
KT Corp., one of the nation's major wireless carriers, estimates losses of around 170 million won ($122,305) after unauthorized micro-payments were routed through rogue micro base stations.
Reports of fraudulent transactions surfaced on Aug. 26, with attacks spanning from Seoul's Geumcheon district to southern Gyeonggi Province. As cases multiplied rapidly, the Gyeonggi cyber police launched a full investigation on Sept. 6, followed by a joint government-private investigation.
Investigators traced the fraud to unregistered femtocells – portable miniature base stations that had infiltrated KT's network.
"This security breach is an extremely critical matter directly tied to public trust in telecommunications services that are part of our daily lives," said Science and ICT Minister Bae Kyung-hoon, visiting KT headquarters in Gwanghwamun, downtown Seoul, Thursday.
Unlike past scams that relied on malicious apps or phishing links, the scheme puzzled investigators: victims reported charges they had never made, while their devices had never been infected.
Instead, hackers are suspected of exploiting low-power base stations often used to resolve coverage blind spots. Operated from moving vehicles, the rogue femtocells could explain the broad geographic spread of reports.
The fraudulent signals proved stronger than KT's legitimate nearby base stations. Since mobile phones automatically connect to the strongest available signal, users' devices were silently hijacked.
"Think of it similar to Wi-Fi signals. Our phones automatically connect to Wi-Fi with faster internet, right? It's the same for radio frequencies for phones, that's why these virtual base stations gain control over other phones as they get closer to the victims," said Hwang Suk-jin, a professor at Dongguk University's Graduate School of International Affairs and Information Security.
Kim suspected the criminals could have driven vans equipped with the rogue femtocells, intercepting one-time verification codes to log into users' online accounts.
"They could easily shop online and purchase digital coupons without leaving any traces," Kim said.
While femtocell exploits have been documented abroad, intercepting authentication codes to authorize payments marks a troubling new twist in Korea.
Because most digital verification in South Korea still relies on text messages — from online shopping to tax filing — the attack highlights structural vulnerabilities. Experts warn that, with more effort, hackers might even have penetrated PASS, Korea's near-universal mobile verification app.

There had been earlier warnings. Just weeks ago, rival SK Telecom was slapped with a record fine for failing to protect the personal data of more than 23 million subscribers, as regulators found the company negligent in basic cybersecurity practices and oversight.
KT, meanwhile, did not formally acknowledge the rogue femtocell intrusion until Sept. 9, when it reported the incident to the Korea Internet & Security Agency (KISA). By that point, the damage had spread beyond initial hotspots, placing the country’s entire telecom sector on high alert.
Cybersecurity experts argue that encrypting radio frequencies from the outset and regularly updating encryption algorithms are critical to preventing such intrusions. Extending end-to-end encryption into the core network would help close off vulnerabilities, they add.
"There should also be no gaps where base stations decrypt data," emphasized Hwang of Dongguk University. "If base stations simply transmit, verification remains intact. But once they decrypt, it opens the door to exploitation. Femtocells themselves should not handle passwords," Hwang said.
Action is urgent, experts warn, as exploitation via ghost base stations can compromise not only mobile payments but also government authentication systems, including tax and mortgage verifications.
Copyright ⓒ Aju Press All rights reserved.