Police probe KT after subscribers targeted in mass small-payment fraud
The photo shows a KT store in Seoul on Sept. 10. [YONHAP]
Police are investigating KT after a mass small-payment fraud targeting the telco’s users, which involved connecting customer phones to illegal gadgets. Criticism is surging on suspicion that KT knowingly withdrew its report.
KT had reported on Monday that some customers may have been connected to unauthorized micro base stations rather than legitimate KT towers, according to the Korea Internet & Security Agency (KISA) on Wednesday. Hackers are suspected of using these fake stations to harvest personal data and carry out unauthorized transactions.
The Ministry of Science and ICT stated on Wednesday that it is investigating whether the rogue networks facilitated fraudulent small payments. KT confirmed 278 cases as of Wednesday, with damages totaling 170 million won ($122,000).
The method is unprecedented in Korea, although similar attacks have been reported overseas. In April, Thai police arrested a Hong Kong-based group that concealed portable base stations in backpacks to blast phishing texts to visitors at a shopping mall.
More advanced operations have also emerged. In May, Turkish authorities reported that a Chinese spy network had tapped calls from political figures using counterfeit base stations. Security experts warn that simply relocating such equipment could quickly lead to additional attacks.
Ministry of Science and ICT Second Vice Minister Ryu Je-myung speaks during a briefing at Government Complex Seoul in central Seoul on Sept. 10. [NEWS1]
Despite the scale of the incident, KT failed to act promptly. The first reports came on Aug. 27, but until Sept. 4 — after local media coverage — KT insisted it had detected no irregularities.
Police initially assessed the case as ordinary smishing, or phishing through fake text messages, when they received reports on Sept. 1 and 2. KT began emergency meetings only after media reports on Sept. 5 and detected anomalies on the afternoon of Sept. 8. The company filed a report with KISA later on Sept. 8 and restricted access to new base station networks on Tuesday, Sept. 9, but by then, another 74 users had fallen victim and lost 45.8 million won.
After receiving the complaints, police contacted KT’s headquarters, branches and relay stations on Sept. 1 and 2. But KT responded that “it is impossible” for the company to have been hacked.
On Wednesday, Rep. Hwang Jung-a of the Democratic Party, who sits on the National Assembly’s Science, ICT, Broadcasting and Communications Committee, also released KT’s report, which was submitted to KISA. In the report, KT stated that it “found no abnormal signs before recognizing the damage.”
The disclosure fueled suspicions that KT may have delayed reporting the incident, despite being aware of it. The Act on Promotion of Information and Communication Network Utilization and Information Protection requires service providers to notify KISA or the Science Ministry within 24 hours of detecting a breach, such as hacking.
KT denied intentionally delaying its report.
People walk past a KT store in western Seoul on Sept. 10. [KIM JONG-HO]
“We did detect the ID of an illegal micro base station, but we could not conclude it was a hack,” the company said. “It is difficult to say with certainty that attackers used the base station to steal personal information. This appears to be a new type of smishing scheme that intercepts customers’ ARS verification calls. Since we found no evidence of an internal server breach, we do not consider it hacking.”
A senior police officer with experience in telecom security investigations offered a different view.
“The fact that attackers could lure victims into connecting through a phantom base station shows that KT’s network security is extremely poor,” the officer said. “Information leaked without any action by the victims, which means this is hacking, not smishing.”
Experts also questioned whether rogue base stations alone could be responsible for the fraud.
“Intercepting base stations can only reveal phone numbers or message patterns. That alone cannot bypass the authentication required for small payments,” said Kim Hwan-kuk, a professor of information security and cryptography at Kookmin University, explaining that, unlike legitimate base stations, which carry official identifiers, rogue stations lack such identifiers and cannot transmit information to payment servers.
“There must have been another route for additional personal data to be leaked,” Kim said. “This kind of damage could not have occurred without a combination of techniques.”
An official at the Gyeonggi Nambu Provincial Police Agency said investigators are exploring multiple possibilities.
“It seems unlikely that fake base stations alone account for this case,” the official said. “The method is clearly different from ordinary smishing, and we are keeping all options open.”
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY OH SO-YEONG