368 users lost ₩240 million as hackers exploited rogue femtocells; regulators probe telecom security gaps.
KT Corp., one of South Korea’s leading telecom operators, has uncovered 20 illegal micro base stations suspected of being used to carry out unauthorized mobile payment breaches, widening the scope of one of the country’s most significant telecom fraud cases.
The company confirmed that 368 users suffered a total loss of 240 million won (US$169,300) through fraudulent micropayments made via its network. The finding marks a sharp escalation from the initial discovery of only four rogue base stations, suggesting that the breach was far more extensive and organized than first believed.
Network-Wide Audit and Findings
KT said it conducted a sweeping internal review covering 150 million mobile payment transactions between August 2024 and September 2025. Engineers also analyzed over 4 trillion network access records to trace suspicious activity from illegal femtocells — compact base stations typically used to improve indoor signal coverage.
The investigation uncovered 20 unauthorized femtocell IDs that had accessed KT’s network, connecting with roughly 22,200 devices. Of those, 368 users experienced actual financial damage from unauthorized micropayments.
Micropayments refer to small digital purchases made through automated response systems (ARS) or text messaging (SMS). KT clarified that the breach was limited to micropayments and did not involve direct carrier billing (DCB) transactions. The company said it blocked all suspicious payment channels as of September 5 and has reported no further unauthorized activity.
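The audit above narrows from unauthorized femtocell IDs, to devices that connected to them, to users with actual losses. The Python sketch below is an added example, not KT's tooling, and runs that funnel over constructed records; the record layout, the IDs, the inventory allowlist and the 30-minute correlation window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All data is constructed for illustration; the field layout, IDs and the
# 30-minute correlation window are assumptions, not the operator's method.
REGISTERED = {"FC-1001", "FC-1002"}            # femtocell inventory (allowlist)
ACCESS = [                                     # (device, femtocell ID, attach time)
    ("dev-A", "FC-1001", "2025-08-01T02:10"),
    ("dev-B", "FC-9001", "2025-08-01T03:05"),
    ("dev-C", "FC-9001", "2025-08-01T03:07"),
    ("dev-D", "FC-9002", "2025-08-02T04:20"),
]
PAYMENTS = [                                   # (device, channel, KRW, time)
    ("dev-A", "SMS", 5000, "2025-08-01T02:15"),   # attached to a registered cell
    ("dev-B", "ARS", 99000, "2025-08-01T03:12"),  # 7 min after unregistered attach
    ("dev-C", "SMS", 30000, "2025-08-03T12:00"),  # exposed, but outside the window
]
WINDOW = timedelta(minutes=30)

def rogue_attachments(access, registered):
    """Map each femtocell ID missing from the inventory to its attach events."""
    hits = defaultdict(list)
    for device, cell, when in access:
        if cell not in registered:
            hits[cell].append((device, datetime.fromisoformat(when)))
    return dict(hits)

def flag_payments(access, payments, registered, window=WINDOW):
    """Payments made within `window` after an attach to an unregistered cell."""
    attaches = defaultdict(list)
    for events in rogue_attachments(access, registered).values():
        for device, when in events:
            attaches[device].append(when)
    flagged = []
    for device, channel, amount, when in payments:
        paid = datetime.fromisoformat(when)
        if any(timedelta(0) <= paid - a <= window for a in attaches.get(device, [])):
            flagged.append((device, channel, amount))
    return flagged

def audit_summary(access, payments, registered):
    """Funnel: unregistered IDs -> exposed devices -> devices with flagged loss."""
    rogue = rogue_attachments(access, registered)
    flagged = flag_payments(access, payments, registered)
    return {
        "rogue_ids": sorted(rogue),
        "exposed_devices": sorted({d for ev in rogue.values() for d, _ in ev}),
        "victims": sorted({d for d, _, _ in flagged}),
        "loss_krw": sum(amount for _, _, amount in flagged),
    }
```

Exposure and loss are counted separately here, which is why the number of connected devices can be far larger than the number of users with financial damage.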
Rogue Base Stations and Expanding Probe
Authorities said the first unauthorized connections were detected in October 2024, initially in Seoul and nearby regions before spreading to Gangwon Province. A joint public-private investigation team later identified additional illegal base station IDs, indicating a larger and coordinated operation targeting KT’s network infrastructure.
These rogue base stations, or fake femtocells, impersonated KT’s legitimate network, tricking nearby smartphones into connecting automatically. Once connected, hackers reportedly initiated unauthorized micropayments, later converting them into cash through intermediaries.
Arrests and Ongoing Investigation
Police have arrested two Chinese nationals believed to be behind the operation. A 48-year-old suspect allegedly drove around Gwangmyeong and Seoul’s Geumcheon District, operating illegal portable base stations during early morning hours to capture mobile connections.
A 44-year-old accomplice is accused of laundering around 200 million won (US$141,000) by converting fraudulent payment records into cash and transferring most of the money to China. Both were charged under Korea’s Information and Communications Network Act and Fraud Prevention Law.
Authorities say the investigation is ongoing, with efforts to identify more victims and determine whether the network of illegal base stations extends beyond KT’s system.
Discrepancies in Victim Reports
KT has acknowledged 362 victims, while police have identified around 220, with differences attributed to data verification methods. Officials said the number could rise as more users come forward and as investigators reconcile records from KT, telecom regulators, and payment platforms.
KT said it has shared the results of its audit with the Personal Information Protection Commission (PIPC) and apologized for the delay in its investigation. “We will continue to fully cooperate with the government and police in their ongoing investigation,” the company said in a statement.
Telecom Security and Encryption Under Scrutiny
The breach has renewed debate over telecom network security, especially regarding SMS-based payment systems. KT has faced criticism for allegedly failing to encrypt SMS messages used in micropayment authorization, which could have allowed attackers to intercept or spoof transaction data.
Although KT declined to comment on encryption-related questions, citing the ongoing probe, cybersecurity experts say the case underscores a long-standing issue in Korea’s telecom ecosystem — weak encryption practices and outdated security models that leave payment processes vulnerable to exploitation.
Regulatory Response and Next Steps
The PIPC and the Ministry of Science and ICT have launched joint inspections into KT’s data protection measures and telecom operators’ compliance with encryption and reporting standards. Regulators are now reviewing whether stricter monitoring and real-time reporting requirements should be imposed on telecoms handling mobile payments.
Analysts say the KT breach highlights the growing overlap between telecom infrastructure and financial systems. As mobile billing becomes more integrated with online commerce, telecom firms are increasingly seen as custodians of financial trust, not just connectivity providers.