Two Masterminds Behind 'USIM Cloning' to Be Prosecuted
Personal Information Hacked, Account Balances Siphoned
Violation of the Act on the Aggravated Punishment of Specific Economic Crimes... Damages Reach 73.4 Billion Won

Police have apprehended a Chinese hacking organization that broke into the financial asset accounts of domestic wealthy individuals, including Jungkook, a member of the group BTS, and corporate chairmen, and siphoned off assets worth approximately 70 billion won.


The Seoul Metropolitan Police Agency's Cyber Investigation Unit announced on the 21st that it had arrested Mr. A (age 40), the ringleader of a Chinese hacking group, and Mr. B (age 36) on 18 charges, including violations of the Act on the Aggravated Punishment of Specific Economic Crimes. Eight other members of the organization, charged with violations such as the Protection of Communications Secrets Act, have been arrested and referred for prosecution, while twenty-two individuals accused of offenses such as forgery of official documents have been referred without detention. In addition, Interpol red notices have been issued for nine overseas members of the organization.

Oh Gyusik, Head of Cyber Investigation Division 2 at Seoul Metropolitan Police Agency, is speaking at a briefing held at the Seoul Police Agency building in Jongno-gu, Seoul on the morning of the 21st. Photo by Oh Jieun


According to the police, Mr. A and others are suspected of infiltrating victims' financial and virtual asset accounts using methods such as USIM (SIM card) cloning and illegal USIM activation to steal funds. After Mr. B was indicted in August last year for crimes related to illegal USIM activation, further investigation revealed that the group had also committed crimes using SIM card cloning techniques. During this process, it was additionally confirmed that Mr. A was not merely an accomplice but was in fact the ringleader. They used a new method that involved creating 'twin USIMs' in the victims' names to intercept text message verification codes and financial one-time passwords (OTPs). Total damages amounted to 73.4 billion won.


From May 2022 to June 2023, Mr. A and others copied the unique identification information of USIM cards belonging to 13 mobile carrier subscribers onto blank USIM chips, creating so-called 'twin USIMs', and then attempted to change devices under the victims' names. At the moment the victims' phones were disconnected from the network, the devices controlled by Mr. A and his group were registered as legitimate devices, allowing them to intercept all text message verification codes and financial OTPs sent to the victims. Using this method, they infiltrated the virtual asset exchange accounts of four victims and stole approximately 8.9 billion won worth of virtual assets.

Mr. B, who was indicted last August for embezzling assets of domestic tycoons including Jungkook, a member of the group BTS. Photo by Yonhap News


When police and telecommunications companies implemented a system to block abnormal device changes, the organization immediately changed its methods. From July 2023 to April last year, Mr. A and others exploited vulnerabilities in the non-face-to-face activation systems of 12 budget phone operators, illegally activating 122 USIMs under the names of 92 victims. They also hacked into 10 public and private websites to steal personal and financial information and even obtained I-PINs and joint authentication certificates. Subsequently, they infiltrated financial institution and virtual asset exchange accounts, stealing approximately 39.5 billion won in assets and attempting to siphon off an additional 25 billion won.


Mr. A and others specifically targeted individuals who would have difficulty immediately responding to authentication theft, such as those staying overseas or wealthy individuals who were incarcerated. The group operated with clearly divided roles: ringleaders were responsible for hacking, securing USIM information, account infiltration, ID forgery, and money laundering, while domestic members handled USIM cloning, phone activation, receiving verification texts, and laundering criminal proceeds.

Reconstructed Telegram chatroom conversation in which Mr. A and others discuss SIM card cloning, and fake phones illegally activated by Mr. A and others. Seoul Metropolitan Police Agency


Over a period of three years and eleven months, the police deployed 55 investigators, executed 531 search and seizure and verification warrants, and conducted seven overseas trips. While sequentially arresting domestic managers, operatives, and money launderers, police identified the ringleader Mr. B using advanced cyber tracking techniques, obtained intelligence on his entry into Thailand, and launched a joint investigation with local police and Interpol. Ultimately, in May last year, Mr. B was apprehended at a hideout in Bangkok, Thailand, and Chinese national Mr. A, who was with him, was detained by local authorities on charges of illegal stay. Subsequent forensic analysis of seized items and cross-analysis of big data from previous cases revealed that Mr. A was also a co-leader of the organization and had orchestrated past 'USIM cloning' crimes.


The victims who lost funds included 10 corporate chairmen, CEOs, and executives; three celebrities and influencers; and three virtual asset investors. Among them, three were executives at companies ranked among the top 100 groups. In total, there were 271 hacking victims, including 22 executives from top 100 groups.



A representative from the Seoul Metropolitan Police Agency stated, "This is an unprecedented new form of transnational hacking crime even on a global scale," and added, "We plan to continue joint investigations with Interpol and others to identify additional accomplices and any overseas affiliate organizations."


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
