South Korea’s Cyber Investigation Unit of the Seoul Metropolitan Police Agency announced Thursday it would refer to prosecutors a Chinese national facing 18 charges, including violations of the Act on the Aggravated Punishment of Specific Economic Crimes, for leading a hacking syndicate that stole 48.4 billion won (approximately $31.9 million) from victims across Korea over three years. Among those targeted was Jungkook, vocalist for K-pop group BTS, whose securities account was breached in January 2024 while he was completing mandatory military service; the group attempted to transfer 33,500 HYBE shares worth approximately 8.4 billion won before Big Hit Music, his management company, and financial institutions detected the unauthorized activity and froze the account.
Two ringleaders, both Chinese nationals who knew each other from school, commanded more than 30 members operating across China and Thailand. Their lasting legacy is what their operation revealed about Korea’s mobile infrastructure: the syndicate’s second phase bypassed hardened carrier defenses by exploiting the non-face-to-face activation portals of budget mobile carriers, opening 122 fraudulent SIM cards under stolen identities and draining 39.5 billion won before investigators closed in. Korea’s regulatory fix for that specific vulnerability is still in an extended trial period as prosecutors receive the case this week.
Inside a 48 Billion Won Operation
The agency committed 55 investigators to the case across just under four years. The syndicate targeted 271 people and successfully defrauded 28 of them. The ringleader identified only as A, a 40-year-old Chinese national, was extradited from Bangkok to Incheon International Airport on May 13 after Thai courts approved an extradition request filed by Korea’s Ministry of Justice in August 2025, following an emergency provisional detention Thailand executed on Korea’s behalf the previous May.
His co-leader, identified as B, a 36-year-old Chinese national, was extradited and taken into custody in August 2025, indicted in September, and is currently standing trial. Both ringleaders will be referred to prosecutors Friday alongside the 30 other organization members already processed in earlier investigation phases. Ringleader A faces 18 charges; B gains an additional SIM cloning count with this referral. Police classified the case as “a new type of crime that is difficult to find precedents globally.”
Investigators described the organization as deliberately tiered: two leaders supervising managers, operatives, and money-laundering specialists across a workforce of roughly 32 people drawn from varied backgrounds, including university students, self-employed workers, and unemployed individuals. Operations ran across two countries, coordinating out of China with on-the-ground execution in Thailand. The two leaders reportedly knew each other from their school days, a personal bond that police said helped sustain the group’s cohesion over nearly four years.
In total, the syndicate targeted assets worth 73.4 billion won. Of that sum, 48.4 billion won was stolen and 25 billion won in attempted thefts was blocked through suspicious-transaction detection at financial institutions and coordinated account freezes. One victim in Phase 2 absorbed by far the single largest individual loss in the case, a figure police noted happened to equal the total sum eventually recovered and returned across all victims combined.

SIM Cloning to Ghost SIMs: A Two-Phase Attack
The syndicate’s approach changed when Korea’s major telecommunications providers tightened their network-level controls. Rather than disbanding, the group pivoted from one attack method to another, treating the mobile authentication layer as an engineering challenge with multiple solutions. What emerged was a two-stage campaign spanning three years, with the second phase proving four times more destructive than the first in monetary terms.
| | Phase 1: SIM Cloning | Phase 2: Ghost SIM Activations |
|---|---|---|
| Period | May 2022 to June 2024 | July 2023 to April 2025 |
| Method | Copied SIM authentication data onto blank cards (twin SIMs) | Hacked MVNO activation portals; opened new SIMs under stolen identities |
| Identities compromised | 13 SIM credentials cloned | 92 people; 122 SIM cards opened |
| Victims defrauded | 4 | 24 |
| Amount stolen | 8.9 billion won (cryptocurrency) | 39.5 billion won |
SIM cloning worked by exploiting SMS-based two-factor authentication (2FA, a security step that routes one-time verification codes to the user’s registered phone number). Once the group had a cloned card carrying a victim’s unique credentials, that 2FA barrier vanished, because verification codes sent to the victim’s number could be received on the cloned card. Four victims lost 8.9 billion won in cryptocurrency, drained before exchanges and platforms flagged the activity.
Phase 2 was structurally different. Instead of copying existing SIM credentials, the group registered entirely new SIM cards under stolen names by hacking non-face-to-face activation portals at budget carriers. Running parallel to those registrations, the syndicate also breached more than 10 public and private platforms to harvest financial credentials from 195 individuals, a data acquisition campaign that supplied both the authentication tokens and the account targets it needed to execute theft at far greater scale. Twenty-four victims were defrauded; one alone absorbed losses that eclipsed the entire Phase 1 total.
Budget Carriers, Big Holes
MVNOs (mobile virtual network operators, budget carriers that lease spectrum from Korea’s three major telcos) compete on price and convenience. Their non-face-to-face activation portals let customers sign up, scan an ID online, and activate a SIM without visiting a store. Korea’s National Police Agency reported that MVNOs accounted for 89,927 of the 97,399 ghost phone cases recorded nationally in 2024, or 92.3 percent, a figure that had already drawn regulatory scrutiny before this case concluded. The syndicate hacked more than 10 such portals during Phase 2 and used them to open SIM cards across 92 stolen identities, with 122 cards registered in total because some victims had multiple fraudulent lines opened in their names. Their operation was not an anomaly in Korea’s fraud landscape; it was a concentrated version of a documented, systemic gap in the budget-carrier authentication stack that investigators and regulators alike had recognized for years.
The context stretches wider. In April 2025, attackers infiltrated SK Telecom’s network and exfiltrated over nine gigabytes of SIM-related authentication data tied to approximately 25 million subscribers, including customers of SKT’s MVNO partners. South Korea’s Personal Information Protection Commission later imposed a record fine of 134.8 billion won on the carrier, citing basic security failures. The two cases share no direct operational link. Both point to the same underlying layer: a mobile authentication infrastructure that has proven, in separate major incidents, easier to breach than the financial and identity systems built on top of it.
Targets Selected for Silence
The syndicate’s victim list was not assembled at random. Police said the group specifically sought individuals whose financial losses were unlikely to be detected quickly or reported promptly, a selection criterion that extended the gap between each successful theft and any institutional response.
- Military conscripts completing mandatory service, with limited civilian phone access and reduced account oversight. Jungkook entered his service in December 2023 and was targeted the following month.
- Prisoners, whose communication rights are restricted and whose financial monitoring is typically delegated to others.
- Deceased individuals, whose accounts may remain unmonitored for extended periods after death.
- High-ranking corporate executives, whose financial activity is often managed by assistants or third parties, delaying direct personal detection of irregularities.
- Cryptocurrency investors, who face less standardized institutional transaction monitoring than holders of conventional bank accounts.
Among confirmed victims were 10 senior corporate executives, three celebrities and influencers, three cryptocurrency investors, and three individuals connected to companies in Korea’s top 100 conglomerates. The overlap between the stated targeting logic and the confirmed victim profile was near-complete, suggesting the selection criteria held up in practice across nearly four years of operation.
The attempt on HYBE shares associated with Jungkook illustrates the ceiling the group set for itself. An 8.4 billion won position in a single transaction required advance preparation of account credentials and a window when the account’s legitimate owner had limited ability to monitor or respond. That the attempt failed came down to real-time detection at financial institutions and Big Hit Music’s prompt account freeze, not any structural difficulty in executing the attempt.
Of 271 targeted individuals, 28 were successfully defrauded. Against a curated list of financially prominent Koreans, that conversion rate reflects selection precision as much as technical capability.
What the Numbers Say About Recovery
Police froze accounts containing 12.8 billion won during the active investigation. Through a combination of payment holds, suspicious-transaction detection at financial institutions, and Interpol coordination in tracing criminal proceeds held overseas, the Seoul Metropolitan Police Agency ultimately returned approximately 21.3 billion won to victims across the case.
- 73.4 billion won — total assets the syndicate targeted across both operational phases
- 25 billion won — value of attempted thefts stopped before funds were transferred
- 12.8 billion won — frozen in accounts during the investigation
- 21.3 billion won — returned to victims through payment freezes and transaction detection
Recovery in Phase 1 was harder to execute. The four SIM-cloning victims lost 8.9 billion won primarily in cryptocurrency, where the absence of a traditional financial intermediary and the pseudonymous structure of blockchain transactions make asset tracing and seizure significantly more complex than with conventional bank transfers. By the time law enforcement flagged the on-chain movements, most of those funds had already been converted or moved across multiple wallets.
Overall, victims absorbed net losses of approximately 27.1 billion won after recoveries. Distribution was sharply unequal: the largest single victim’s loss equaled the total amount recovered for all 28 defrauded victims combined, meaning the headline recovery figure conceals how unevenly the damage fell across individual cases.
Korea’s Authentication Overhaul
Korea’s Ministry of Science and ICT required all three major carriers (SK Telecom, KT, and LG Uplus) and all MVNOs to apply facial authentication to both in-person and non-face-to-face mobile activations, comparing an applicant’s ID photo against a real-time facial image at the point of signup. A pilot launched December 23 with full implementation formally targeted for March 23. On March 20, the Ministry of Science and ICT extended the pilot through June 30 after carriers, the budget phone association, and the mobile distribution association jointly requested at least three additional months, citing the need for supplementary operational guidance to prevent on-site confusion. Under the current rules, if facial authentication fails, activation may still proceed under exception conditions, a carve-out intended to accommodate older users unfamiliar with digital verification but one that creates a secondary path into the activation flow.
Prosecutors receive the case Friday. The same industry stakeholders whose platforms the syndicate spent two years exploiting were the ones who asked for more time to fully close that gap. If the mandate tightens as the extended pilot matures and exceptions contract rather than expand, the non-face-to-face activation channel behind Phase 2 losses becomes structurally harder for a successor group to replicate at scale. If industry requests continue to push the enforcement timeline out, the same door stays open longer than anyone intends.


