
Ransomware group Qilin launches "Korean Leaks" supply chain attack on South Korea's financial sector: 28 firms affected, 2TB of sensitive data leaked

According to The Hacker News, the ransomware group Qilin carried out a supply chain attack codenamed "Korean Leaks" by breaching GJTec, a South Korean IT hosting service provider, and through it reached 28 South Korean financial institutions at once, stealing more than 1 million files and about 2TB of sensitive data. It is the most serious cyber incident South Korea's financial sector has faced this year.

Who is the perpetrator? Who are the victims?

The operator is Qilin (also known as Agenda), a highly active ransomware-as-a-service (RaaS) group. It is widely assessed to be Russia-linked, although its own messaging presents it as "political activists". Qilin has been the most active ransomware group in the world this year, claiming more than 180 victims in October alone. Notably, the operation likely also involved the North Korean hacking group Moonstone Sleet, a rare pairing of a criminal group with state-backed hackers.

The victims are all South Korean asset management companies, 28 in total, including LX, Human, Bridge, and Majesty. The attackers not only encrypted the victims' computers but also exfiltrated customer data, internal emails, investment portfolios, and even files that allegedly document stock market manipulation.

How did the hackers accomplish this?
Investigators found that the attackers breached only one organisation: GJTec, an IT service provider that manages computers, backs up data, and maintains systems for small and medium-sized financial institutions. Compromising GJTec gave the attackers a "master key": the access the provider used to administer its clients' systems reached directly into all 28 of them, where the attackers deployed Qilin ransomware and began double extortion: pay, or face data exposure plus system destruction.

The stolen data was leaked on the dark web in three waves:
  • First wave: September 14, 2025, 10 victims.
  • Second wave: September 17-19, 2025, 9 victims.
  • Third wave: September 28 to October 4, 2025, 9 victims.

During the first two waves the leak posts were full of political messaging: claims of "exposing financial corruption in South Korea", threats to "devastate the South Korean stock market", and the naming of "well-known political and business figures". Only in the third wave did the posts revert to a conventional ransom tone, which suggests that different parties may have been controlling the messaging.

How serious is this attack?

"2TB of data" sounds abstract, but it amounts to hundreds of thousands of contracts, customer identification numbers, bank account details, and investment records. If all of it is published, the consequences could include: leaked personal data fuelling fraud and identity theft; alleged evidence of stock market manipulation triggering market panic or even a crash; heavy regulatory penalties for the affected firms and class-action claims from customers; and damage to South Korea's financial reputation that drives foreign investment out.
More dangerously, the case shows why supply chain attacks have become a favourite of ransomware crews: rather than breaking into companies one at a time, an attacker compromises an intermediary IT service provider and harvests dozens or hundreds of its clients in one go, at low cost and high return.

How can ordinary enterprises protect themselves?

No single measure stops this kind of attack, but the following reduce both the chance of intrusion and the damage if a vendor is breached:
  • Put cybersecurity responsibility clauses in every contract with external IT suppliers, requiring them to enforce multi-factor authentication (MFA) on all remote access to your systems and to run regular vulnerability scans.
  • Do not keep all important data in one system, and apply the principle of least privilege to vendor accounts as well as staff: a vendor account should reach only the hosts and data the vendor actually maintains, not every system in the company.
  • Keep critical data backed up off-site and stored offline, under credentials the vendor does not hold, so that the backups survive even if the attacker encrypts the main server using the vendor's own access. In this case the breached provider was also the one running the victims' backups, which is exactly the dependency an offline copy is meant to break.
  • Regularly rehearse a "vendor breach" scenario: confirm that you can quickly revoke the vendor's credentials and remote-management access, disconnect the affected systems, and restore from the offline backups.

This article was first published in BlockTempo.
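To make the least-privilege and vendor-access points concrete, here is an added example (not code from BlockTempo, The Hacker News, or any firm named in the article) that monitors remote-management logins by a third-party IT vendor's service account. The account name, host names, policy values and log lines are all constructed for illustration. It flags the four things a stolen provider credential tends to produce: logins to hosts outside the vendor's agreed scope, logins outside the maintenance window, logins without MFA, and one account fanning out across many hosts within minutes.

```python
"""Vendor-access monitor for third-party IT service accounts.

Added example; not code from the article or from any organisation named in
it. Policy values, host names, the account name and the log lines are all
constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical access policy for one vendor service account, the kind of
# scope a "cybersecurity responsibility clause" with the supplier would set:
# which hosts the vendor may touch, when, whether MFA is mandatory, and how
# many distinct hosts one technician normally reaches in ten minutes.
VENDOR_POLICY = {
    "svc-vendor-ops": {
        "allowed_hosts": {"fileserver01", "backup01", "dc01"},
        "window_hours": (1, 5),        # maintenance window 01:00-04:59
        "mfa_required": True,
        "max_hosts_per_10min": 3,
    }
}

# One remote-management login event per line (constructed format).
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no) "
    r"result=(?P<result>\S+)$"
)

# Constructed sample: two in-window, MFA-backed logins, then the same
# account sweeping across trading and finance workstations mid-afternoon
# without MFA, which is what a stolen provider credential looks like.
SAMPLE_LOG = """\
2025-09-13 02:10:05 host=fileserver01 user=svc-vendor-ops src=203.0.113.10 mfa=yes result=success
2025-09-13 02:12:40 host=backup01 user=svc-vendor-ops src=203.0.113.10 mfa=yes result=success
2025-09-13 14:03:11 host=dc01 user=svc-vendor-ops src=198.51.100.7 mfa=no result=success
2025-09-13 14:03:30 host=ws-trading-07 user=svc-vendor-ops src=198.51.100.7 mfa=no result=success
2025-09-13 14:03:52 host=ws-trading-08 user=svc-vendor-ops src=198.51.100.7 mfa=no result=success
2025-09-13 14:04:10 host=ws-finance-02 user=svc-vendor-ops src=198.51.100.7 mfa=no result=success
2025-09-13 14:05:00 host=dc01 user=jdoe src=10.0.0.5 mfa=yes result=success
2025-09-13 14:05:30 host=backup01 user=svc-vendor-ops src=198.51.100.7 mfa=no result=failure
"""


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    return event


def analyze(lines, policy=VENDOR_POLICY):
    """Return findings as (timestamp, account, tag, detail) tuples.

    Only successful logins by accounts covered by the policy are judged;
    staff accounts and failed attempts are ignored here.
    """
    findings = []
    recent = defaultdict(list)  # account -> [(ts, host)] in the last 10 min
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "success":
            continue
        rule = policy.get(ev["user"])
        if rule is None:
            continue
        ts, host, user = ev["ts"], ev["host"], ev["user"]

        if host not in rule["allowed_hosts"]:
            findings.append((ts, user, "out_of_scope", f"host {host}"))
        start, end = rule["window_hours"]
        if not start <= ts.hour < end:
            findings.append((ts, user, "outside_window", f"{ts:%H:%M}"))
        if rule["mfa_required"] and ev["mfa"] == "no":
            findings.append((ts, user, "no_mfa", f"src {ev['src']}"))

        # Fan-out: one vendor account reaching many distinct hosts in a short
        # time is the provider-side "master key" being used at scale.
        window = [(t, h) for t, h in recent[user] if ts - t <= timedelta(minutes=10)]
        window.append((ts, host))
        recent[user] = window
        distinct = {h for _, h in window}
        if len(distinct) > rule["max_hosts_per_10min"]:
            findings.append((ts, user, "fan_out", f"{len(distinct)} hosts in 10 min"))
    return findings


def summarize(findings):
    """Count findings per tag; useful for a quick triage view."""
    return Counter(tag for _, _, tag, _ in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for ts, user, tag, detail in results:
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user} {tag}: {detail}")
    print(dict(summarize(results)))
```

On the constructed sample the two early-morning logins produce nothing, while the afternoon sweep yields out-of-scope, outside-window and no-MFA findings on each workstation and a fan-out finding once the account has touched a fourth host within ten minutes. The thresholds are placeholders; the point is that each of the four checks maps to one contractual or least-privilege control from the list above, and a provider credential that is genuinely scoped to a few hosts and a maintenance window should never trip them.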
