BTS Hackers Nabbed: South Korea Extradites Alleged Leader of a Vishing Ring
The Ministry of Justice of South Korea has announced the extradition of a suspected leader of a transnational hacking group — a 34-year-old Chinese national wanted for a series of high-profile thefts targeting wealthy and prominent South Korean citizens, including BTS member Jeon Jungkook. According to officials, the suspect was flown out of Bangkok in the early hours of August 22 and handed over to South Korean authorities at Incheon International Airport.
Investigators allege that between August 2023 and January 2024, the group infiltrated the websites of telecommunications operators and other online services to harvest personal data, which was then used to register mobile numbers in the names of their victims. This method provided access to two-factor authentication and alerts from banking and cryptocurrency platforms, enabling the transfer of funds and digital assets to accounts under their control. The total damage is estimated at 380 billion won (approximately $274 million), with victims including celebrities, prominent entrepreneurs, and senior executives of technology companies. Among them was Jeon Jungkook: following his enlistment in January 2024, the attackers attempted to liquidate 33,500 shares of HYBE, valued at nearly 8.4 billion won ($6 million). However, his agency successfully blocked the transactions, preventing any financial loss.
The suspect’s capture and extradition followed a carefully orchestrated process. In the spring of 2025, authorities learned of his entry into Thailand and secured his immediate detention through an “urgent extradition arrest” — a legal mechanism in South Korea that permits temporary custody of a suspect while formal extradition documents are prepared. Following his arrest, both countries coordinated the terms of transfer, with South Korea dispatching prosecutors and investigators to Thailand. Four months later, the handover was completed, and the suspect was flown to Seoul.
Officials emphasized that the investigation was conducted in coordination with Interpol, whose notification system and identity-verification tools were critical in handling cases involving forged documents and identity theft. While no technical details of the hacking campaign have yet been disclosed, the described methodology aligns with classic vishing tactics — telephone-based social engineering involving SIM swapping, impersonation of customer support agents, and interception of one-time security codes.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
