
The Korean Leaks – Analyzing the Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS


TL;DR The "Korean Leaks" campaign showcases a sophisticated supply chain attack against South Korea's financial sector. This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet) leveraging Managed Service Provider (MSP) compromise as the initial access vector. 

The Statistical Anomaly: South Korea’s Sudden Ransomware Surge 

When preparing data for the Bitdefender Threat Debrief | October 2025, we noticed a significant departure from established ransomware trends. The top-five most impacted countries are consistently the US, Canada, and major Western European nations. However, for this period, South Korea (KR) suddenly became the second most-targeted country, with 25 victims claimed in a single month. 


Monthly count of ransomware victims in South Korea (September 2024 – September 2025), highlighting the unusual spike in September 2025 

This anomaly prompted an immediate investigation. Our initial analysis quickly revealed that the entire surge was attributed exclusively to the Qilin ransomware group. We also observed a high degree of industry focus: with the exception of one construction firm, every victim was in the financial services sector. 

This strong concentration in one country and one sector signals a highly targeted, purposeful campaign, and we decided to investigate the whole operation. 
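The check that started this investigation, reproduced as an added example (not Bitdefender's tooling or data): a robust spike detector over constructed monthly leak-site counts, followed by the group and sector breakdown that exposed the single-group, single-sector concentration. All records below are constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed DLS victim records: (month, country, ransomware group, sector, number of posts).
# Illustrative data only, not the Threat Debrief data set.
SAMPLE = [
    ("2025-06", "US", "Qilin", "manufacturing", 30),
    ("2025-06", "KR", "Akira", "retail", 2),
    ("2025-07", "US", "Qilin", "healthcare", 28),
    ("2025-07", "KR", "Qilin", "manufacturing", 1),
    ("2025-08", "US", "Akira", "legal", 31),
    ("2025-08", "KR", "Play", "retail", 3),
    ("2025-09", "US", "Qilin", "manufacturing", 29),
    ("2025-09", "KR", "Qilin", "financial services", 24),
    ("2025-09", "KR", "Qilin", "construction", 1),
]


def monthly_counts(records):
    """Victim posts per country per month."""
    counts = defaultdict(Counter)
    for month, country, _group, _sector, n in records:
        counts[country][month] += n
    return counts


def spike_scores(records, month):
    """Robust z-score (median / MAD) of `month` against each country's earlier months.
    A zero MAD is floored to 1 so a perfectly flat baseline still yields a finite score."""
    scores = {}
    for country, by_month in monthly_counts(records).items():
        baseline = [c for m, c in sorted(by_month.items()) if m < month]
        if not baseline:
            continue  # no history to compare against
        med = median(baseline)
        mad = median(abs(c - med) for c in baseline) or 1
        scores[country] = (by_month.get(month, 0) - med) / mad
    return scores


def anomalous_countries(records, month, threshold=3.0):
    """Countries whose count for `month` sits well above their own baseline."""
    return sorted(c for c, s in spike_scores(records, month).items() if s >= threshold)


def breakdown(records, country, month):
    """Who is behind the spike and whom they hit: counts by group and by sector."""
    groups, sectors = Counter(), Counter()
    for m, c, group, sector, n in records:
        if m == month and c == country:
            groups[group] += n
            sectors[sector] += n
    return groups, sectors
```

With the constructed data, KR scores 23 standard deviations above its baseline for 2025-09 while US is flat, and the breakdown attributes every KR post to one group and all but one to financial services.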

Who’s Responsible? 

The group behind this surge is Qilin, which has led our Ransomware-as-a-Service (RaaS) statistics for several months. All claimed victims were posted to their Dedicated Leak Site (DLS) - a private Tor site used by double-extortion groups to publish exfiltrated data and pressure non-paying victims. While named after a Chinese mythological creature, Qilin's origins are likely Russian, following the standard RaaS model. One of the founding members (BianLian) communicates in Russian and English, they are very active in Russian-speaking forums, and the operational rule of avoiding targets in the Commonwealth of Independent States (CIS) is a common characteristic of Russian-based operations. 

What makes Qilin particularly interesting is their self-identification as political activists, as evidenced in their public statements on their leak site. 


Qilin's self-identification as 'political activists' on WikiLeaksV2. WikiLeaksV2 is a public-facing website used to post political manifestos and leak stolen victim data outside the dark web, increasing pressure on targets. 

This makes Qilin a living example of a trend we predicted for 2025: that hacktivism would re-emerge, leveraging ransomware's massive financial leverage. It is possible the 'activist' label began as genuine conviction; however, the power of a leading RaaS platform and its sheer profitability inevitably shifts the focus. The group's sheer scale, with almost 1,000 ransom victims claimed to date, demonstrates a focus on mass revenue generation rather than selective political targeting. Money becomes the chief objective, though their political identity remains a helpful lens to distinguish friends from enemies. 

Operators vs Affiliates 

Ransomware-as-a-Service (RaaS) operates like a gig economy. The main RaaS operators are platform entrepreneurs who provide the branding, software and infrastructure, taking only a small cut of the profits, typically 15% to 20%. The actual hacking is executed by the affiliates - a diverse group of hackers (sometimes calling themselves "involuntary penetration testers") - who, acting like a contractor or freelancer, earn the majority of the money. 

Since the operators are almost exclusively based in Russia, and the affiliates are highly anonymous and varied, attacks are usually attributed to the well-known operator group even though the affiliates are doing the work and keeping the largest profit. Our next step was therefore to analyze the true attackers, not the group that posted the public threat. 

Tracking Qilin's individual hackers (affiliates) is extremely difficult, as their numbers and nationalities are kept secret, and members constantly shift allegiances. Qilin has proven willing to collaborate with diverse partners, including the infamous English-speaking Scattered Spider group.

The most surprising partnership began in early 2025, when Moonstone Sleet, a hacking group tied directly to North Korea, signed on as a Qilin affiliate. We're going to call "bingo" on our second 2025 prediction here. We predicted that state-sponsored groups (APTs) would start using criminal RaaS platforms, merging espionage with crime. This intentional blurring of threat actor categories helps state actors gain money and inflict great damage while ensuring plausible deniability, making it almost impossible to hold the nation accountable. 

Moonstone Sleet showed only a handful of attacks during their initial experiments with Qilin ransomware. While this quiet period may seem unusual, a dip in consecutive attacks is typical for hackers focusing on a larger campaign. For example, the Cl0p ransomware campaign successfully exploited a vulnerability in December 2024, but the resulting mass of victims only appeared months later, contributing to a victim count that made February 2025 the historical peak for RaaS victim reporting. 

The recent surge in data leak publications from attacks on South Korean businesses is a classic example of a major public spike following a quiet period of preparation, and the targets align perfectly with this state-sponsored group's strategic objectives. Qilin's collaboration with a North Korean threat actor such as Moonstone Sleet in the Korean Leaks campaign is therefore both plausible and probable. 


Korean Leaks 

The campaign that Qilin named "Korean Leaks" was rolled out in three distinct publication waves, and many of their leaks were publicized in September 2025. Of the 33 total victims, 28 are currently public. This campaign focused almost entirely on South Korean financial firms, specifically asset management companies. The subsequent removal of 4 victim posts from the leak site is highly unusual and suggests the results of negotiations or a unique internal policy, as posts typically remain public even after a ransom is paid.  

The attackers provided public proof of the breach by sharing nearly 300 photos of exfiltrated documents on the DLS. However, the true scope of each leak is poorly documented as the majority of victims' posts lack detailed data metrics, such as file counts or GB size. Despite this, the few documented cases collectively confirm the theft of over 1 million files and 2 TB of data. Given the missing metadata for most victims, the overall reach of this operation is potentially much larger than what is publicly known. 

Language Analysis 

During our review of the victims and the accompanying announcement text, we noticed a strange communication pattern. The attackers, who named this campaign "Korean Leaks" themselves, did not rely solely on the standard cybercrime tactic of directly pressuring a compromised business (and its investors, partners, and customers). Instead, they used significant amounts of propaganda and political language and targeted the entire South Korean country and financial industry, a departure from typical cybercrime communication. 

In the RaaS model, the DLS posts and other assets, such as ransom notes, are typically written and published by operators to ensure brand consistency and maintain control over the extortion narrative. Qilin highlights this benefit on darknet forums to attract affiliates, offering: “An in-house team of journalists who, in cooperation with legal experts, can help you write texts for blog posts and also assist with pressure during negotiations.”

Our statistical analysis of the Korean Leaks offers strong evidence that the Qilin core team, rather than the affiliate, was responsible for the final editing and publication of the DLS text. The posts contain several of the core operator's signature grammatical inconsistencies. However, this control over the final draft does not mean the affiliate was excluded from having a critical say in the key messaging or overall direction of the content.

Pre-Korean Leak Messaging 

An unusual political angle was used on August 20, 2025, with the DLS post for a victim in the construction industry. This post preceded the launch of the main Korean Leaks campaign. The text included an explicit threat of military intelligence value: "...the published data includes plans and drawings for each of the company's hundreds of completed projects. Schematics of such projects as bridges, tunnels, and liquefied natural gas tanks are now publicly available - information that should be kept secret because it is of great interest to other countries. A report on what was found in these documents is already being prepared for Comrade Kim Jong-un."

Initial Qilin DLS listing for a Korean target that contains a direct North Korean reference 

Given that subsequent victim posts immediately dropped the North Korean focus to concentrate on the South Korean element of the leaks, it is highly plausible that affiliates expressed strong discontent with this ideological inclusion, forcing the editorial team to shift the narrative's attention to the victims' national origin instead of a foreign regime. 

Korean Leaks - Wave 1 

The first phase of Korean Leaks, Wave 1, was characterized by a highly coordinated release, with 10 victims from the financial management sector all documented on September 14, 2025. All posts closed with the following boilerplate announcement: "We have gained access to a gigantic mass of data of Korean companies operating in the financial management and stock market. The global leak affected dozens of companies, the data of which we will be publishing here. Stay tuned for updates." 


The entire campaign was framed as a public-service effort to expose systemic corruption, exemplified by the threats to release files that could be "evidence of stock market manipulation" and names of "well-known politicians and businessmen in Korea." The core goal was achieved in the concluding post, which declared the series of attacks over, and alleged that the victims were all "one network of fraudsters." The final line served as a public mandate, asserting that "Law enforcement agencies and independent journalists in Korea are obliged to look into these documents," effectively shifting the burden of the damage and investigation onto Korean authorities.


Example victim listing on Qilin's Data Leak Site, illustrating the first wave of the campaign 

Korean Leaks – Wave 2 

The second phase of Korean Leaks, Wave 2, sustained the attack, publishing nine victims over a three-day period, from September 17, 2025 to September 19, 2025. In contrast to Wave 1’s formal conclusion, this series closed with an escalating threat across all posts: "We continue to publish data on companies in the Korean financial market. We have data on dozens of companies. Korean Leak is a reason to withdraw money from the country's stock market, because we have a volume of data whose publication will definitely deal a serious blow to the entire Korean market. And we will definitely do it." 

This messaging shifted from merely threatening the victim companies to threatening the entire Korean stock market, creating a systemic risk narrative. To further pressure regulatory bodies, one post pointedly referenced local laws, stating: "South Korea has one of the strictest personal data protection laws in the world. We hope that the relevant authorities will take an interest in this case. After all, the existence of such companies is a disgrace to the country. See for yourself."


Example victim listing on Qilin's Data Leak Site, illustrating the second wave of the campaign 

Korean Leaks – Wave 3 

The third phase of Korean Leaks, Wave 3, concluded the campaign, documenting nine additional victims over a week-long period from September 28, 2025, to October 4, 2025. This final wave was notable for another shift in the messaging strategy. 

The initial four victim posts maintained the highly aggressive, systemic threat that characterized Wave 2, closing with the same statement about a national financial crisis. 

However, a noticeable change happened with the fifth victim post (released three days after the fourth). For this victim and the subsequent four, the operator abandoned the threat of a systemic market crash. The focus returned to individual victim pressure, using language that more closely resembled Qilin's typical, financially motivated extortion messages directed at a single business.


Example victim listing on Qilin's Data Leak Site, illustrating the third wave of the campaign 

The final significant activity following the Korean Leaks campaign was the DLS post of a new victim on October 22, 2025. This victim, which matched the financial services and asset management profile of the Korean Leaks targets, was listed with over 1TB of exfiltrated data and 15 proof-of-compromise photos. The post lacked any mention of the "Korean Leak" branding, despite fitting the exact victim profile, indicating the operator had retired the campaign name. Interestingly, the company was removed from the DLS after only one day. This rapid removal mirrored that of three earlier victims; the justification behind this and similar retractions remains unknown.  

Root Cause Analysis 

The tight clustering of all victims within a single financial and asset management niche during the "Korean Leaks" campaign strongly indicates that the campaign was not built on individualized targeting. The sheer speed and size of the attack waves, over a limited time frame, point to a shared weakness that connected the victims. 

We tested three competing hypotheses for the targeted approach of this campaign.

  1. Compromised Managed Service Provider (MSP) or Upstream Vendor: This is the most technically plausible hypothesis. It suggests the Qilin affiliate successfully breached a single IT service provider, financial software vendor, or accounting firm that maintained privileged, remote access to all victim networks. This single point of failure would grant the attacker simultaneous, scalable access to multiple, similarly configured clients, best explaining the speed and tight focus of the attack waves against the South Korean financial sector.
  2. Zero-Day or Common Vulnerability Exploitation: This hypothesis proposes the affiliate exploited a newly discovered, unpatched vulnerability (zero-day) in a specific, widely used piece of financial software or hardware common among South Korean asset management firms. The attacker would have used the vulnerability to rapidly scan and compromise any organization running the vulnerable product, allowing them to acquire access to a large cluster of victims quickly and efficiently.
  3. Insider Access or Credential Acquisition: This suggests the affiliate obtained a large, targeted batch of valid corporate credentials from a dark web market or by paying a bounty to an insider with access to multiple firms. By using existing, valid logins, the attacker bypasses modern security controls, which explains the high success rate and the precise targeting of financial and asset management entities, although this vector is slightly less efficient for the rapid, parallel deployment seen in Wave 1. 

Our most probable hypothesis - the compromise of an upstream vendor - was confirmed by press reporting on September 23, 2025. The Korea JoongAng Daily stated that more than 20 asset management firms suffered breaches after their servers were hacked in a ransomware attack, noting that the common link among the affected firms is a domestic IT service provider that manages systems for asset managers. 

Conclusion and Recommendations 

The MSP compromise that triggered the “Korean Leaks" operation highlights a critical blind spot in cybersecurity discussions. While supply chain attacks are a constant topic of discussion, the focus tends to be on upstream software supply chain compromise including the terrifying and high-impact risk of trojanized code or updates. While these attacks are undeniably catastrophic, they remain statistically rare. 

In fact, a far more common and often ignored threat is the compromise of a third-party service provider. It is simple but highly effective: exploiting a vendor, contractor, or MSP that already holds access to other businesses is a more prevalent and practical route for RaaS groups seeking clustered victims. 

Implement Defense-in-Depth 

The core lesson from this and virtually every other major breach is that security best practices remain the same because they are effective. The goal is to build a layered defense to ensure that if one control fails (like an employee clicking a phishing email or a vendor's system being compromised), subsequent controls can detect, block, or limit the damage. 

  • Multi-Factor Authentication (MFA): Enforce MFA on all accounts, especially for remote access, VPNs, and privileged user accounts. This prevents compromised credentials (the initial vector in many supply chain compromises) from granting immediate network access. 
  • Principle of Least Privilege (PoLP): Implement rigorous role-based access control (RBAC) across all systems. Restrict administrative privileges and ensure vendor/partner accounts have only the minimum access and persistence necessary for their work. 
  • Network Segmentation: Isolate critical systems and sensitive data within your network. Containment measures should be in place to ensure that a compromise in one segment, such as a vendor network or a non-essential service, cannot lead to lateral movement into core financial systems. 
  • Adopt EDR/XDR/MDR: Focus on the core goal of dramatically minimizing adversary dwell time. While EDR and XDR provide the necessary visibility and correlation across endpoints and the broader environment, their success is contingent upon a mature and effective SecOps team for 24/7 monitoring and investigation. If an organization lacks this in-house capability, a 24/7 MDR service is a critical, expert-driven alternative. Without the appropriate resources—whether in-house or outsourced—alerts often lead to an all-too-common outcome: All red flags were raised, but no one was paying attention. 
  • Break the Ransomware Playbooks: A necessary long-term strategy for defense against modern threats is moving beyond simply reacting to alerts and instead designing an environment hostile to adversaries. As RaaS groups increasingly rely on well-established, repeatable attack playbooks (as detailed in our whitepaper), future-proofing requires breaking these predictable attack paths. Technologies like PHASR (Proactive Hardening and Attack Surface Reduction) introduce a layer of unpredictability and dynamic controls that constantly change the victim's environment, defeating the attacker's scripted movements. 
  • Operationalize Current Security Controls: A vulnerability in many organizations is not a lack of technology, but the misconfiguration and underutilization of existing controls. Enterprises must move beyond passive ownership to fully operationalize every available function. Verify that critical defensive features, such as Ransomware Mitigation, are enabled and actively protecting all managed endpoints. For specific recommendations, consult the GravityZone best practices document: https://techzone.bitdefender.com/en/tech-papers/gravityzone-best-practices.html 
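The MFA, least-privilege and segmentation controls above only help if someone watches vendor accounts for violations. The following added example (not Bitdefender code, and not any product's API) runs three such checks over constructed authentication events from a hypothetical MSP-facing jump host: vendor logins without MFA, vendor access to hosts outside an allow-list, and one vendor identity fanning out across many client tenants in minutes, which is the access pattern a compromised upstream provider gives an attacker. Account names, tenant names and hosts are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events as a jump host or VPN might log them.
# Fields: time, account, client (tenant), destination host, MFA used, result.
EVENTS = [
    ("2025-09-13T22:01:10", "svc-msp-admin", "assetmgr-A", "fs01.a", True, "success"),
    ("2025-09-13T22:03:42", "svc-msp-admin", "assetmgr-B", "fs01.b", True, "success"),
    ("2025-09-13T22:05:05", "svc-msp-admin", "assetmgr-C", "db01.c", True, "success"),
    ("2025-09-13T22:06:30", "svc-msp-admin", "assetmgr-D", "fs01.d", True, "success"),
    ("2025-09-13T22:08:11", "svc-msp-admin", "assetmgr-E", "fs01.e", True, "success"),
    ("2025-09-13T22:09:55", "svc-msp-admin", "assetmgr-F", "fs01.f", True, "success"),
    ("2025-09-14T09:15:00", "svc-msp-admin", "assetmgr-A", "fs01.a", False, "success"),
    ("2025-09-14T10:00:00", "jkim", "assetmgr-A", "fs01.a", True, "success"),
    ("2025-09-14T10:30:00", "svc-msp-admin", "assetmgr-B", "trading01.b", True, "success"),
]

# Hypothetical vendor (MSP) identities and the least-privilege scope each is allowed to reach.
VENDOR_ACCOUNTS = {"svc-msp-admin"}
VENDOR_SCOPE = {"svc-msp-admin": {"fs01.a", "fs01.b", "db01.c", "fs01.d", "fs01.e", "fs01.f"}}


def no_mfa_vendor_logins(events):
    """Successful vendor logins that did not present MFA (violates the MFA control)."""
    return [(t, acct, tenant) for t, acct, tenant, _host, mfa, result in events
            if acct in VENDOR_ACCOUNTS and result == "success" and not mfa]


def out_of_scope_access(events):
    """Vendor account touching a host outside its allow-list (least privilege / segmentation)."""
    return [(t, acct, host) for t, acct, _tenant, host, _mfa, _result in events
            if acct in VENDOR_ACCOUNTS and host not in VENDOR_SCOPE.get(acct, set())]


def tenant_fan_out(events, window=timedelta(minutes=15), min_tenants=5):
    """One vendor identity authenticating into many distinct clients inside a short window.
    A technician works clients one at a time; a stolen MSP credential is what lets an
    attacker reach many similarly configured clients at once (hypothesis 1 above)."""
    per_account = defaultdict(list)
    for t, acct, tenant, _host, _mfa, result in events:
        if acct in VENDOR_ACCOUNTS and result == "success":
            per_account[acct].append((datetime.fromisoformat(t), tenant))
    alerts = []
    for acct, hits in per_account.items():
        hits.sort()
        for t0, _ in hits:  # slide the window from each login
            tenants = {tenant for t, tenant in hits if t0 <= t <= t0 + window}
            if len(tenants) >= min_tenants:
                alerts.append((acct, t0.isoformat(), sorted(tenants)))
                break  # one alert per account is enough for this example
    return alerts
```

On the constructed events the fan-out check fires once (six tenants in under nine minutes), the MFA check flags the 09:15 login, and the scope check flags the reach into `trading01.b`.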

Ctrl-Alt-DECODE 

This research is part of Ctrl-Alt-DECODE, Bitdefender’s newly established threat intelligence initiative. 

Get exclusive threat intelligence, original research, and actionable advisories directly from Bitdefender Labs and MDR teams.

 See the expert analysis on the Korean Leaks on our next Ctrl-Alt-DECODE episode (or catch up with our previous episodes). 
