
    Hybrid Geopolitical Campaign Targeting South Korean Financial Services with Qilin RaaS



    The ‘Korean Leaks’ operation marks one of the most significant hybrid geopolitical cyber campaigns seen in 2025, combining the machinery of a major Ransomware-as-a-Service platform with the strategic intent of a state-linked threat actor. The result was a tightly coordinated supply chain attack that struck South Korea’s financial sector with unusual speed and scale.

    Bitdefender’s Threat Debrief for October 2025 first identified the anomaly. South Korea, typically far down the ranking of ransomware victims, suddenly became the second most-targeted country with 25 victims in a single month. The surge was attributed entirely to Qilin, a prolific RaaS group that has dominated victim statistics for months. With the exception of a single construction firm, the affected organisations were almost all financial services businesses, asset management companies in particular. The concentration of victims in one country and one sector immediately indicated a deliberate, highly orchestrated campaign.

    Qilin, despite its name referencing a Chinese mythological creature, aligns closely with the operational profile of Russian cybercriminal enterprises. Its operators run a traditional RaaS model, taking 15 to 20 per cent of profits while affiliates carry out the intrusions. Qilin’s political rhetoric, promoted through its Dedicated Leak Site (DLS), positions the group as quasi-activist, matching predictions that hacktivist narratives would blend with financially motivated ransomware. The group has claimed almost 1,000 victims to date, which points to profit-driven operations; the political framing is better read as a strategic branding tool that also shapes targeting decisions.

    Attribution becomes more complex when examining affiliates. Qilin’s network includes highly varied partners, including collaborations with Scattered Spider. Most revealing was the early-2025 emergence of Moonstone Sleet, a North Korea-linked actor, as a Qilin affiliate. This confirmed another emerging trend: state-sponsored groups using criminal RaaS platforms to merge espionage goals with criminal operational infrastructure. Such partnerships provide lucrative funding streams, operational cover and plausible deniability for state actors.

    Moonstone Sleet’s activity pattern further supported suspicions. After a brief period of low activity, typical of groups preparing large-scale attacks, a wave of data-leak publications began appearing on Qilin’s DLS. These disclosures aligned closely with North Korean strategic interests and reflected the long preparation cycle typical of advanced campaigns.

    The Korean Leaks operation unfolded in three publication waves. Qilin claimed 33 victims, with 28 publicly documented, and released nearly 300 photos of exfiltrated documents as proof of compromise. Although most posts lacked detailed data volumes, confirmed leaks accounted for over 1 million files and more than 2TB of stolen information. The true scale is likely far greater.

    Language analysis of Qilin’s posts revealed a shift in tone from standard extortion messaging to overt political propaganda, aimed not just at the victims but at the entire South Korean financial system. This political angle first appeared in an August 2025 post that referenced preparing intelligence reports for Kim Jong-un, an unusually explicit geopolitical signal. Subsequent posts moved away from North Korea but retained a strong anti–South Korean narrative, suggesting internal disagreements between Qilin’s operators and affiliates over the ideological content.

    Wave 1 launched on 14 September 2025 with the coordinated release of ten financial-sector victims. Messaging framed the campaign as a civic exposure of corruption and urged Korean authorities and journalists to investigate the leaked files. Wave 2, published from 17 to 19 September, escalated the tone into systemic threats claiming the attackers could cause a national market crisis. The campaign framed itself as justification for investors to withdraw funds from the Korean stock market.

    Wave 3 began on 28 September and initially maintained the aggressive systemic narrative. Midway through the wave, however, the messaging abruptly reverted to traditional extortion aimed at individual companies, indicating either a strategic recalibration or internal disagreement. A final financial-sector victim appeared on 22 October with over 1TB of stolen data but without the Korean Leaks branding, signalling that the campaign had concluded. Several victim posts were removed from the DLS shortly after publication, a highly unusual step in double-extortion operations, suggesting bespoke negotiations or internal policy exceptions.

    The tight clustering of victims in a single financial niche pointed to a shared underlying weakness. Three primary hypotheses were tested: compromise of a managed service provider (MSP) shared by the victims, exploitation of a new vulnerability common to asset management systems, or acquisition of a large set of valid corporate credentials. The first hypothesis was the most plausible and was corroborated on 23 September by Korea JoongAng Daily, which reported that more than 20 asset management firms were breached through a common IT service provider supporting their internal systems. An MSP compromise accounts for the scale, speed and consistency evident across the attack waves.

    The Korean Leaks campaign illustrates a broader problem: the industry focuses heavily on upstream software supply chain compromises, while the more common and operationally practical threat is the compromise of third-party service providers with privileged access to multiple customers. This approach is especially attractive for RaaS affiliates seeking rapid, clustered impact.

    For organisations defending against similar threats, defence in depth remains essential. Multi-factor authentication should be enforced on every remote and privileged account, including the accounts a service provider uses to reach customer systems. Role-based access control must limit vendor access to the functions the contract actually requires, and network segmentation should isolate critical systems so that a compromised provider account cannot move laterally at will. EDR, XDR and, where needed, MDR services are crucial for early detection and response. A more advanced approach disrupts the attacker’s playbook with technologies such as Proactive Hardening and Attack Surface Reduction, which introduce unpredictability into scripted intrusion workflows. Finally, enterprises must continually validate and operationalise the controls they already own; misconfigurations and security features left dormant remain among the most common root causes of breaches.
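    The vendor-access controls above (MFA on provider accounts, role-based scoping, segmentation, and periodic validation of what is actually in place) only work if someone checks them. The following is an added example, not code from Bitdefender or from any product named on this page: it audits an inventory of third-party access grants against a per-vendor policy and flags the conditions an MSP compromise would exploit. The grant inventory, vendor names, role names, subnets and the 30-day and 90-day thresholds are all constructed for illustration.

```python
"""Audit third-party (MSP/vendor) access grants against a least-privilege policy.

Added example; not code from the Bitdefender report or any vendor product.
The grant inventory, vendor names, subnets and thresholds below are constructed
for illustration and are assumptions, not data from the Korean Leaks campaign.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network
from typing import Dict, List, Optional, Set

# Roles that amount to tenant-wide control; a vendor should never hold these
# as standing grants (assumed role names).
PRIVILEGED_ROLES = {"domain-admin", "global-admin", "backup-admin", "hypervisor-admin"}

DORMANT_AFTER = timedelta(days=90)


@dataclass
class AccessGrant:
    account: str
    vendor: str
    roles: Set[str]
    mfa_enforced: bool
    expires_at: Optional[datetime]        # None = standing access
    reachable_subnets: List[str]          # CIDRs reachable from the vendor's jump path
    last_used: Optional[datetime]         # None = never used


# Per-vendor contract: the only roles and network segments the vendor needs.
VENDOR_POLICY = {
    "msp-itops": {
        "allowed_roles": {"server-operator", "helpdesk"},
        "allowed_subnets": [ip_network("10.20.0.0/16")],   # management VLAN only
        "max_grant_days": 30,
    },
}


def audit_grant(grant: AccessGrant, policy: dict, now: datetime) -> List[str]:
    """Return a list of policy violations for one grant (empty list = compliant)."""
    findings = []
    contract = policy.get(grant.vendor)
    if contract is None:
        # An access path with no owning contract is itself the finding.
        return ["no vendor policy on file: access is unaccounted for"]

    if not grant.mfa_enforced:
        findings.append("MFA not enforced on vendor account")

    excess = grant.roles - contract["allowed_roles"]
    if excess:
        findings.append(f"roles beyond contract: {sorted(excess)}")
    if grant.roles & PRIVILEGED_ROLES:
        findings.append("standing privileged role; should be just-in-time only")

    if grant.expires_at is None:
        findings.append("no expiry: standing access")
    elif grant.expires_at - now > timedelta(days=contract["max_grant_days"]):
        findings.append("grant lifetime exceeds policy maximum")

    # Segmentation check: every reachable CIDR must sit inside an allowed segment.
    for cidr in grant.reachable_subnets:
        net = ip_network(cidr)
        if not any(net.subnet_of(allowed) for allowed in contract["allowed_subnets"]):
            findings.append(f"reaches segment outside contract: {cidr}")

    # A vendor account nobody uses is a dormant control waiting to be abused.
    if grant.last_used is None or now - grant.last_used > DORMANT_AFTER:
        findings.append("dormant: unused for 90+ days, revoke")
    return findings


def run_audit(now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Audit a constructed inventory and return {account: [findings]}."""
    now = now or datetime(2025, 10, 1, tzinfo=timezone.utc)
    inventory = [  # constructed sample grants
        AccessGrant("svc-msp-ops1", "msp-itops", {"server-operator"}, True,
                    now + timedelta(days=14), ["10.20.5.0/24"], now - timedelta(days=2)),
        AccessGrant("svc-msp-ops2", "msp-itops", {"server-operator", "domain-admin"}, False,
                    None, ["10.20.0.0/16", "10.30.0.0/16"], now - timedelta(days=1)),
        AccessGrant("svc-legacy-vendor", "old-msp", {"helpdesk"}, True,
                    None, ["10.20.0.0/16"], None),
    ]
    return {g.account: audit_grant(g, VENDOR_POLICY, now) for g in inventory}


if __name__ == "__main__":
    for account, findings in run_audit().items():
        print(f"{account}: {'OK' if not findings else '; '.join(findings)}")
```

    In the constructed inventory, the first account is compliant, the second carries a standing domain-admin role without MFA and reaches a segment the contract never granted (the pattern that turns one compromised provider into dozens of victims), and the third has no policy on file at all, which is reported as a finding rather than silently accepted. Run against a real inventory exported from an identity provider or PAM tool, the same checks give a repeatable answer to the last point above: whether the controls the organisation believes it has are actually in force.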

    The Korean Leaks operation underscores the evolving intersection of cybercrime, geopolitics and commercial ransomware ecosystems. As RaaS groups continue to professionalise and collaborate with state-linked actors, the line between criminal enterprise and geopolitical influence campaign grows increasingly thin.
