South Korean authorities have successfully extradited a Chinese national suspected of orchestrating one of the most sophisticated hacking operations targeting high-profile individuals and financial institutions.
The 34-year-old suspect, identified only as Mr. G, was repatriated from Bangkok, Thailand, on August 22, 2025, following a four-month international manhunt that resulted in his arrest for allegedly stealing over 38 billion won (approximately $28.5 million) from victims’ financial and virtual asset accounts.
The criminal organization, operating from overseas offices primarily in Thailand, executed a complex multi-vector attack campaign spanning from August 2023 to January 2024.
The group’s primary methodology involved infiltrating mobile carrier websites and other web platforms to harvest personal information from wealthy individuals, celebrities, corporate executives, and venture company representatives.
Using this stolen data, the hackers gained unauthorized access to victims’ banking accounts and cryptocurrency wallets, systematically transferring assets without detection for months.
Initial investigations revealed that the operation combined social engineering with technical exploitation of web application vulnerabilities.
Moj.go.kr analysts identified the attack pattern as a coordinated effort utilizing both automated tools and manual intervention to maximize financial extraction while avoiding traditional security monitoring systems.
Hacker got arrested (Source – Moj.go.kr)
The operation’s technical sophistication became apparent through its multi-stage infection mechanism, which relied heavily on exploiting vulnerabilities in mobile carrier authentication systems.
The malware initially gained entry through compromised web portals, where attackers injected malicious scripts designed to harvest user credentials and session tokens.
Once inside the network perimeter, the malicious code established persistent backdoors using encrypted communication channels to maintain long-term access.
The persistence tactics employed by this threat actor demonstrated advanced knowledge of system administration and network security protocols.
The malware utilized a combination of registry modifications and scheduled task creation to ensure continuous operation across system reboots.
Code analysis revealed the use of obfuscated PowerShell scripts that executed at regular intervals, checking for network connectivity and updating command-and-control server addresses dynamically.
# Decode the base64 payload carried in $data (supplied by the loader stage described above)
$encoded = [System.Convert]::FromBase64String($data)
$decoded = [System.Text.Encoding]::UTF8.GetString($encoded)
# Execute the decoded script text in memory; with script block logging enabled this stage is recorded as PowerShell event 4104
Invoke-Expression $decoded
Detection evasion mechanisms included the implementation of anti-analysis techniques such as environment checking, sandbox detection, and runtime packing.
The malware consistently modified its file signatures and employed living-off-the-land techniques, utilizing legitimate system tools like PowerShell and Windows Management Instrumentation to execute malicious activities while appearing as normal system processes.
The successful extradition represents a significant victory for international cybercrime cooperation, with Korean authorities working closely with Thai officials, Interpol, and the Southeast Asia Cooperation Network to track and apprehend the suspect within just four months of his entry into Thailand.
The post South Korea Arrests Suspected Chinese Hacker Stolen Tens of Millions of Dollars from Victims appeared first on Cyber Security News.