Near-monthly breaches rocked South Korea in 2025—deepfakes, rogue base stations,...
South Korea’s world-class internet and tech prowess collided with a relentless wave of near-monthly cyber incidents in 2025, exposing a reactive, fragmented defense posture unfit for a nation at the core of global digital supply chains. From telecom giants and financial institutions to government-adjacent targets, the impacts were sweeping—forcing an urgent rethink at the highest levels of power.
### Key revelations
- A near-monthly drumbeat of major incidents spotlighted systemic coordination gaps and the absence of a clear cyber “first responder,” amplifying risk across critical sectors.
- Experts warned that reactive governance, siloed agencies, and a deep talent shortage created a vicious cycle where quick fixes replaced durable resilience.
- A late-year pivot toward interagency centralization from the presidential office aims to accelerate response—while raising new debates over oversight and accountability.
### 2025 timeline at a glance
- January: GS Retail breach exposed about 90,000 customers’ personal data after sustained website attacks straddling the New Year period.
- February: Wemix (Wemade) lost $6.2 million to a hack on Feb. 28, with disclosure delayed until March, fueling investor anxiety.
- April–May: SK Telecom’s mega-breach compromised data for roughly 23 million customers, triggering mass SIM replacements and a protracted fallout.
- June: Yes24 was crippled by ransomware on June 9, with services down for days before restoration by mid-month.
- July: North Korea–linked Kimsuky used AI-generated deepfake images in spear-phishing against defense-related entities, marking a chilling escalation in tradecraft.
- July: Seoul Guarantee Insurance suffered ransomware that paralyzed core guarantee services, stranding customers and markets in uncertainty.
- August: Yes24 was hit again; Lotte Card lost around 200GB of data affecting roughly 3 million customers over 17 undetected days; a Welcome Financial affiliate faced Russian-linked claims of over 1TB exfiltration.
- September: KT disclosed a breach via illegal “fake base stations,” exposing thousands to IMSI/IMEI capture and unauthorized micro-payments—a first-of-its-kind shock to telecom trust.
### Why the defenses cracked
South Korea’s cyber governance spanned multiple ministries and regulators that too often scrambled in parallel, deferring to one another instead of operating as a single, empowered crisis unit. The result was slower containment, mixed messaging, and a pattern of incident-driven fixes rather than systemic hardening aligned to national critical infrastructure priorities.
### Expert alarm
Industry leaders argue the nation treats cybersecurity as episodic crisis management, not as a cornerstone of national resilience, starving long-term investments in architecture and skills. The chronic shortage of trained defenders compounds exposure—without skilled talent, proactive defenses and sustained threat hunting simply cannot scale.
### A government pivot
Responding to the compounding shocks, the National Security Office advanced a “comprehensive” interagency cyber plan led from the presidential office to cut through silos and accelerate incident response. Regulators also signaled new legal powers to investigate at the first hint of compromise—even absent a company report—to finally close the first-responder gap.
### Oversight debate
Central control promises speed, but concentrating authority risks politicization and overreach if not paired with independent checks, experts caution. A hybrid model—central strategy and crisis coordination with technical execution by specialist agencies like KISA under clearer rules—emerges as the balanced path forward.
### Threats redefining the battlefield
- AI-powered deception: Kimsuky’s deepfake military IDs supercharge spear-phishing, fusing social engineering with synthetic media to breach high-trust environments.
- Telecom edge abuse: From mass data theft at SK Telecom to KT’s rogue base-station exploitation, attackers are increasingly weaponizing the seams between IT, subscriber identity, and network access.
- Ransomware resiliency gaps: Repeat hits against Yes24 and disruptive attacks on financial rails like SGI reveal operational weak points and recovery shortfalls under sustained pressure.
### What must change now
- Establish a single operational first responder with clear legal authority to coordinate, compel action, and communicate consistently across ministries and sectors in real time.
- Fund workforce pipelines and retainers for surge capacity, ending the quick-fix cycle and enabling continuous threat hunting and architecture hardening in telecom and finance.
- Mandate fast, standardized disclosure and post-incident audits to drive sector-wide learnings and public trust following large-scale breaches.