Authorities in South Korea have arrested a total of 16 individuals suspected of abusing the personal details of millions of people to earn large amounts of money.
According to the Korea JoongAng Daily, one of the suspects is a 24-year-old man surnamed Kim who is said to have received 220 million pieces of personal information belonging to 27 million South Korean nationals aged between 15 and 65 from a Chinese hacker. With a total population of roughly 50 million, the figure reportedly represents 72% of people between the ages 15 and 65.
The South Jeolla Provincial Police Agency reported that Kim used the information, which included names, account credentials and resident registration numbers (the South Korean equivalent of SSNs), to steal gaming currency worth 400 million won (roughly $400,000) from the players of six online games. The man gave approximately one thirds of the profit to the Chinese hacker.
Kim is also believed to have sold the information to others, including mortgage fraudsters and illegal gambling advertisers who used it to make millions of dollars.
In addition to the 16 people that have already been arrested and the Chinese hacker, police have six other suspects in the case.
Adam Kujawa, head of malware intelligence at Malwarebytes, believes such incidents can be avoided if online games use two-factor authentication to protect players’ accounts.
“Online gaming is a huge industry and pastime in South Korea. The country treats its professional gamers like rock stars, on the same level as professional athletes. In turn, some of the best gamers in the world are from South Korea. So it’s not a big surprise when one of the biggest attacks against the population is part due to — and a main target of — the attackers,” Kujawa told SecurityWeek.
“‘Kim’ clearly had an idea of what he was doing when he decided that — after victimizing the gaming community — he would try to unload the credentials by selling them to scammers, however his biggest mistake was most likely either that of pride and/or misplaced trust,” the expert added. “His arrest was no doubt either because one of his associates decided to brag about the attack or otherwise failed to ensure their communications were secure when speaking about the attack and therefore gave the authorities a way in. This is the most common way that cyber criminals get caught worldwide.”
Back in January, state regulators in South Korea revealed that the details of at least 20 million bank and credit card users were sold by an employee of the personal credit ratings firm Korea Credit Bureau (KCB) to phone marketing companies.