June 2025 Security Issues in Korean & Global Financial Sector

This report comprehensively covers actual cyber threats and security issues related to financial companies in South Korea and abroad.

This article includes an analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and the industry statistics of leaked Korean accounts on Telegram. A detailed look into the phishing email distribution case targeting the financial sector is also covered.

This report also analyzes the major financial threats and cases observed on the dark web, including credit card data breaches and breaches of financial institutions' databases. It also covers ransomware threats targeting the financial sector, the breaches and damage caused by ransomware infections, and the various cyber threat cases and actual damage that occurred at financial institutions.

Summary of Deep Web and Dark Web Issues Related to the Financial Sector

  • Database Leak Cases

Affected Company: M***.id

The user data of M***, an Indonesian digital payment and reward platform, is being sold on the cybercrime forum LeakBase.

M*** is a digital payment and reward platform operated by Indonesian oil company P***. It offers a variety of services such as fuel payment, reward point accumulation, QR code-based subsidy fuel purchase, promotions, merchant payment, and membership management.

The threat actor (wonder) claims to have obtained the personal data of 44 million M*** users. According to wonder, the data includes customer IDs, customer codes, names, phone numbers, emails, customer types, identification numbers, addresses, contacts, registration dates, account statuses, activation codes, ID types, cities, genders, birthdates, birthplaces, and group IDs. They have also publicly released some of the data, which included a total of 5,948,496 customer records.

This data is suspected to have previously been sold by the threat actor Bjorka on the cybercrime forum BreachForums in November 2022. According to the VOI article, Bjorka sold the entire 30 GB dataset for around $25,000 (approximately 39.2 million KRW).

This incident involved the large-scale data breach of sensitive personal information belonging to 44 million Indonesian users, and the fact that the data was sold for a high price in 2022 increases the likelihood of secondary damages occurring due to the redistribution of the data. The breach is particularly serious because the data includes information that can be used for account takeover and fraud, such as customer identification numbers, account statuses, and activation codes.

Companies that operate similar services should implement more than just measures to prevent data breaches. They should also strengthen their security by implementing real-time protection systems, including account takeover detection, abnormal login notification systems, and access control policies for activated APIs. As the practice of trading and reusing leaked data among threat actors has been increasing, organizations are advised to regularly check for security vulnerabilities related to their breach history and establish specific user protection measures.
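The account takeover detection and abnormal login notification the paragraph above recommends can be illustrated with a small detector. The following is an added example written for this report, not code from the affected company or from the report's authors: it runs two checks over a constructed login log (the CSV format, the user names, the IP addresses and the thresholds are all assumptions): a successful login from a device and a country never seen for that user before, which is a candidate for an abnormal-login notification or step-up authentication, and a burst of failed logins from one source IP against many distinct accounts, which is the credential-stuffing pattern that typically precedes account takeover when leaked credentials are reused.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample login log (not real data). Columns, in order:
# timestamp,user,src_ip,country,device_id,result
SAMPLE_LOG = """\
2025-06-10T08:00:00,u1001,203.0.113.5,ID,dev-a1,success
2025-06-10T08:05:00,u1001,203.0.113.5,ID,dev-a1,success
2025-06-10T09:00:00,u1001,198.51.100.7,RO,dev-z9,success
2025-06-10T09:00:01,u2001,198.51.100.7,RO,dev-z9,failure
2025-06-10T09:00:02,u2002,198.51.100.7,RO,dev-z9,failure
2025-06-10T09:00:03,u2003,198.51.100.7,RO,dev-z9,failure
2025-06-10T09:00:04,u2004,198.51.100.7,RO,dev-z9,failure
2025-06-10T09:00:05,u2005,198.51.100.7,RO,dev-z9,failure
2025-06-10T09:00:06,u2006,198.51.100.7,RO,dev-z9,failure
2025-06-10T10:00:00,u3001,192.0.2.44,ID,dev-c3,success
"""

FIELDS = ["timestamp", "user", "src_ip", "country", "device_id", "result"]


def parse_events(text):
    """Parse the constructed CSV login log into event dicts, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    events.sort(key=lambda e: e["timestamp"])
    return events


def detect_new_device_and_country(events):
    """Flag a successful login whose device AND country have never been seen
    for that user. A user's very first login is not flagged, since there is
    no history to compare against."""
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        user = e["user"]
        has_history = bool(seen_devices[user])
        new_device = e["device_id"] not in seen_devices[user]
        new_country = e["country"] not in seen_countries[user]
        if has_history and new_device and new_country:
            alerts.append({"user": user, "src_ip": e["src_ip"],
                           "country": e["country"], "device_id": e["device_id"],
                           "timestamp": e["timestamp"].isoformat()})
        seen_devices[user].add(e["device_id"])
        seen_countries[user].add(e["country"])
    return alerts


def detect_credential_stuffing(events, window_seconds=60, min_accounts=5):
    """Flag a source IP whose failed logins hit at least `min_accounts`
    distinct users inside a sliding window of `window_seconds`. One alert per
    IP, raised at the first time the threshold is crossed (assumed thresholds)."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, fails in failures_by_ip.items():  # fails is already time-ordered
        start = 0
        for end in range(len(fails)):
            while (fails[end]["timestamp"] - fails[start]["timestamp"]).total_seconds() > window_seconds:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts.append({"src_ip": ip, "distinct_users": len(users),
                               "window_start": fails[start]["timestamp"].isoformat()})
                break
    return alerts


def analyze(text):
    """Run both detectors over a login log and return their alerts."""
    events = parse_events(text)
    return {"abnormal_logins": detect_new_device_and_country(events),
            "credential_stuffing": detect_credential_stuffing(events)}


if __name__ == "__main__":
    for kind, alerts in analyze(SAMPLE_LOG).items():
        for a in alerts:
            print(kind, a)
```

On the constructed log the first detector flags u1001's third login (new device dev-z9 from RO after two logins from dev-a1 in ID), and the second flags 198.51.100.7 once five distinct accounts have failed within the window. In production the per-user device and country history would come from a store rather than from the log being scanned, and the thresholds would be tuned against the institution's own baseline of false positives.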
Figure 1. Post on LeakBase Forums about selling data of affected companies

  • Ransomware: Everest

Affected Company: j***.com

The ransomware group Everest claimed responsibility for the attack on the Jordanian bank, J*** Bank.

J*** Bank is a bank in Jordan established in 1976, providing services such as deposits, loans, credit cards, foreign exchange, asset management, investment products, lease finance, international and domestic payments, and Internet and mobile banking.

The group claimed to have stolen 11.7 GB of internal company data and stated that the leaked data includes 1,003 employee records and trade secrets. They warned that they would release all of the data if their demands were not met and published a sample of it. They also shared a download link, and a 12.1 GB compressed file is currently available for download.

This attack shows that even institutions such as banks, which require a high level of security, can suffer a large-scale leak of internal secrets and employee information. In particular, the 12.1 GB size of the compressed file suggests that multiple business systems may have been breached. The case is a warning of the threats to which the entire digital finance environment, including internet and mobile banking services, is exposed. It also highlights that the affected industry must not only prevent external breaches but also review its internal defenses as a whole, including proper privilege separation between internal systems, restricted access to sensitive information, and stronger two-factor authentication. Furthermore, as threat actors increasingly use stolen data to apply pressure during ransomware negotiations, organizations need breach response scenarios that assume data may be leaked. When a bank becomes the target of an attack, it must be able to activate its strategic response system immediately; to achieve this, banks need to conduct regular training exercises and automate their incident response processes.
Figure 2. Companies affected by the Everest ransomware group, as posted on the DLS
MD5

0951f60ff64db5f868301e3285a49231
26b1a8a50619f48acd83e82a350d1c93
32461959d06379eb8fd1c519c0061526
58008524a6473bdf86c1040a9a9e39c3
731ec6a703aeec7fe4c45691bd79d969
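The MD5 values above are indicators of compromise; the usual defensive use is to sweep file systems or quarantine folders for files whose hash matches one of them. The following is an added example written for this report, not a tool from the report's authors: it copies the five hashes verbatim into a set, hashes files in chunks so large archives do not have to fit in memory, walks a directory, and reports exact matches. The `demo()` function exercises it on a constructed file (content `b"abc"`, an assumption) so the block runs offline; the directory path and the tolerance for unreadable files are the author's choices.

```python
import hashlib
import os
import sys
import tempfile

# MD5 indicators of compromise as listed on the page (copied verbatim).
IOC_MD5 = frozenset({
    "0951f60ff64db5f868301e3285a49231",
    "26b1a8a50619f48acd83e82a350d1c93",
    "32461959d06379eb8fd1c519c0061526",
    "58008524a6473bdf86c1040a9a9e39c3",
    "731ec6a703aeec7fe4c45691bd79d969",
})


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs=IOC_MD5):
    """Walk `root` and return (path, md5) for every file whose MD5 is in `iocs`.
    Unreadable files are skipped so one locked file does not abort the sweep."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                matches.append((path, digest))
    return matches


def demo():
    """Self-contained check on a constructed file: the report's IoC set must
    not match it, while an IoC set containing the file's own hash must."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "constructed_sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"abc")  # constructed content; MD5 is 900150983cd24fb0d6963f7d28e17f72
        sample_md5 = md5_of_file(sample)
        return {
            "sample_md5": sample_md5,
            "hits_against_report_iocs": len(scan_directory(root)),
            "hits_against_own_hash": len(scan_directory(root, {sample_md5})),
        }


if __name__ == "__main__":
    # Usage: python ioc_scan.py /path/to/scan   (no argument runs the demo)
    if len(sys.argv) > 1:
        for path, digest in scan_directory(sys.argv[1]):
            print(f"MATCH {digest} {path}")
    else:
        print(demo())
```

A hash match is an exact-match signal only: MD5 is fine for comparing against published indicators but is not collision-resistant, so it should not be relied on for integrity guarantees, and a repacked or recompiled sample will not match at all. Treat a hit as grounds to isolate the host and analyze the file, and pair hash sweeps with behavioral detection rather than depending on them alone.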