
Authorities in South Korea have successfully extradited a Chinese citizen believed to be behind one of the most complex hacking schemes aimed at prominent individuals and financial institutions.

The 34-year-old individual, known only as Mr. G, was returned from Bangkok, Thailand, on August 22, 2025, following a four-month global search which culminated in his capture for reportedly stealing over 38 billion won (in the region of $28.5 million) from victims’ financial and virtual asset accounts.

The criminal enterprise, operating from overseas bases located chiefly in Thailand, conducted a sophisticated multi-vector attack campaign that ran from August 2023 to January 2024.

The group’s main strategy involved breaching mobile carrier websites and various online platforms to collect personal data from affluent individuals, celebrities, corporate leaders, and representatives of venture firms.

Leveraging this stolen information, the hackers gained unauthorized entry into victims’ banking accounts and cryptocurrency wallets, methodically transferring assets unnoticed for several months.

Preliminary inquiries indicated that the malware incorporated advanced social engineering techniques in conjunction with technical exploitation of vulnerabilities in web applications.

Moj.go.kr analysts characterized the attack as a coordinated operation that combined automated processes with manual actions to maximize financial gain while evading standard security monitoring systems.

Hacker apprehended (Source – Moj.go.kr)

The operation’s technical sophistication was highlighted by its multi-stage infection strategy, which heavily relied on exploiting flaws in mobile carrier authentication systems.

The malware initially accessed compromised web portals, where attackers injected harmful scripts designed to capture user credentials and session tokens.

Once inside the network perimeter, the malicious code set up persistent backdoors that used encrypted communication channels for sustained access.

The persistence techniques employed by this threat actor demonstrated an advanced understanding of system administration and network security protocols.

The malware utilized a combination of registry alterations and scheduled task creation to guarantee uninterrupted operation through system restarts.

Analysis of the code uncovered obfuscated PowerShell scripts that executed at regular intervals to check for network connectivity and update command-and-control server addresses dynamically.

```powershell
# $data holds a base64-encoded string supplied earlier in the script
$encoded = [System.Convert]::FromBase64String($data)
# turn the raw bytes back into PowerShell source text
$decoded = [System.Text.Encoding]::UTF8.GetString($encoded)
# run the reconstructed text, so the real command never appears on disk in clear form
Invoke-Expression $decoded
```

Evading detection mechanisms included the use of anti-analysis strategies such as environment checks, sandbox detection, and runtime packing.

The malware continually altered its file signatures and employed living-off-the-land tactics, using legitimate system tools such as PowerShell and Windows Management Instrumentation to carry out malicious operations while masquerading as normal system processes.
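The decode-then-execute pattern quoted above is one of the easier living-off-the-land tricks to catch in PowerShell script block logging. The following is an added example, not code from the article or from the Korean authorities: a small triage check that scans constructed Event ID 4104-style log lines (the log format and the base64 payloads are constructed, and the payloads decode to harmless commands) for a `FromBase64String` call paired with `Invoke-Expression`/`iex`, and recovers the embedded command, trying UTF-8 and then UTF-16LE, the encoding `[Text.Encoding]::Unicode` and `-EncodedCommand` use.

```python
import base64
import re

# Constructed PowerShell script-block log lines (Event ID 4104 style), not telemetry from
# the case above; the base64 literals decode to harmless commands.
SAMPLE_LOGS = [
    "4104 ScriptBlockText=Get-ChildItem C:\\Users | Measure-Object",
    "4104 ScriptBlockText=$data='R2V0LURhdGU='; $encoded = [System.Convert]::FromBase64String($data); "
    "$decoded = [System.Text.Encoding]::UTF8.GetString($encoded); Invoke-Expression $decoded",
    "4104 ScriptBlockText=iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('R2V0LVByb2Nlc3M=')))",
    "4104 ScriptBlockText=Invoke-Expression ([Text.Encoding]::Unicode.GetString("
    "[Convert]::FromBase64String('RwBlAHQALQBEAGEAdABlAA==')))",
    "4104 ScriptBlockText=Write-Output 'nightly backup finished'",
]

DECODE_CALL = re.compile(r"FromBase64String", re.IGNORECASE)
EXEC_CALL = re.compile(r"\b(?:Invoke-Expression|iex)\b", re.IGNORECASE)
# A quoted base64 literal long enough to carry a command rather than a short flag value.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{8,}={0,2})['"]""")

def decode_payloads(block):
    """Decode each quoted base64 literal, trying UTF-8 then UTF-16LE (what
    [Text.Encoding]::Unicode and -EncodedCommand use); skip non-text results."""
    payloads = []
    for match in B64_LITERAL.finditer(block):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        for encoding in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if text.isprintable():  # UTF-16LE bytes "decode" as UTF-8 with NULs; reject those
                payloads.append(text)
                break
    return payloads

def analyze_script_block(block):
    """Flag a block that base64-decodes data and feeds it to Invoke-Expression/iex."""
    if not (DECODE_CALL.search(block) and EXEC_CALL.search(block)):
        return None
    return {"technique": "base64 decode piped to Invoke-Expression", "decoded": decode_payloads(block)}

def scan_logs(lines):
    """One finding per suspicious script block, in log order; text before ScriptBlockText= is metadata."""
    results = (analyze_script_block(line.partition("ScriptBlockText=")[2]) for line in lines)
    return [finding for finding in results if finding is not None]
```

Run over the constructed lines, `scan_logs(SAMPLE_LOGS)` flags the three encoded blocks and skips the two ordinary commands; in production the same check would read the ScriptBlockText field from the Microsoft-Windows-PowerShell/Operational log.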

The successful extradition marks a significant achievement for international collaboration against cybercrime, with Korean authorities coordinating closely with Thai officials, Interpol, and the Southeast Asia Cooperation Network to locate and apprehend the suspect in a mere four months after his arrival in Thailand.
