South Korea SIM Fraud Ring Targeted Prisoners, Soldiers, and the Dead

South Korean police on Thursday announced the arrest of the second and final suspected ringleader of a hacking syndicate that stole 48.4 billion won ($31.9 million) from 28 people while targeting 271 in total, closing an investigation that mobilized 55 detectives across nearly four years. The suspect, a 40-year-old Chinese national, was extradited from Bangkok to Incheon International Airport on May 13 and faces 18 charges, including computer fraud and violations of South Korea’s communications privacy law. He is expected to be formally referred to prosecutors by May 22.

The BTS vocalist Jungkook’s name became attached to this case early, and that is where most reporting landed. His brokerage account was frozen before any transfer cleared, and he lost nothing. The victims who actually lost money were chosen for a very different reason: corporate executives with large, illiquid positions; prisoners who could not check a banking app; soldiers locked into mandatory military service; and, as investigators confirmed, people who had already died.

Two Phases, Four Years, 48 Billion Won

The syndicate operated in two distinct technical phases, each abandoned only when its predecessor became too costly to sustain. Police described the evolution as a direct response to carrier security countermeasures, not an unplanned pivot.

The first phase, SIM cloning, began in May 2022. Investigators found that the group had copied the unique authentication credentials of 13 victims from their subscriber identity module (SIM) cards onto blank replacements, producing what police call “twin SIMs.” With a duplicate card, any one-time password or SMS verification text meant for the legitimate account holder can be received by the fraudulent copy instead. Four victims lost 8.9 billion won in cryptocurrency before telecom providers tightened their authentication logic enough to make cloning impractical.

So the operation changed course. From July 2023 onward, running alongside the cloning phase for roughly its final year, the group pivoted to hacking the online activation portals of budget mobile carriers directly. That shift was far more productive: the losses in the second phase were more than four times those of the first.

  • 48.4 billion won ($31.9M) stolen from 28 confirmed victims out of 271 targeted; fewer than one in nine targets was successfully defrauded
  • 8.9 billion won in Phase 1 cryptocurrency losses across four victims
  • 39.5 billion won extracted in Phase 2 via fraudulent SIM activations; a further 25 billion won theft attempt was blocked

The Silence-First Target List

The syndicate’s victim selection was organized around a single practical question: how long before this person notices? Investigators at the Seoul Metropolitan Police Agency’s Cyber Investigation Unit described the group as deliberately choosing individuals whose losses were unlikely to be detected or addressed promptly. Celebrities and executives appeared on the list not because of notoriety but because their accounts held large balances that could be moved in single transactions.

The less-discussed categories were the more deliberate ones. Prisoners cannot access a smartphone. Soldiers serving mandatory conscription have limited time with personal devices. Deceased individuals leave accounts that surviving family members may not actively monitor. Police confirmed all three as intentional targeting categories alongside the executives and influencers, not incidental additions to the victim roster.

Among the 28 confirmed victims, investigators identified 10 high-ranking corporate executives, three celebrities and influencers, and three cryptocurrency investors. Three more were connected to companies within South Korea’s top 100 conglomerates. The losses were sharply unequal: one victim alone accounted for 21.3 billion won, nearly half the total confirmed losses, in what prosecutors described as the case’s most destructive single incident.

That distribution reveals the scheme’s internal logic. Scale comes from targets with large accounts. Operational safety comes from targets who cannot fight back fast. The syndicate optimized for both simultaneously, which is why the confirmed victim list includes conglomerate executives alongside prisoners and the deceased.

  • 10 senior corporate executives at major Korean companies
  • 3 celebrities and social media influencers
  • 3 cryptocurrency investors
  • Individuals linked to 3 companies within South Korea’s top 100 conglomerates
  • Active-duty military service members under mandatory conscription
  • Incarcerated individuals and, in confirmed cases, deceased persons

Budget Carriers as the Weak Link

Phase One: Copying the SIM

SIM cloning did not require physical access to a victim’s handset. The group harvested authentication credentials through breaches of public and private digital platforms, then transferred those credentials to blank SIM cards obtained separately. From a carrier’s perspective, the cloned card is indistinguishable from the original; it presents identical authentication data and passes the same network identity checks.

Thirteen victims had their SIM credentials compromised this way. When carriers eventually tightened their protocols and cloning became unworkable, the group did not stop. It looked for the next exploitable gap in the same identity infrastructure, and the budget carrier activation portals were it.
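The point made above, that a card presenting the same credentials passes the same checks, can be made concrete with a toy model of the SIM challenge-response. This is an added example written for this article, not code from the investigation or from any carrier: it substitutes HMAC-SHA256 for the real SIM algorithms (COMP128, Milenage), uses constructed subscriber data, and the "second handset" flag is one illustrative clone signal, not the measure the article says Korean carriers adopted.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the article or from any carrier. The real
# SIM authentication algorithms (COMP128, Milenage) are replaced by an
# HMAC-SHA256 stand-in; only the shape of the exchange is modelled.
# All subscriber identifiers and keys below are constructed.


def sim_response(ki: bytes, rand: bytes) -> bytes:
    """SRES = f(Ki, RAND). The only thing a SIM proves to the network is
    knowledge of Ki; nothing in the answer is tied to a physical card."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Sim:
    def __init__(self, imsi: str, ki: bytes, imei: str) -> None:
        self.imsi, self.ki, self.imei = imsi, ki, imei

    def respond(self, rand: bytes) -> bytes:
        return sim_response(self.ki, rand)


class Network:
    def __init__(self) -> None:
        self.subscribers: dict[str, bytes] = {}  # IMSI -> Ki, as held by the carrier
        self.attached: dict[str, str] = {}       # IMSI -> handset (IMEI) seen last

    def provision(self, imsi: str, ki: bytes) -> None:
        self.subscribers[imsi] = ki

    def authenticate(self, sim: Sim) -> bool:
        """Challenge-response exactly as the carrier sees it."""
        ki = self.subscribers.get(sim.imsi)
        if ki is None:
            return False
        rand = secrets.token_bytes(16)
        expected = sim_response(ki, rand)
        return hmac.compare_digest(expected, sim.respond(rand))

    def attach(self, sim: Sim) -> tuple[bool, bool]:
        """Returns (authenticated, suspicious). 'suspicious' is one
        illustrative clone signal (assumption, not the article's): the same
        IMSI turning up from a second handset while already attached."""
        if not self.authenticate(sim):
            return False, False
        prev = self.attached.get(sim.imsi)
        suspicious = prev is not None and prev != sim.imei
        self.attached[sim.imsi] = sim.imei
        return True, suspicious


def demo() -> dict[str, tuple[bool, bool]]:
    net = Network()
    ki = secrets.token_bytes(16)
    net.provision("450051234567890", ki)

    genuine = Sim("450051234567890", ki, "35-209900-176148-1")
    twin = Sim("450051234567890", ki, "35-111111-222222-3")  # copied IMSI + Ki
    wrong = Sim("450051234567890", secrets.token_bytes(16), "35-111111-222222-3")

    return {
        "genuine": net.attach(genuine),  # (True, False)
        "twin": net.attach(twin),        # (True, True): passes auth, flagged only by the handset change
        "wrong_ki": net.attach(wrong),   # (False, False): knowing the IMSI alone is not enough
    }


if __name__ == "__main__":
    for name, (authed, flagged) in demo().items():
        print(f"{name:9s} authenticated={authed} suspicious={flagged}")
```

The "twin" line is the whole phase-one story: the network cannot distinguish the copy from the original by the authentication exchange itself, so any countermeasure has to come from context (concurrent attachments, location, device identity) rather than from the credential check.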

Phase Two: Hacking the Portal

Mobile virtual network operators (MVNOs, carriers that lease network capacity from South Korea’s three major telecoms rather than operating their own towers) had built non-face-to-face activation systems as a customer convenience feature. A new subscriber could sign up entirely online by uploading a copy of an identity document, with no in-person appearance or biometric check required. The syndicate treated those portals as an entry point, not a friction point.

Investigators found that the group breached more than ten such portals between July 2023 and April 2025. Using identity data already exfiltrated from government agencies and financial platforms, they registered 122 SIM cards under the names of 92 real people. Those authenticated phone numbers cleared two-factor authentication at banks, brokerage accounts, and cryptocurrency exchanges. The group also breached more than ten separate public and private platforms to access the financial records of 195 individuals, feeding the pipeline with a continuous supply of fresh credentials.

The scale of the underlying structural failure became clear months after the arrests. Per National Police Agency data on ghost-phone cases, MVNOs accounted for 92.3 percent of all fraudulent phone registrations detected nationwide in 2024, totaling 89,927 of 97,399 reported incidents. The syndicate’s fraudulent activations were one criminal operation inside a much broader sector-wide vulnerability.
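The step the pipeline described above skipped is the one a bank or exchange could take on its own side: before trusting an SMS code, ask how old the number is and how it was activated. The following is an added example, not code from the article or from any Korean institution. It models a relying-party risk check that treats a recently activated number, particularly one opened online by document upload at an MVNO, as a weak second factor. The thresholds, record shapes and activation data are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not from the article or from any bank. Signals and weights
# are assumptions; a real deployment would tune them against its own data.
FRESH_WINDOW = timedelta(days=30)     # assumption: a SIM younger than this is "fresh"
LARGE_TRANSFER_KRW = 100_000_000      # assumption: 100 million won


@dataclass(frozen=True)
class SimActivation:
    msisdn: str
    activated_at: datetime
    channel: str        # "store" | "online_id_upload" | "online_biometric"
    carrier_type: str   # "mno" | "mvno"


@dataclass(frozen=True)
class OtpRequest:
    msisdn: str
    requested_at: datetime
    amount_krw: int


def score_request(req: OtpRequest, activations: dict[str, SimActivation]) -> tuple[int, list[str]]:
    """Accumulate risk for sending an SMS OTP to req.msisdn."""
    score, reasons = 0, []
    act = activations.get(req.msisdn)
    if act is None:
        # The relying party cannot verify the number's history at all.
        score += 30
        reasons.append("no_activation_record")
    else:
        age = req.requested_at - act.activated_at
        if age < FRESH_WINDOW:
            score += 40
            reasons.append(f"sim_activated_{age.days}d_ago")
            if act.channel == "online_id_upload":
                # Non-face-to-face activation with no biometric match.
                score += 30
                reasons.append("activated_without_biometric_check")
            if act.carrier_type == "mvno":
                score += 10
                reasons.append("mvno_activation")
    if req.amount_krw >= LARGE_TRANSFER_KRW:
        score += 20
        reasons.append("large_transfer")
    return score, reasons


def decide(req: OtpRequest, activations: dict[str, SimActivation]) -> str:
    score, _ = score_request(req, activations)
    if score >= 50:
        return "deny_sms_otp"   # require an in-person or non-SMS factor
    if score >= 30:
        return "step_up"        # additional verification before the OTP
    return "allow"


def sample_activations() -> dict[str, SimActivation]:
    # Constructed records, not real subscriber data.
    return {
        "010-1111-0001": SimActivation("010-1111-0001", datetime(2019, 4, 2), "store", "mno"),
        "010-2222-0002": SimActivation("010-2222-0002", datetime(2024, 1, 12), "online_id_upload", "mvno"),
        "010-3333-0003": SimActivation("010-3333-0003", datetime(2024, 1, 10), "online_biometric", "mno"),
    }


def sample_requests() -> dict[str, OtpRequest]:
    now = datetime(2024, 1, 15, 9, 30)  # constructed evaluation time
    return {
        "long_held_number": OtpRequest("010-1111-0001", now, 500_000),
        "fresh_mvno_no_biometric": OtpRequest("010-2222-0002", now, 21_300_000_000),
        "fresh_biometric_mno": OtpRequest("010-3333-0003", now, 200_000),
        "unknown_number": OtpRequest("010-9999-0009", now, 50_000),
    }


def sample_scores() -> dict[str, int]:
    acts = sample_activations()
    return {label: score_request(req, acts)[0] for label, req in sample_requests().items()}


def sample_decisions() -> dict[str, str]:
    acts = sample_activations()
    return {label: decide(req, acts) for label, req in sample_requests().items()}


if __name__ == "__main__":
    acts = sample_activations()
    for label, req in sample_requests().items():
        score, reasons = score_request(req, acts)
        print(f"{label:25s} score={score:3d} decision={decide(req, acts):13s} {reasons}")
```

The data this check needs (activation date and channel) lives with the carrier, not the bank, which is why the decision is framed as a lookup against activation records: without that feed, the only option left is the "unknown_number" branch, and the relying party has to step up every request.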

| Metric | Phase 1: SIM cloning | Phase 2: Fraudulent activations |
|---|---|---|
| Active period | May 2022 to June 2024 | July 2023 to April 2025 |
| Core method | Copying SIM authentication credentials to blank cards | Hacking MVNO non-face-to-face online activation portals |
| Victims affected | 13 SIM credentials stolen; 4 financial losses | 122 SIM cards opened under 92 identities; 24 financial victims |
| Confirmed losses | 8.9 billion won (cryptocurrency) | 39.5 billion won (financial and crypto accounts) |
| What ended it | Carriers tightened SIM authentication protocols | Investigation, arrests, and extraditions |

A School-Day Partnership Behind 32 Suspects

The two ringleaders had known each other since their school days, according to police. The first, a 36-year-old Chinese national, was operating out of Thailand when South Korean authorities obtained an emergency provisional arrest measure and extradited him to Seoul in August 2025; he was indicted the following month and remains on trial. The second, the 40-year-old now in custody after arriving at Incheon Airport on May 13, faces 18 charges. Both Chinese nationals ran their hacking operations from overseas bases, with the network spanning China and Thailand, before coordination with Interpol’s cybercrime division helped bring both extraditions to completion.

Below those two, 55 investigators tracked a 30-member support structure whose roles were deliberately compartmentalized: managers who processed stolen identity data, field operatives who executed SIM activations and financial transactions, and money-laundering specialists who moved funds across jurisdictions. The 30 additional members reportedly included unemployed individuals, self-employed workers, and university students. Police worked the case for three years and eleven months. Detection did not prevent Phase 2 from running; it only accelerated its end.

The ₩8.4 Billion HYBE Attempt, and the ₩21.3 Billion That Wasn’t Stopped

In January 2024, while Jungkook was completing mandatory military service, the syndicate accessed a securities account in his name and attempted to transfer 33,500 shares of HYBE, the entertainment company behind BTS. The shares were worth approximately 8.4 billion won at the time. BigHit Music, HYBE’s subsidiary label for Jungkook’s management, moved to freeze the account after authorities flagged the irregularity. No funds transferred.

The same investigation produced a very different result for the unnamed victim who lost 21.3 billion won in a single incident, the case’s largest individual loss. Police separately report recovering roughly that amount through suspicious-transaction detection systems at financial institutions, though whether the recovery was fully realized is not confirmed in publicly available filings. Investigators also froze accounts containing 12.8 billion won as the case developed.

This incident of bypassing the non-face-to-face authentication system is ‘unprecedented,’ and the vast sums accessed ‘could have easily led to an even bigger crime.’

Oh Gyu-sik, head of the Seoul Metropolitan Police Agency’s 2nd Cyber Investigation Unit, made that statement when an earlier phase of arrests was announced. The framing reflects how investigators read the case: not as a finished chapter, but as a demonstration of what becomes possible when authentication gaps exist at scale and credentials are already in circulation.

South Korea Closes the Loophole, for Now

South Korea’s Ministry of Science and ICT piloted a facial recognition requirement for new SIM registrations from December 23, 2025, and moved to full mandatory implementation on March 23, 2026. The policy now applies to all three major mobile carriers and every MVNO operating in the country. Under the system, a biometric match between a subscriber’s government-issued ID photo and a real-time facial scan must clear before any SIM is activated, whether the transaction is in-person or through an online portal.

The MVNO sector, responsible for 92.3 percent of all ghost-phone activations caught in 2024, faces the sharpest compliance obligations. Per the Ministry of Science and ICT’s December 2025 policy announcement, carriers that fail to apply the biometric check face accountability measures for repeated illegal activations. A separate investigation uncovered 11,000 ghost SIM cards registered through stolen foreign passport copies, causing an estimated 96 billion won in damages, confirming that the problem extended well beyond this one syndicate.

Police closed their statement on the case with an unusual admission: this was “a new type of crime that is difficult to find precedents globally.” The underlying mechanism is less novel. If identity credentials are already compromised at the database level and SIM activation requires no biometric gate, the combination is a ready-made account-takeover pipeline. The facial verification mandate closes the activation end of that pipeline, and has been in force since late March.

If the biometric rollout holds without new workarounds and MVNO operators apply the checks consistently, the non-face-to-face activation gap this syndicate exploited for nearly two years will be closed for good. But the government agencies and financial platforms that surrendered the identity credentials of 195 individuals to the group remain the open variable. The Ministry’s policy addresses one gate. The upstream breach problem that stocked the syndicate’s pipeline is still an unsettled question for Korean regulators.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy-focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no-nonsense tech news and reviews based on real hands-on testing. He has personally tested and reviewed dozens of mid-range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
