SKT SIM Breach: Why Changing Your SIM Doesn’t End the Attack
SKT’s massive SIM data breach may have prompted a nationwide card replacement, but that doesn’t mean users are safe. Here’s why attackers can still clone, spoof, and hijack mobile identities—long after the SIM is swapped.
You replaced your SIM card. So why are you still vulnerable?
Following SK Telecom’s mass data breach in April 2025, millions of users responded to the company’s guidance: swap out their old SIM cards for new ones, free of charge. The rationale was simple—by replacing the compromised USIM, the cryptographic keys used to authenticate users on mobile networks would be invalidated. Problem solved, right?
Not quite.
While a new SIM card may break the direct link to a stolen Ki (authentication key), the breach exposed more than just SIM-level credentials. It leaked immutable network identifiers such as IMSI (International Mobile Subscriber Identity) and IMEI (International Mobile Equipment Identity), as well as associated session tokens and potentially app-level credentials. These elements, once exfiltrated, can be exploited long after the SIM card itself has been replaced—sometimes without any direct interaction with the user.
What Hackers Really Took from SK Telecom
At first glance, the SK Telecom breach may appear to be a case of compromised user credentials, similar to email-password leaks or social security number theft. In reality, what was exposed was far more fundamental: the identifiers and cryptographic keys that form the bedrock of mobile network trust.
Foremost among these was the IMSI, or International Mobile Subscriber Identity. This globally unique identifier is used by cellular networks to recognize and authenticate a user’s SIM card. Unlike usernames or passwords, IMSIs are hard-coded into SIM cards and often reused across network generations. Once an IMSI is exposed, it can be targeted by rogue base stations (IMSI catchers), used for passive surveillance, or replayed during authentication handshakes to impersonate a device.
The breach also reportedly included Ki, the authentication key that resides in both the SIM card and the telecom operator’s Authentication Center (AuC). This key is never supposed to be transmitted or exposed—even the network itself doesn't see it directly. Instead, both ends use the Ki to compute and verify cryptographic challenges (via algorithms like Milenage) during the authentication process. If a threat actor obtains the Ki, they can replicate a user’s SIM on a programmable card and gain full access to the mobile network on behalf of the user. This enables SIM cloning, 2FA interception, call and SMS hijacking, and impersonation attacks across systems that trust telecom-based authentication.
Equally critical is the IMEI, the International Mobile Equipment Identity. While not secret, this identifier uniquely ties a SIM to a physical device. Once leaked, the IMEI can be spoofed by attackers to impersonate a user’s device, bypass certain forms of device verification, or defeat application-layer integrity checks.
In many breach scenarios, stolen usernames or passwords can be reset. But identifiers like the IMSI and IMEI are tied directly to hardware and device identity—they are far more difficult to change. The Ki, meanwhile, is cryptographically sacred: once leaked, it breaks the very assumption of trust between the user and the telecom provider.
The implication is stark: the data stolen in the SKT breach wasn’t just sensitive—it was structural. These identifiers operate deep within the mobile authentication stack, and once compromised, they create long-term security exposure that no SIM replacement alone can fully eliminate.
How Hackers Can Still Attack After SIM Replacement
Replacing a SIM card may seem like a definitive way to cut off access to leaked credentials, but in reality, it addresses only a part of the threat surface. For attackers who have already acquired authentication data from SK Telecom’s breach—such as IMSI, Ki, and IMEI—multiple advanced attack vectors remain viable, even after a new SIM has been issued.
One of the most critical post-replacement risks lies in SIM cloning. If an attacker possesses both the IMSI and the corresponding Ki—a cryptographic key used during the authentication process—they can generate a fully functional clone of the victim’s SIM using programmable hardware. This cloned SIM can then be inserted into a rogue device, which will be recognized by the telecom network as legitimate. Through this, attackers can intercept SMS-based two-factor authentication codes, hijack voice calls, and gain unauthorized access to mobile data or services that rely on phone number verification. Because this happens at the network authentication layer, application-level defenses may never even detect the intrusion.
More sophisticated adversaries may opt for network-layer impersonation. By deploying a rogue LTE base station—commonly referred to as a fake eNodeB—using software-defined radio tools, attackers can lure nearby mobile devices into connecting to their system. If they have access to the user's IMSI, they can spoof legitimate network behavior, intercept authentication requests, and even inject manipulated signaling messages into the core telecom infrastructure. This type of attack enables man-in-the-middle interception of real-time authentication traffic, possibly overriding the protections offered by a new SIM card.
Even the IMEI, often dismissed as a non-sensitive identifier, can become a powerful vector in the hands of a skilled attacker. With access to rooted Android devices or specialized spoofing tools, an adversary can emulate the victim’s original device fingerprint, including its IMEI, OS version, and app environment. Many apps use this kind of fingerprinting as a weak layer of security—one that can now be bypassed entirely. In doing so, the attacker can appear as a trusted device and bypass reauthentication procedures, logging into the victim’s applications without raising alarms.
At the application layer, previously stolen access tokens and session credentials also remain dangerous. Attackers who harvested these tokens—whether through malware, man-in-the-middle attacks, or packet injection—can replay them even after the user has replaced their SIM. In practice, many mobile apps do not force session invalidation upon SIM replacement. As long as the bearer token remains valid, the attacker retains access to sensitive user data and services.
Finally, the most persistent threats come from devices that were already compromised before the SIM replacement occurred. Malware embedded in a user’s phone can remain active and continue to harvest data, even after a new SIM is installed. In some cases, these malicious applications can silently forward incoming SMS messages, capture authentication codes, or initiate transactions. This kind of persistence highlights the danger of focusing on SIM credentials alone, while overlooking the broader context of device and application security.
Taken together, these scenarios demonstrate that SIM replacement is not a silver bullet. When attackers gain access to foundational network credentials and device identifiers, they often acquire more than just temporary entry—they gain the means to persist, adapt, and re-infiltrate. Without layered defenses and real-time detection capabilities, users remain at risk long after the compromised SIM is physically removed.
Why Telecom Operators Can’t Detect These Threats—Yet
While telecom providers operate the infrastructure that underpins mobile identity, they are not always equipped to detect or disrupt advanced threat scenarios that unfold after a breach—especially when the attack vectors extend beyond their traditional monitoring scope.
In theory, certain types of anomalous behavior can be detected at the network level. For instance, when a cloned SIM card attempts to authenticate using the same IMSI from multiple geographic locations within a short time frame, telecom systems may flag this as a conflict. Some networks also implement SQN (sequence number) synchronization checks during the AKA (Authentication and Key Agreement) process, which can signal inconsistencies between a legitimate SIM and a cloned one. However, in practice, many networks are not configured for real-time cross-site correlation of authentication anomalies. Attackers often exploit this gap by operating in regions or times where detection is least likely.
Detection becomes even more difficult when it comes to attacks involving fake base stations or signaling manipulation. Rogue eNodeBs can operate at low power, target small areas, and selectively filter for known IMSIs, making them difficult to detect using traditional radio frequency monitoring tools. While some telecoms deploy RF sensors or rely on external intelligence feeds to identify rogue base stations, these measures are typically limited to high-security or urban areas and are not part of standard nationwide infrastructure.
As for IMEI spoofing and application-layer impersonation, telecom operators have virtually no visibility. Once authentication has passed through the network layer, session management and device verification fall squarely into the domain of application providers. Unless a telecom has deployed sophisticated cross-layer threat intelligence systems—linking network activity with application behaviors—it cannot determine whether a spoofed device is impersonating a legitimate user.
Session replay and token abuse also lie outside the telecom’s line of sight. These attacks target the back-end APIs and security models of banks, government services, and digital platforms that rely on telecom-authenticated sessions. Unless these services proactively revalidate sessions upon SIM replacement or implement behavioral biometrics and device reputation scoring, the telecom provider has no role—or ability—to intervene.
In reality, even major telecom operators lack the telemetry, cross-system integration, and legal authority to detect and respond to most post-SIM swap attacks. Threat actors know this and design their campaigns accordingly: targeting systemic gaps between what telecoms secure, what app developers assume, and what users understand.
What’s needed is not just better SIM lifecycle management, but a shift toward multi-layered detection architectures that bridge the divide between the SIM, the device, and the services that depend on them. Until then, telecom providers will remain blind to the most sophisticated attacks exploiting the very identities they were meant to protect.
How to Fix Telecom Security After a Breach
The persistence of risk after a SIM replacement underscores a broader truth: protecting mobile identity requires more than managing physical credentials. It demands a layered, integrated security architecture that spans the network core, the device environment, and the services built atop them. In the wake of the SKT breach, several countermeasures can—and should—be considered to mitigate both current and future threats.
At the telecom level, networks must evolve beyond static authentication and embrace anomaly-aware verification systems. For example, implementing real-time behavioral analytics during authentication can help detect cloned SIM activity by comparing geolocation patterns, signal timing, and device fingerprints. While technologies like EPS-AKA and 5G-AKA support such extensions, most carriers do not actively correlate IMSI authentication requests with contextual data. Integrating ML-driven anomaly detection engines into the HSS or AUSF layers would allow carriers to identify and quarantine suspicious authentication attempts before full network access is granted.
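The network-side checks described above (the same IMSI authenticating from two distant sites within a short window, and an AKA sequence number that goes backwards because two USIMs sharing one identity each keep their own counter) and the anomaly-aware verification just proposed can be illustrated with a small correlation routine. The following is an added example, not code from the article or from SK Telecom; the authentication events are constructed, the IMSIs are placeholders, the 900 km/h "impossible travel" threshold is an assumed policy, and the SQN field is a simplified stand-in for what a resynchronisation report would give the HSS:

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Added example: correlate AKA attempts per IMSI to spot a cloned SIM in use
# alongside the genuine one. Constructed data; IMSI values are placeholders.


@dataclass(frozen=True)
class AuthEvent:
    imsi: str
    ts: int        # epoch seconds of the AKA attempt
    site: str      # label of the serving site (used only in alert text)
    lat: float
    lon: float
    sqn: int       # simplified: the SQN the subscriber side reported in this run


MAX_SPEED_KMH = 900.0   # assumed policy: faster than an airliner is implausible


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two serving sites, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_anomalies(events):
    """Return a list of (kind, imsi, ts, detail) alerts.

    'impossible_travel': the same IMSI authenticated from two sites too far
    apart for the elapsed time, the classic signature of a clone and the real
    SIM being used at once.
    'sqn_regression': an AKA run presented a sequence number at or below one
    already accepted for this IMSI; a single genuine USIM only moves forward.
    """
    alerts = []
    last = {}       # imsi -> previous event for that IMSI
    high_sqn = {}   # imsi -> highest SQN accepted so far
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.imsi)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = max(ev.ts - prev.ts, 1) / 3600.0   # floor at 1 s: no divide-by-zero
            if dist / hours > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", ev.imsi, ev.ts,
                               f"{prev.site}->{ev.site} {dist:.0f} km in {ev.ts - prev.ts}s"))
        if ev.imsi in high_sqn and ev.sqn <= high_sqn[ev.imsi]:
            alerts.append(("sqn_regression", ev.imsi, ev.ts,
                           f"sqn {ev.sqn} <= accepted {high_sqn[ev.imsi]}"))
        else:
            high_sqn[ev.imsi] = ev.sqn
        last[ev.imsi] = ev
    return alerts


# Constructed sample: IMSI ...0001 is genuine in Seoul while a clone authenticates
# from Busan ten minutes later; IMSI ...0002 behaves normally.
SAMPLE_EVENTS = [
    AuthEvent("450XX0000000001", 0, "Seoul-Jongno", 37.57, 126.98, 100),
    AuthEvent("450XX0000000001", 600, "Seoul-Gangnam", 37.50, 127.03, 101),
    AuthEvent("450XX0000000001", 1200, "Busan-Haeundae", 35.18, 129.08, 102),  # clone
    AuthEvent("450XX0000000001", 1800, "Seoul-Jongno", 37.57, 126.98, 101),    # real SIM, stale SQN
    AuthEvent("450XX0000000002", 0, "Daejeon", 36.35, 127.38, 7),
    AuthEvent("450XX0000000002", 3600, "Daejeon", 36.35, 127.38, 8),
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the routine raises two impossible-travel alerts (Seoul to Busan and back, each in ten minutes) and one SQN regression, all on the first IMSI, and nothing for the second. The point of the design is that both signals are only visible when authentication records are correlated per IMSI across sites, which is exactly the cross-site correlation the article notes most networks do not perform in real time.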
In parallel, telecoms should deploy systems that allow for credential revocation beyond the SIM. A compromised Ki should automatically trigger the invalidation of associated IMSI records, and the user should be assigned a new IMSI alongside a new SIM—a process that few operators currently offer at scale. Additionally, the inclusion of hardware-based attestation frameworks, such as Trusted Execution Environments (TEE) or eSIM security modules, would significantly reduce the feasibility of SIM cloning and spoofing attacks by binding credentials to physical hardware.
At the application level, services that depend on telecom-based identity—especially in finance, healthcare, and government—must move toward cryptographically bound device authentication, rather than implicit trust in phone numbers or SMS. OAuth tokens, for instance, should be short-lived and tightly coupled with verifiable device properties. Reauthentication should be mandatory upon SIM swap detection, and session hijacking risks must be mitigated with device integrity checks and telemetry-based risk scoring.
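The application-level measures above (short-lived tokens coupled to verifiable device properties, mandatory reauthentication when a SIM swap is detected, rejection of replayed bearer tokens) can be shown in one verification path. This is an added example, not the code of any bank, app or operator: the HMAC-signed token format, the per-device secret standing in for a TEE-held key, the five-minute lifetime and the SIM identifier strings are all assumptions:

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example: a short-lived session token bound to a device key and to the
# SIM present at login; a copied token fails without the device key, and a SIM
# change revokes the session and forces re-authentication. All values assumed.

SERVER_KEY = secrets.token_bytes(32)   # server-side signing key (constructed)
TOKEN_TTL = 300                        # assumed policy: tokens live five minutes

DEVICE_REGISTRY = {}   # device_id -> per-device secret (stand-in for a TEE key)
REVOKED = set()        # tokens invalidated after a SIM change


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sim_fingerprint(sim_identifier: str) -> str:
    """Bind to a hash so the token never carries the raw IMSI/ICCID."""
    return hashlib.sha256(sim_identifier.encode()).hexdigest()


def enroll_device(device_id: str) -> bytes:
    """Provision a per-device secret at enrolment (assumed to live in the TEE)."""
    key = secrets.token_bytes(32)
    DEVICE_REGISTRY[device_id] = key
    return key


def issue_token(user_id: str, device_id: str, sim_identifier: str, now: int) -> str:
    """Mint a token tied to user, device and the SIM seen at login, with a short expiry."""
    payload = {"sub": user_id, "dev": device_id,
               "sim": sim_fingerprint(sim_identifier),
               "iat": now, "exp": now + TOKEN_TTL}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def device_proof(device_key: bytes, token: str, nonce: str) -> str:
    """Per-request proof of possession computed on the device over a server nonce."""
    return hmac.new(device_key, (nonce + "." + token).encode(), hashlib.sha256).hexdigest()


def verify_request(token: str, device_id: str, current_sim_identifier: str,
                   nonce: str, proof: str, now: int) -> tuple:
    """Return (accepted, reason) for one API call carrying the token."""
    if token in REVOKED:
        return False, "revoked"
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad_signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "expired"
    if claims["dev"] != device_id or device_id not in DEVICE_REGISTRY:
        return False, "device_mismatch"
    # A harvested bearer token is useless without the device key behind the proof.
    if not hmac.compare_digest(proof, device_proof(DEVICE_REGISTRY[device_id], token, nonce)):
        return False, "bad_device_proof"
    # SIM-swap detection: the session was bound to the SIM present at login.
    if claims["sim"] != sim_fingerprint(current_sim_identifier):
        REVOKED.add(token)
        return False, "sim_changed_reauth_required"
    return True, "ok"
```

In use, the server issues the token after a full login, then on every call it checks signature, expiry, device binding, the fresh proof of possession, and finally whether the SIM behind the session is still the one it was issued for. A token stolen in transit fails at the proof step; a token that outlives its five minutes fails at expiry; and the first request after a SIM replacement fails with a reason the client should treat as "log in again", which is the session invalidation the article observes many apps do not perform.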
On a broader architectural level, the current separation between telecom providers and service platforms presents a structural vulnerability. A more resilient model would involve shared threat intelligence layers, enabling real-time alerts between carriers and app providers. If a telecom detects abnormal IMSI behavior, for example, downstream services should be notified and able to adjust session permissions or prompt for secondary verification.
Finally, policy frameworks must evolve to support this paradigm shift. Current telecom regulations often define “user protection” as the preservation of service continuity—not the active detection or disruption of malicious identity misuse. Regulators should mandate cross-layer authentication logging, anomaly transparency reporting, and post-breach system audits. Most importantly, legal provisions must expand the definition of sensitive information to include not just names and national IDs, but also identifiers like IMSI, IMEI, and Ki—data which, once compromised, can silently enable long-term impersonation.
The SKT breach has revealed how much of modern digital security depends on telecom-layer trust. But trust, once broken, cannot be repaired with a new SIM alone. It must be rebuilt through better design, stronger detection, and smarter coordination across every layer of the ecosystem.