and human rights workers.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. Attacks on the Developer Environment – The New Perimeter
&lt;/h2&gt;

&lt;p&gt;The &lt;strong&gt;Contagious Interview&lt;/strong&gt; campaign, ongoing since November 2023, is the representative case. DPRK‑linked actors uploaded 197 new malicious npm packages distributing an updated &lt;strong&gt;OtterCookie&lt;/strong&gt; variant, accumulating over 31,000 downloads. The campaign targets developers on Windows, Linux, and macOS – especially those in crypto and Web3. The attack structure is a compartmentalised “factory”: GitHub for source control, Vercel for payload staging, npm for distribution, and a separate C2 tier.&lt;/p&gt;

&lt;p&gt;Installing a malicious package triggers a connection to a hardcoded Vercel URL and retrieval of OtterCookie, which evades VMs and sandboxes before providing a remote shell and enabling clipboard theft, keystroke logging, and theft of browser credentials and crypto wallet data. The latest variant (tracked since October 2025) introduces much heavier obfuscation – hiding strings, URLs, and logic through encoded index lookups and shuffled arrays – making static and signature‑based detection substantially harder.&lt;/p&gt;

&lt;p&gt;The HexagonalRodent case shows the next step in this evolution: using the &lt;strong&gt;IDE itself&lt;/strong&gt; as the execution trigger. Attackers post high‑paying roles on LinkedIn and Web3 recruitment platforms, luring job seekers into malware‑laced “skills tests” that abuse VS Code’s &lt;code&gt;tasks.json&lt;/code&gt; feature, so that malicious code auto‑executes the moment the victim opens the project folder. In early 2026, HexagonalRodent also compromised the popular VS Code extension &lt;strong&gt;“fast‑draft”&lt;/strong&gt; to distribute OtterCookie, the first confirmed instance of this subgroup conducting a supply chain attack, which suggests it is expanding its methods and growing in technical confidence.&lt;/p&gt;

&lt;h2&gt;
  
  
  4. Synthesis – The Converged Workflow
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Stage&lt;/th&gt;
&lt;th&gt;Tactic&lt;/th&gt;
&lt;th&gt;Representative Tools / Cases&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Access&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Fake recruitment/interviews, deepfake identity&lt;/td&gt;
&lt;td&gt;Famous Chollima, fake Lever job portal&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Weaponisation&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Mass‑produce malware/phishing infrastructure with AI&lt;/td&gt;
&lt;td&gt;ChatGPT, Cursor, Anima&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Execution&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Trigger via dev environment (npm / VS Code)&lt;/td&gt;
&lt;td&gt;OtterCookie, BeaverTail, &lt;code&gt;tasks.json&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Propagation&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Penetrate trusted packages → downstream&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;axios&lt;/code&gt;, &lt;code&gt;fast-draft&lt;/code&gt;, PyTorch Lightning&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Monetisation&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Credential/wallet theft&lt;/td&gt;
&lt;td&gt;$12M (HexagonalRodent), Bitrefill, etc.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The most important insight is &lt;strong&gt;not&lt;/strong&gt; the “AI‑built super hacker” narrative. The most credible part of the story is that DPRK‑linked operators are using AI as a &lt;strong&gt;force multiplier&lt;/strong&gt; within already‑proven social‑engineering and developer‑compromise workflows. AI did not invent new attacks; it acts as an amplifier that explosively scales the volume, speed, and accessibility of existing attacks.&lt;/p&gt;

&lt;h2&gt;
  
  
  5. Key Recommendations for Defenders
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Area&lt;/th&gt;
&lt;th&gt;Recommendation&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Developer Protection&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Make recruitment/coding‑test‑disguised approaches a core security‑training scenario. Mandate isolated environments (VM/container) before running “take‑home assignments”.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Dev Environment&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Review VS Code &lt;code&gt;tasks.json&lt;/code&gt; auto‑execution, verify IDE extension provenance, enforce trusted‑workspace policies.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Supply Chain&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Use lockfile/hash verification for npm/PyPI dependencies, minimise secret access in build/signing pipelines (GitHub Actions), adopt SBOM.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Detection Signals&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Monitor unexpected clipboard access, keylogging, screenshot capture, system profiling, anomalous User‑Agents.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Credentials&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Treat developer workstation compromise as a potential funds‑loss event; on compromise, immediately revoke code‑signing certs and wallet keys.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;AI Abuse&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Log internal AI tool usage; when adversarial AI abuse is identified, use vendor reporting channels (OpenAI, Cursor, etc.).&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  Full Report
&lt;/h2&gt;

&lt;p&gt;For the complete Cyber Threat Intelligence (CTI) report – including detailed technical indicators, subgroup mapping, and all source references – please see the original analysis:&lt;/p&gt;

&lt;p&gt;🔗 &lt;strong&gt;&lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT/blob/main/CTI-2026-0521-DPRK-TRENDS_EN.md" rel="noopener noreferrer"&gt;DPRK‑Linked Cyber Threat Trends H1 2026 – Full CTI Report (GitHub)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This post is based on open‑source intelligence (OSINT) and research from Expel, Microsoft, Mandiant, Socket, and other public sources. It is intended for defensive, educational, and policy purposes only.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
      <category>northkorea</category>
      <category>dprk</category>
    </item>
    <item>
      <title>YellowKey: How One Anonymous Researcher Broke Enterprise BitLocker</title>
      <dc:creator>Dennis Kim</dc:creator>
      <pubDate>Thu, 21 May 2026 09:54:47 +0000</pubDate>
      <link>https://forem.com/denniskim/yellowkey-how-one-anonymous-researcher-broke-enterprise-bitlocker-fof</link>
      <guid>https://forem.com/denniskim/yellowkey-how-one-anonymous-researcher-broke-enterprise-bitlocker-fof</guid>
      <description>&lt;p&gt;&lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT/blob/main/CTI-2026-0521-YELLOWKEY_EN.md" rel="noopener noreferrer"&gt;full report&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;TL;DR&lt;/strong&gt; — On May 20, 2026, Microsoft shipped &lt;em&gt;interim mitigations&lt;/em&gt; — not a patch — for &lt;strong&gt;YellowKey (CVE-2026-45585)&lt;/strong&gt;, a zero-day that bypasses BitLocker full-disk encryption. The flaw is real and confirmed. But the part that should keep security teams up at night isn't the bug. It's &lt;em&gt;how the world learned about it&lt;/em&gt;: an anonymous researcher published a working PoC on GitHub before any fix existed, leaving every affected enterprise exposed with nothing but manual workarounds.&lt;/p&gt;

&lt;p&gt;📄 &lt;strong&gt;Full technical report (EN):&lt;/strong&gt; &lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT/blob/main/CTI-2026-0521-YELLOWKEY_EN.md" rel="noopener noreferrer"&gt;CTI-2026-0521-YELLOWKEY_EN.md →&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  The headline everyone read — and the one they should have
&lt;/h2&gt;

&lt;p&gt;The technical headline is easy: &lt;em&gt;BitLocker bypassed, CVSS 6.8, physical access required.&lt;/em&gt; For a lot of people that reads as "medium severity, niche attack, move on."&lt;/p&gt;

&lt;p&gt;That framing misses the actual event. The damaging thing here wasn't a clever flaw in disk encryption. It was a &lt;strong&gt;deliberate decision by one anonymous person to detonate it in public&lt;/strong&gt; — no coordinated disclosure, no patch window, no warning to defenders. Microsoft said so directly in its advisory: the PoC release violated responsible-disclosure best practice.&lt;/p&gt;

&lt;p&gt;So let's talk about that, because it's the part of this story that scales beyond one CVE.&lt;/p&gt;




&lt;h2&gt;
  
  
  What YellowKey actually does (briefly)
&lt;/h2&gt;

&lt;p&gt;The full chain is in the &lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT/blob/main/CTI-2026-0521-YELLOWKEY_EN.md" rel="noopener noreferrer"&gt;technical report&lt;/a&gt;, but the short version:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It doesn't break BitLocker's crypto. It abuses the &lt;strong&gt;trust assumptions of the Windows Recovery Environment (WinRE)&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;An attacker drops a crafted &lt;code&gt;FsTx&lt;/code&gt; file on a USB drive or EFI partition, boots the target into WinRE, and holds &lt;code&gt;Ctrl&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;A Transactional NTFS replay lets one volume's &lt;code&gt;\System Volume Information\FsTx&lt;/code&gt; directory modify &lt;em&gt;another&lt;/em&gt; volume — deleting &lt;code&gt;winpeshl.ini&lt;/code&gt; and spawning an unrestricted shell over the encrypted disk.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;No malware install. No stolen credentials. No network. Just &lt;strong&gt;physical access to the device&lt;/strong&gt; — exactly the scenario BitLocker exists to protect against.&lt;/p&gt;

&lt;p&gt;As researcher Will Dormann noted after confirming the PoC works, the deeper problem isn't even the TPM-only bypass — it's that one volume's recovery directory can reach across and modify another. That's a structural trust failure, not a configuration mistake.&lt;/p&gt;




&lt;h2&gt;
  
  
  Why "physical access required" is &lt;em&gt;not&lt;/em&gt; the comfort blanket it sounds like
&lt;/h2&gt;

&lt;p&gt;Defenders love to downgrade physical-access bugs. "Attacker needs the laptop in hand — low risk."&lt;/p&gt;

&lt;p&gt;Tell that to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The exec whose laptop is stolen from a hotel room.&lt;/li&gt;
&lt;li&gt;The field engineer who leaves a device in a rental car.&lt;/li&gt;
&lt;li&gt;The fleet of unattended kiosks, lab machines, and conference-room PCs.&lt;/li&gt;
&lt;li&gt;Every "we wiped it remotely, we're fine" assumption that BitLocker was supposed to make true.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;BitLocker's &lt;em&gt;entire job&lt;/em&gt; is to make a lost or stolen device a non-event. YellowKey turns that guarantee back into a question mark — and it hits hardest on &lt;strong&gt;TPM-only&lt;/strong&gt; configurations, which most enterprises run by default because nobody wants to type a PIN at every boot.&lt;/p&gt;

&lt;p&gt;That's not a niche edge case. That's the default config of a huge slice of corporate Windows fleets.&lt;/p&gt;




&lt;h2&gt;
  
  
  The real damage: disclosure without a patch
&lt;/h2&gt;

&lt;p&gt;Here's the chain of consequences the anonymous researcher actually set in motion:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Zero patch, all liability.&lt;/strong&gt;&lt;br&gt;
Microsoft's response was &lt;em&gt;mitigations&lt;/em&gt;, not a fix. Affected orgs got two options: surgically edit WinRE images across their entire fleet, or migrate TPM-only devices to TPM+PIN. Both are operational projects, not a Patch Tuesday checkbox.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. The clock started for the attacker, not the defender.&lt;/strong&gt;&lt;br&gt;
With a working PoC on GitHub, the knowledge is now symmetric. Every opportunistic thief, insider, and red-team-gone-rogue has the recipe — &lt;em&gt;before&lt;/em&gt; most enterprises have finished inventorying which machines are even vulnerable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. The recommended fix may not even hold.&lt;/strong&gt;&lt;br&gt;
The same actor has &lt;em&gt;claimed&lt;/em&gt; to hold a separate PoC that bypasses TPM+PIN. So the "recommended" mitigation is, by the researcher's own framing, possibly a speed bump. Defenders are being asked to do expensive fleet-wide work against a moving target.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. It normalizes protest-disclosure.&lt;/strong&gt;&lt;br&gt;
This wasn't a one-off. The actor — "Chaotic Eclipse" / Nightmare-Eclipse — has a track record (BlueHammer, RedSun) of dropping zero-days as a &lt;em&gt;protest&lt;/em&gt; against how Microsoft's MSRC handles reports. That's a campaign, not an accident. And it tells every other frustrated researcher that unilateral disclosure is a viable way to be heard.&lt;/p&gt;




&lt;h2&gt;
  
  
  The uncomfortable both-sides of it
&lt;/h2&gt;

&lt;p&gt;I want to be fair here, because this isn't purely a villain story.&lt;/p&gt;

&lt;p&gt;Researchers go full-disclosure for reasons that aren't always petty: slow vendor triage, lowballed severity ratings, bugs sitting unpatched for months while the vendor sits on them. The disclosure debate has been running since the 1990s precisely because &lt;strong&gt;vendors have, repeatedly, earned researchers' distrust.&lt;/strong&gt; Coordinated disclosure only works when both sides hold up their end.&lt;/p&gt;

&lt;p&gt;But "the vendor is sometimes bad at this" doesn't make "publish a weaponized PoC for an unpatched encryption bypass" a defensible move. The cost of that decision didn't land on Microsoft. It landed on every IT and security team that now has to scramble — and on every user whose stolen laptop is now genuinely readable.&lt;/p&gt;

&lt;p&gt;The asymmetry is the whole point: &lt;strong&gt;one person's protest, distributed across thousands of organizations' incident response budgets.&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  What to actually do this week
&lt;/h2&gt;

&lt;p&gt;If you run Windows 11 (24H2 / 25H2 / 26H1) or Server 2025, the &lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT/blob/main/CTI-2026-0521-YELLOWKEY_EN.md" rel="noopener noreferrer"&gt;full report&lt;/a&gt; has the detailed steps, but the priority order:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Inventory.&lt;/strong&gt; Find every affected build, and flag every TPM-only BitLocker device first.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Triage by physical risk.&lt;/strong&gt; Execs, travelers, field staff, anything that leaves the building — those go first.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Move to TPM+PIN&lt;/strong&gt; via Intune/GPO. Treat it as the front-line blocker, &lt;em&gt;not&lt;/em&gt; the final answer.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Test WinRE image edits before deploying.&lt;/strong&gt; This is a recovery-image change, not a normal patch — it can brick recovery if you rush it.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Re-check physical security and lost/stolen device procedures.&lt;/strong&gt; YellowKey is a reminder that "encrypted == safe" was always conditional.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Watch for the official patch and for the same actor's next drop.&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;




&lt;h2&gt;
  
  
  The takeaway
&lt;/h2&gt;

&lt;p&gt;YellowKey is a medium-CVSS bug with an outsized blast radius — and the blast radius is almost entirely a function of &lt;em&gt;how it was disclosed&lt;/em&gt;, not how severe the flaw is on paper.&lt;/p&gt;

&lt;p&gt;The technical lesson is "audit your recovery environment's trust assumptions." The bigger lesson is that &lt;strong&gt;the disclosure model is a security control too&lt;/strong&gt; — and when one anonymous actor decides to opt out of it, the cost is socialized across everyone running the affected software.&lt;/p&gt;

&lt;p&gt;Defenders don't get to choose the disclosure model. We just get the bill.&lt;/p&gt;




&lt;p&gt;📄 &lt;strong&gt;Full technical CTI report (English):&lt;/strong&gt;&lt;br&gt;
👉 &lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT/blob/main/CTI-2026-0521-YELLOWKEY_EN.md" rel="noopener noreferrer"&gt;CTI-2026-0521-YELLOWKEY_EN.md&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;🇰🇷 &lt;strong&gt;Korean version:&lt;/strong&gt;&lt;br&gt;
👉 &lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT/blob/main/CTI-2026-0521-YELLOWKEY_KR.md" rel="noopener noreferrer"&gt;CTI-2026-0521-YELLOWKEY_KR.md&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This post is based on an independent, OSINT-based CTI report. It is intended solely for educational, defensive, and research purposes. It does not represent the official position of any referenced organization, and the author assumes no liability for direct or indirect use of this material.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;© 2026 Dennis Kim (HoKwang Kim)&lt;/strong&gt; · Cyber Threat Intelligence Division&lt;br&gt;
&lt;a href="mailto:gameworker@gmail.com"&gt;gameworker@gmail.com&lt;/a&gt; · &lt;a href="https://github.com/gameworkerkim/" rel="noopener noreferrer"&gt;github.com/gameworkerkim&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
      <category>microsoft</category>
    </item>
    <item>
      <title>I rebuilt 18 billion photos. Now I hunt threats.</title>
      <dc:creator>Dennis Kim</dc:creator>
      <pubDate>Wed, 20 May 2026 13:13:04 +0000</pubDate>
      <link>https://forem.com/denniskim/i-rebuilt-18-billion-photos-now-i-hunt-threats-42jd</link>
      <guid>https://forem.com/denniskim/i-rebuilt-18-billion-photos-now-i-hunt-threats-42jd</guid>
      <description>&lt;p&gt;Hi DEV community 👋&lt;/p&gt;

&lt;p&gt;I'm Dennis Kim (Kim HoKwang). I've been building things on the internet for a long time, and I just realized most of that work has never had an English-language home. So here it is — a quick hello and what I plan to write about.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The short version of my path&lt;/strong&gt;&lt;br&gt;
&lt;strong&gt;I helped run one of the world's first social networks.&lt;/strong&gt; Long before Facebook, there was Cyworld — a Korean SNS that defined an entire generation's online life. I served as its CTO-side lead during a critical chapter, and one project still stands out as the hardest engineering problem I've owned:&lt;/p&gt;

&lt;p&gt;Restoring &lt;strong&gt;18 billion photos and 8 million videos&lt;/strong&gt; from Cyworld's archives.&lt;/p&gt;

&lt;p&gt;If you've ever migrated a database and felt the pressure of "don't lose a single row," multiply that by people's actual memories — first days of school, weddings, kids growing up. That job rewired how I think about data integrity, storage at scale, and the human weight behind the bytes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I've spent my time since&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Microsoft Azure MVP (2015–2023)&lt;/strong&gt;. Eight years in the MVP program, mostly around cloud architecture and helping developers ship on Azure.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Blockchain &amp;amp; Web3 since 2019&lt;/strong&gt;. I build infrastructure and tooling in the Web3 space — the engineering is messy, fast-moving, and exactly the kind of problem I enjoy.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Independent cyber threat intelligence&lt;/strong&gt;. This is where most of my writing energy goes now. I publish OSINT-based CTI reports on supply chain attacks, zero-days, AI/LLM security, and state-backed threat actors.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I'll write about here&lt;/strong&gt;&lt;br&gt;
I want DEV to be the place where I share the practical, developer-facing side of security:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Breakdowns of fresh vulnerabilities — what the attack chain actually is, and what you do Monday morning (patch, mitigate, hunt).&lt;/li&gt;
&lt;li&gt;Notes from the AI/LLM security frontier, including how attackers are starting to use LLMs and "vibe coding" to build tooling at alarming speed.&lt;/li&gt;
&lt;li&gt;The occasional war story from scaling systems and restoring data that people genuinely cared about.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;No fear-mongering, no hype. Defense over noise.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Let's connect&lt;/strong&gt;&lt;br&gt;
I keep an open, OSINT-based threat intelligence archive on GitHub — multilingual reports, free to read and reference:&lt;br&gt;
&lt;/p&gt;
&lt;div class="ltag-github-readme-tag"&gt;
  &lt;div class="readme-overview"&gt;
    &lt;h2&gt;
      &lt;img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"&gt;
      &lt;a href="https://github.com/gameworkerkim" rel="noopener noreferrer"&gt;
        gameworkerkim
      &lt;/a&gt; / &lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT" rel="noopener noreferrer"&gt;
        CYBER-THREAT-INTELLIGENCE-REPORT
      &lt;/a&gt;
    &lt;/h2&gt;
    &lt;h3&gt;
      This report analyzes the collapse of the cyber weapons supply chain and its impact on national security through the case of the Coruna iOS Exploit Kit. Cyber warfare has evolved into a decentralized and commercialized threat ecosystem
    &lt;/h3&gt;
  &lt;/div&gt;
  &lt;div class="ltag-github-body"&gt;
    
&lt;div id="readme" class="md"&gt;
&lt;div class="markdown-heading"&gt;
&lt;h1 class="heading-element"&gt;Cyber Threat Intelligence Report&lt;/h1&gt;
&lt;/div&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Independent Cyber Threat Intelligence Report Archive&lt;/strong&gt;
&lt;em&gt;Independent Cyber Threat Intelligence Archive · OSINT-based Defensive Research&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;Language:&lt;/strong&gt; &lt;strong&gt;Korean&lt;/strong&gt; · &lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT/README_EN.md" rel="noopener noreferrer"&gt;English&lt;/a&gt; · &lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT/README_JP.md" rel="noopener noreferrer"&gt;Japanese&lt;/a&gt; · &lt;a href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT/README_CN.md" rel="noopener noreferrer"&gt;Chinese&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;This repository is an independent archive that collects and publishes &lt;strong&gt;open cyber threat intelligence (Open CTI) reports&lt;/strong&gt; for defensive, research, and policy-making purposes. All reports are OSINT-based and do not represent the official position of any specific organization, agency, or country.&lt;/p&gt;

&lt;div class="markdown-heading"&gt;
&lt;h2 class="heading-element"&gt;About the Analyst&lt;/h2&gt;
&lt;/div&gt;
&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Name&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Dennis Kim (김호광 / HoKwang Kim)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Role&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;CEO, Betalabs Inc. · former Cyworld Z CEO · Independent Threat Intelligence Analyst · Microsoft Azure MVP&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Areas of expertise&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Web3 and blockchain security, supply chain attacks, the zero-day ecosystem, North Korean and state-backed threats, AI/LLM security, MCP security&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Email&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="mailto:gameworker@gmail.com"&gt;gameworker@gmail.com&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;GitHub&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://github.com/gameworkerkim/" rel="noopener noreferrer"&gt;@gameworkerkim&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;div class="markdown-heading"&gt;
&lt;h2 class="heading-element"&gt;Latest Reports — Featured&lt;/h2&gt;

&lt;/div&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Published 2026-05-20: four simultaneous alerts in a single week&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;In May's third…&lt;/p&gt;
&lt;/div&gt;
  &lt;/div&gt;
  &lt;div class="gh-btn-container"&gt;&lt;a class="gh-btn" href="https://github.com/gameworkerkim/CYBER-THREAT-INTELLIGENCE-REPORT" rel="noopener noreferrer"&gt;View on GitHub&lt;/a&gt;&lt;/div&gt;
&lt;/div&gt;


&lt;p&gt;&lt;strong&gt;GitHub&lt;/strong&gt;: github.com/gameworkerkim&lt;br&gt;
&lt;strong&gt;LinkedIn&lt;/strong&gt;: testcode&lt;/p&gt;

&lt;p&gt;If you work in security, cloud, or Web3 — or you just like a good data-recovery story — say hi in the comments. I'd love to know what you're building.&lt;br&gt;
Thanks for reading, and glad to be here. 🙏&lt;/p&gt;

</description>
      <category>introduction</category>
      <category>security</category>
      <category>blockchain</category>
      <category>career</category>
    </item>
  </channel>
</rss>
