In the spring of 2025, South Korea’s telecommunications backbone was quietly breached. Attackers moved laterally through a VPN appliance, planted custom backdoors, and reached the Home Subscriber Server — the central database that authenticates millions of SIM cards. For weeks, the intrusion remained undetected. When investigators finally disclosed the scope, they confirmed that identifiers tied to tens of millions of subscribers had been siphoned out, raising the specter of SIM cloning and mass identity hijacking.
It was the opening act of what became a relentless cascade. In June, ransomware encrypted the servers of YES24, the country’s largest online bookstore and ticketing platform, forcing a multi-day shutdown. In July, Seoul Guarantee Insurance faced a ransomware strike coupled with claims of terabytes exfiltrated from its Oracle databases. August brought an even stranger vector: counterfeit base stations placed in Seoul neighborhoods intercepted phone identifiers and hijacked one-time voice authentication codes, draining funds from hundreds of KT subscribers. By September, Lotte Card confirmed that nearly three million customers’ payment details had been stolen, including full card numbers, expiration dates, and CVC codes.
Within six months, every layer of South Korea’s digital economy had been compromised: mobile carriers, financial institutions, and online retail. The incidents were not isolated. They exposed systemic weaknesses across network segmentation, authentication design, and data handling, and they underscored how attackers—ranging from state-linked espionage units to opportunistic ransomware crews—identified Korea as a high-yield target.
This investigation reconstructs the technical anatomy of each breach, traces the actors behind them, and examines why one of the world’s most digitally connected societies became the epicenter of cyberattacks in 2025.
SK Telecom: A Core Network Breach
The most alarming incident came first. In early April, SK Telecom discovered that intruders had been inside its network for weeks, possibly months. The breach was traced to a vulnerable VPN appliance that had not been patched against known exploits. From there, attackers installed custom malware, including the backdoor tool BPFdoor, and multiple webshells that allowed them to maintain persistent access.
What they reached was the Home Subscriber Server (HSS), the database that authenticates mobile devices across the network. Investigators found evidence that identifiers such as IMSI numbers—the unique codes tied to SIM cards—had been exfiltrated in bulk. Security officials warned that if paired with other keys, the data could enable SIM cloning or interception of text-message verification codes, a linchpin of mobile banking and identity checks in South Korea.
The breach was extraordinary because it went beyond customer records or billing databases. It struck the authentication core of the telecom infrastructure itself. Experts described it as a rare case of a carrier’s “crown jewel” being compromised—an attack more often associated with state-sponsored espionage than with profit-driven cybercrime. The discovery also raised uncomfortable questions about monitoring: the exfiltration was carried out in small packets over long periods, suggesting that detection systems inside one of the nation’s largest telecom providers were not calibrated to catch “low and slow” data theft.
YES24: Ransomware Strikes Twice
Two months after the telecom breach, attackers turned their attention to Korea’s largest online bookstore and ticketing platform. On June 9, YES24’s servers were encrypted by ransomware, forcing the company to shut down operations for nearly five days. Customers found they could not buy books or secure tickets, while staff scrambled to restore systems from backups that proved incomplete.
What followed was even more troubling. In August, barely two months after recovery, YES24 was hit again. Attackers re-entered through what investigators believe was a lingering vulnerability in the company’s remote access systems or web servers. This time the disruption lasted only hours, but the speed of the second intrusion highlighted deeper weaknesses. Backup architecture had not been rebuilt, patching remained inconsistent, and forensic follow-up from the first incident failed to close every door.
Security analysts described the back-to-back incidents as a classic case of “re-entry,” where the same group or affiliates return to exploit unpatched systems. The pattern pointed to ransomware-as-a-service (RaaS) groups operating out of Eastern Europe or Russia, which sell or lease toolkits to criminal affiliates worldwide. The initial ransom negotiations were never confirmed publicly, but industry sources said bitcoin transfers were likely involved after the first strike.
The double hit exposed how a lack of immutable, off-site backups and thorough post-breach remediation can leave a company open to repeated extortion. It also demonstrated that attackers saw South Korean online platforms as both profitable and underprepared: targets willing to pay for speed of recovery in a market where downtime translates directly into lost revenue.
SGI Seoul Guarantee: Extortion Meets a Technical Breakthrough
In July, the country’s largest guarantor of loans and sureties, SGI Seoul Guarantee, was hit with a ransomware attack that paralyzed parts of its systems. The intrusion vector was traced to the company’s SSL-VPN gateway, where accounts lacked multi-factor authentication and brute-force protections. Once inside, attackers moved laterally, gaining access to internal Oracle databases.
The attackers, identifying themselves under the name “Gunra,” claimed to have stolen up to 13 terabytes of data. The figure was never independently verified, and SGI publicly disputed the claim. Still, the threat was clear: a double-extortion scheme in which data is both encrypted and exfiltrated, with attackers demanding payment to restore access and suppress leaks.
What made this case stand out was the response. Analysts at the Financial Security Institute, a quasi-governmental body, were able to study the ransomware sample in depth and extract a working decryption key. SGI recovered its systems without paying a ransom—an outcome rarely seen in modern ransomware cases. Security specialists noted that the decryption breakthrough likely exploited a flaw in the attackers’ cryptographic implementation, underscoring the uneven sophistication of newer ransomware groups.
Even so, the attack underscored persistent weaknesses in Korea’s financial sector. VPN gateways remained a common entry point, multi-factor authentication was not uniformly enforced, and system monitoring failed to detect large-scale database access until after the damage was done. SGI avoided a direct ransom payment, but the incident exposed systemic vulnerabilities that attackers will continue to probe.
KT: Fraud Through the Airwaves
By late summer, the attacks moved back into the telecom sector, this time in an unfamiliar form. In August, investigators discovered that counterfeit base stations—small, unauthorized femtocell devices—had been deployed in parts of Seoul. These devices, designed to mimic legitimate cell towers, forced nearby phones to connect and quietly harvested identifiers such as IMSI and IMEI numbers, along with subscriber phone numbers.
The operation went further than passive data collection. Attackers used the intercepted identifiers to hijack one-time authentication calls, known as ARS verification, that underpin Korea’s micro-payment systems. Victims were charged for fraudulent transactions routed through mobile billing, with losses totaling about ₩240 million. Roughly 20,000 subscribers passed through the range of the fake stations, and 362 saw their accounts drained.
Technically, the breach was striking because it bypassed traditional digital defenses altogether. Instead of breaking into servers or databases, attackers manipulated the wireless layer itself—an area long assumed to be secure in everyday urban environments. The ARS system, which relies heavily on a single channel of trust between phone and network, proved dangerously exposed.
Police later arrested several suspects, including Chinese nationals, linking the case to transnational fraud rings. Security experts warned that the attack served as a proof of concept: with off-the-shelf femtocells and modest technical know-how, criminals could weaponize telecom infrastructure itself to monetize identity and payment flows.
For KT, the breach forced a reassessment of how authentication is secured. Reliance on ARS calls, once seen as a convenient standard, was suddenly framed as a structural liability. The episode also highlighted the absence of systematic monitoring for rogue base stations, a gap that regulators and carriers are now under pressure to close.
Lotte Card: Payment Data in the Open
The crescendo came in September, when Lotte Card confirmed that nearly three million customer records had been stolen. Among them, 280,000 cases were particularly severe: not just names and account numbers but full card details, including expiration dates, CVC codes, and portions of PINs. In terms of direct fraud potential, it was the most dangerous breach of the year.
The attack began in mid-August, when hackers compromised a web server and planted a webshell. Instead of siphoning data in large batches that might trigger alarms, they exfiltrated files in fragments of a few hundred megabytes at a time. Over the course of weeks, more than 200 gigabytes were quietly transferred out. The technique—known as “low and slow” exfiltration—proved effective against the company’s anomaly detection systems, which were tuned to catch large-volume transfers.
Forensic reviews also revealed a deeper failure: payment credentials that should never have been stored in full were kept in databases without adequate tokenization or irreversible encryption. Industry guidelines discourage storing CVC codes at all, yet they were found in plaintext alongside partial PIN values. This meant that once data left the perimeter, criminals possessed everything required to perform online “card-not-present” transactions.
The breach went undetected for nearly three weeks. When the company finally disclosed the incident, regulators questioned not only its security architecture but also its reporting practices. Critics argued that the delay allowed attackers to sell or distribute the stolen datasets on underground markets before affected consumers could react.
More than any other case, Lotte Card’s breach illustrated how a single weak link in data governance—storing sensitive payment information improperly—can magnify the impact of an intrusion. It also showed that Korea’s financial institutions, despite long exposure to digital payments, had not adopted the full range of protections now standard in Europe and parts of the United States.
A System Exposed
By the end of September, it was clear that the breaches were not isolated accidents but symptoms of a deeper malaise in South Korea’s digital infrastructure. Each case had its own entry point and its own style of attack, yet together they traced a pattern of neglect that cut across industries. Telecom operators, financial institutions, and online retailers all carried the same blind spots, and attackers exploited them in rapid succession.
One recurring weakness lay in the gateways that connect internal systems to the outside world. At both SK Telecom and Seoul Guarantee Insurance, attackers began with outdated VPN appliances. These devices had known vulnerabilities that had circulated in underground forums for months, but patch cycles lagged and multi-factor authentication was missing. Once inside, intruders faced little resistance moving deeper. What they found at SK Telecom was the crown jewel of any carrier: the Home Subscriber Server, where the identity of every SIM card is validated. For SGI, the path led to Oracle databases containing vast amounts of client information. In both cases, the failure to harden a single device opened the door to the most sensitive assets a company possessed.
Segmentation—the principle of cordoning off critical systems so that a single intrusion cannot spread—was also lacking. At Lotte Card, payment databases were not only accessible from compromised servers but were storing data that should never have been retained in the first place. Card numbers were linked with expiration dates, CVC codes, and even fragments of PINs. Security researchers described the practice as a relic from the 1990s, when storage costs and compliance regimes were looser. In 2025, it meant that once the attackers had gained access, the information they stole was immediately usable for fraud.
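As an added illustration of the data-handling point made here and in the Lotte Card section (example code, not from the article or from any company it names), the following reduces an authorization record to what may be retained after the transaction and audits stored records for fields that should not be there. The field names, the sample record, the test card number and the keyed-hash tokenization are constructed assumptions; a random token issued by a vault is the stronger alternative to the HMAC used here.

```python
"""Storing payment data without retaining what enables card-not-present fraud.

Added example, not code from the article or from any company it names.
Field names, the sample record and the keyed-hash tokenization are
constructed assumptions for illustration.
"""
import hashlib
import hmac
import re

# Field-name prefixes that must not survive authorization in stored records
# (card verification codes, PINs and magnetic-stripe track data).
PROHIBITED_PREFIXES = ("cvc", "cvv", "cav", "pin", "track")

# Constructed demo key. In production the token key lives in an HSM or
# key-management service, never beside the tokenized records.
TOKEN_KEY = b"constructed-demo-key-not-for-real-use"

PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check used to tell a real card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (BIN and tail)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash so transactions can be linked without storing the PAN.

    PANs have too little entropy for an unkeyed hash to resist brute force,
    so the key is essential; a random vault-issued token is stronger still.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(auth: dict) -> dict:
    """Reduce an authorization record to what may be retained afterwards."""
    pan = auth["pan"]
    return {
        "pan_token": tokenize_pan(pan),
        "pan_masked": mask_pan(pan),
        "expiry": auth["expiry"],  # permitted when protected at rest
        "amount": auth["amount"],
        "auth_code": auth["auth_code"],
        # cvc, pin and track data are deliberately not copied
    }


def audit_stored_record(record: dict) -> list:
    """Report prohibited fields and unmasked PANs found in a stored record."""
    findings = []
    for key, value in record.items():
        if key.lower().startswith(PROHIBITED_PREFIXES):
            findings.append(f"prohibited field retained: {key}")
        if isinstance(value, str):
            for match in PAN_PATTERN.finditer(value):
                if luhn_valid(match.group()):
                    findings.append(f"unmasked PAN in field: {key}")
    return findings


# Constructed record of the kind the article says was found in storage:
# full PAN, CVC and partial PIN kept after authorization.
UNSAFE_RECORD = {
    "pan": "4111111111111111",  # well-known test number, not a real card
    "expiry": "12/27",
    "cvc": "123",
    "pin_partial": "12",
    "amount": 45000,
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    print(audit_stored_record(UNSAFE_RECORD))
    safe = sanitize_for_storage(UNSAFE_RECORD)
    print(safe)
    print(audit_stored_record(safe))
```

Run against the constructed record, the audit reports the retained CVC, the partial PIN and the unmasked card number; run against the sanitized form it reports nothing, because the only card-derived values left are a masked string and a keyed token. The audit is the kind of check a forensic review can apply to an existing database dump, not only to new writes.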
Detection systems, too, were behind the curve. Instead of hauling data out in massive transfers that would have triggered alarms, attackers at SK Telecom and Lotte Card siphoned files in tiny fragments over long periods. Security platforms designed to spot sudden spikes in outbound traffic never flagged the “low and slow” trickle. The failures were not of technology alone but of configuration and vigilance. Analysts say the tools existed to catch such anomalies, but the rulesets were not tuned to match the sophistication of current attackers.
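To make the tuning failure concrete, here is an added example (not code from the article or from any of the companies named in it) that runs two detection rules over a constructed week of outbound-transfer summaries: a per-transfer spike threshold of the kind described above, and a rolling seven-day per-host volume budget. Host names, destinations, byte counts and both thresholds are constructed for illustration.

```python
"""Spike threshold vs. rolling volume for spotting low-and-slow exfiltration.

Added example, not code from the article or from any company it names.
Hosts, destinations, byte counts and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GiB = 1024 ** 3
MiB = 1024 ** 2


def build_sample_flows():
    """Constructed week of outbound-transfer summaries: (time, host, dst, bytes)."""
    start = datetime(2025, 8, 18)
    flows = []
    # one bulk transfer: 8 GiB in a single flow from web-01
    flows.append((start + timedelta(hours=3), "web-01", "203.0.113.10", 8 * GiB))
    # low and slow: 300 MiB every four hours for seven days from web-07
    for i in range(7 * 6):
        flows.append((start + timedelta(hours=4 * i), "web-07", "198.51.100.20", 300 * MiB))
    # ordinary noise: 5 MiB every hour from app-03
    for i in range(7 * 24):
        flows.append((start + timedelta(hours=i), "app-03", "192.0.2.5", 5 * MiB))
    return sorted(flows)


def spike_rule(flows, max_single_flow=1 * GiB):
    """Rule tuned for bulk theft: flag any single transfer above a size."""
    return {host for _, host, _, nbytes in flows if nbytes > max_single_flow}


def rolling_volume_rule(flows, window=timedelta(days=7), max_window_bytes=5 * GiB):
    """Flag hosts whose egress within any sliding window exceeds a budget.

    Returns {host: peak bytes observed inside one window} for flagged hosts.
    """
    by_host = defaultdict(list)
    for ts, host, _, nbytes in flows:
        by_host[host].append((ts, nbytes))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        total, left, peak = 0, 0, 0
        for ts, nbytes in events:
            total += nbytes
            # drop events that have fallen out of the window ending at ts
            while events[left][0] <= ts - window:
                total -= events[left][1]
                left += 1
            peak = max(peak, total)
        if peak > max_window_bytes:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    flows = build_sample_flows()
    print("spike rule flags:", sorted(spike_rule(flows)))
    for host, peak in sorted(rolling_volume_rule(flows).items()):
        print(f"rolling rule flags {host}: {peak / GiB:.1f} GiB in 7 days")
```

The spike rule sees only the 8 GiB transfer from web-01; web-07 never exceeds 300 MiB in one flow and passes unnoticed, although it moves over 12 GiB in the week. The rolling rule flags both and leaves the app server alone. In practice the window budget should come from each host's own baseline egress rather than a fixed number, and the volume signal is usually paired with a check on how many transfers go to the same external destination over the window.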
Even more troubling was the exposure of South Korea’s reliance on phone-based authentication. The KT case showed that identity verification systems built around ARS calls could be hijacked simply by manipulating the airwaves. Counterfeit base stations, purchased cheaply on the grey market, forced phones to connect and revealed subscriber identifiers. With those numbers in hand, criminals rerouted one-time passcodes intended for victims. In a country where small payments are often charged directly through mobile carriers, it created a direct line from telecom weaknesses to financial fraud. The incident dismantled a long-held assumption: that the wireless layer was safe from manipulation.
The actors behind the wave were varied. Forensic clues in the SK Telecom breach pointed to Chinese-linked espionage groups, interested less in money than in surveillance data. YES24 bore the fingerprints of ransomware-as-a-service crews from Eastern Europe, professional extortionists who had learned to monetize downtime. SGI’s ordeal came at the hands of a new and less skilled ransomware outfit, Gunra, which nonetheless managed to paralyze operations. KT’s attackers were traced to Chinese fraud rings, some members of which were later arrested in Seoul. And the Lotte Card breach, though unattributed, displayed the patience and discipline of organized data-theft syndicates. The diversity of motives—espionage, extortion, fraud—underscored a sobering truth: South Korea was not facing one enemy but many, drawn for different reasons to the same vulnerable terrain.
What made Korea so attractive in 2025 was not simply its wealth or its technology but the combination of the two. Few countries have embraced cashless living as fully, with more than half of all card transactions now processed through mobile devices. Few societies depend so heavily on a handful of telecom operators for both communication and identity verification. And few markets generate the sheer volume of digital transactions—trillions of won every day—that guarantee a payoff once defenses are breached. Add to that the persistence of legacy equipment, lax patching, and incomplete encryption practices, and the country became a “perfect return on investment” for attackers of every kind.
The wave of breaches did not come out of nowhere. It was the inevitable release of pressure that had been building for years, as technical debt piled up inside core systems and regulatory oversight focused more on punishment after the fact than on prevention before it. The year 2025 will be remembered not as the moment South Korea was suddenly targeted, but as the moment when long-standing vulnerabilities were finally exploited in full view.
The Cost of Digital Density
What unfolded in 2025 was not simply a string of embarrassing lapses. It was the collision of two defining traits of South Korea’s digital economy: its density and its centralization. The same factors that made Korea a leader in mobile connectivity—ubiquitous smartphones, seamless payments, and near-universal reliance on telecom carriers for identity—also created an attack surface where one breach could cascade into nationwide risk.
The technical evidence shows that attackers understood this dynamic better than the defenders. The exfiltration techniques used at SK Telecom and Lotte Card were designed precisely to evade anomaly detection thresholds tuned for different eras. The counterfeit base stations that struck KT revealed how trust in a single authentication channel could be inverted into a revenue stream for fraudsters. Ransomware groups betting on weak backup discipline at YES24 and SGI were rewarded with days of downtime, even when they failed to secure payment. In each case, attackers did not need extraordinary innovation; they needed only to exploit the assumptions that South Korean institutions had baked into their systems.
The legal and regulatory framework, while moving toward heavier fines and broader oversight, lagged behind the threat curve. The record-setting penalty imposed on SK Telecom was unprecedented, yet it came only after identifiers tied to tens of millions of subscribers had already leaked. Privacy commissioners and financial regulators can punish, but without continuous inspection rights and enforceable standards—on encryption, patch cycles, authentication practices—sanctions arrive too late to prevent damage. In effect, South Korea had built a punitive regime without a preventive one.
Globally, the country now stands as a case study in how digital leadership can breed vulnerability. Unlike Europe, where the GDPR’s 72-hour reporting rule forces immediate transparency, or the United States, where litigation risk compels companies to over-invest in defensive measures, South Korea trusted in the resilience of its own corporations. That trust was misplaced. The breaches revealed not only weak technical hygiene but also cultural and institutional blind spots: an emphasis on innovation over security, on service continuity over architectural resilience, and on post-crisis management over anticipation.
The lesson is not that Korea should retreat from its digital intensity. That intensity is irreversible, and it is the foundation of its economic model. The lesson is that high-density digital societies require a different order of defense—one that treats telecom identity databases, payment gateways, and authentication channels as critical infrastructure on par with power grids and water systems. Anything less will continue to leave them exposed to espionage, extortion, and fraud.
The breaches of 2025 should therefore be seen not as isolated disasters but as a national warning signal. They showed that South Korea’s digital fabric can be unraveled through gaps in its own stitching, and that the adversaries watching it are many, varied, and persistent. The question is whether policymakers and corporations will treat this year as an aberration, or as the turning point that forces a structural rethinking of how security is built into the nation’s digital core.