TL;DR The "Korean Leaks" campaign showcases a sophisticated supply chain attack against South Korea's financial sector. This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet) leveraging Managed Service Provider (MSP) compromise as the initial access vector.
When preparing data for the Bitdefender Threat Debrief | October 2025, we noticed a significant departure from established ransomware trends. The top-five most impacted countries are consistently the US, Canada, and major Western European nations. However, for this period, South Korea (KR) suddenly became the second most-targeted country, with 25 victims claimed in a single month.
Figure: Monthly count of ransomware victims in South Korea (September 2024 – September 2025), highlighting the unusual spike in September 2025.
This anomaly prompted an immediate investigation. Our initial analysis quickly revealed that the entire surge was attributed exclusively to the Qilin ransomware group. We also observed a high degree of industry focus: with the exception of one construction firm, every victim was in the financial services sector.
This strong concentration in one country and one sector signals a highly targeted, purposeful campaign, and we decided to investigate the whole operation.
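The anomaly described above was found by comparing per-country monthly victim counts against their own baseline and then checking how concentrated the spike was in one group and one sector. The following is an added example (not Bitdefender's tooling) that performs that check over a constructed set of leak-site records; the group names other than Qilin, the sectors and all dates are invented for illustration.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import median

def _rec(group, country, sector, y, m, d):
    return (group, country, sector, date(y, m, d))

# Constructed leak-site records: (group, country, sector, posting date).
# "other_a"/"other_b" are placeholder group names, not real actors.
VICTIMS = (
    # Baseline: one South Korean victim per month, mixed groups and sectors.
    [_rec("other_a", "KR", "manufacturing", 2025, 6, 3),
     _rec("qilin", "KR", "retail", 2025, 7, 11),
     _rec("other_b", "KR", "healthcare", 2025, 8, 20)]
    # September 2025: six KR victims, five of them financial and posted by one group.
    + [_rec("qilin", "KR", "financial", 2025, 9, 14) for _ in range(4)]
    + [_rec("qilin", "KR", "financial", 2025, 9, 17),
       _rec("other_a", "KR", "construction", 2025, 9, 2)]
    # US: consistently high volume every month, so no spike should be flagged.
    + [_rec(g, "US", s, 2025, m, 5) for m in (6, 7, 8, 9)
       for g, s in (("qilin", "healthcare"), ("other_a", "retail"), ("other_b", "legal"),
                    ("other_a", "education"), ("qilin", "financial"))]
)

def monthly_counts(victims):
    """Map (country, 'YYYY-MM') -> number of victims posted in that month."""
    counts = Counter()
    for _group, country, _sector, posted in victims:
        counts[(country, posted.strftime("%Y-%m"))] += 1
    return counts

def flag_country_spikes(victims, month, min_ratio=3.0, min_victims=5):
    """Return {country: (count, baseline)} for countries whose count in `month`
    is at least `min_victims` and at least `min_ratio` times the median of their other months."""
    by_country = defaultdict(dict)
    for (country, ym), n in monthly_counts(victims).items():
        by_country[country][ym] = n
    flagged = {}
    for country, months in by_country.items():
        current = months.get(month, 0)
        baseline = [n for ym, n in months.items() if ym != month]
        base = median(baseline) if baseline else 0
        if current >= min_victims and current >= min_ratio * max(base, 1):
            flagged[country] = (current, base)
    return flagged

def concentration(victims, country, month):
    """How much of a country's monthly victim set belongs to the top group and top sector."""
    subset = [v for v in victims if v[1] == country and v[3].strftime("%Y-%m") == month]
    if not subset:
        return None
    top_group, g_n = Counter(v[0] for v in subset).most_common(1)[0]
    top_sector, s_n = Counter(v[2] for v in subset).most_common(1)[0]
    return {"n": len(subset), "top_group": top_group, "group_share": g_n / len(subset),
            "top_sector": top_sector, "sector_share": s_n / len(subset)}
```

A spike that is also dominated by a single group and a single sector, as September 2025 was in the real data, is the signal that a shared upstream dependency rather than opportunistic targeting may be at play.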
The group behind this surge is Qilin, which has led our Ransomware-as-a-Service (RaaS) statistics for several months. All claimed victims were posted to their Dedicated Leak Site (DLS) - a private Tor site used by double-extortion groups to publish exfiltrated data and pressure non-paying victims. While named after a Chinese mythological creature, Qilin's origins are likely Russian, following the standard RaaS model. One of the founding members (BianLian) communicates in Russian and English, they are very active in Russian-speaking forums, and the operational rule of avoiding targets in the Commonwealth of Independent States (CIS) is a common characteristic of Russian-based operations.
What makes Qilin particularly interesting is their self-identification as political activists, as evidenced in their public statements on their leak site.
Figure: Qilin's self-identification as 'political activists' on WikiLeaksV2. WikiLeaksV2 is a public-facing website used to post political manifestos and leak stolen victim data outside the dark web, increasing pressure on targets.
This makes Qilin a living example of a trend we predicted for 2025: that hacktivism would re-emerge, leveraging ransomware's massive financial leverage. It is possible the 'activist' label began as genuine conviction; however, the power of a leading RaaS platform and its sheer profitability inevitably shifts the focus. The group's sheer scale, with almost 1,000 ransom victims claimed to date, demonstrates a focus on mass revenue generation rather than selective political targeting. Money becomes the chief objective, though their political identity remains a helpful lens to distinguish friends from enemies.
Ransomware-as-a-Service (RaaS) operates like a gig economy. The main RaaS operators are platform entrepreneurs who provide the branding, software and infrastructure, taking only a small cut of the profits, typically 15% to 20%. The actual hacking is executed by the affiliates - a diverse group of hackers (sometimes calling themselves "involuntary penetration testers") - who, acting like a contractor or freelancer, earn the majority of the money.
Since the operators are almost exclusively based in Russia, and the affiliates are highly anonymous and varied, attacks are usually attributed to the well-known operator group even though the affiliates are doing the work and keeping the largest profit. Our next step was therefore to analyze the true attackers, not the group that posted the public threat.
Tracking Qilin's individual hackers (affiliates) is extremely difficult, as their numbers and nationalities are kept secret, and members constantly shift allegiances. Qilin has proven willing to collaborate with diverse partners, including the infamous English-speaking Scattered Spider group.
The most surprising partnership began in early 2025, when Moonstone Sleet, a hacking group tied directly to North Korea, signed on as a Qilin affiliate. We're going to call "bingo" on our second 2025 prediction here. We predicted that state-sponsored groups (APTs) would start using criminal RaaS platforms, merging espionage with crime. This intentional blurring of threat actor categories helps state actors gain money and inflict great damage while ensuring plausible deniability, making it almost impossible to hold the nation accountable.
Moonstone Sleet showed only a handful of attacks during their initial experiments with Qilin ransomware. While this quiet period may seem unusual, a lull in attacks is typical of actors preparing a larger campaign. For example, the Cl0p ransomware campaign successfully exploited a vulnerability in December 2024, but the resulting mass of victims only appeared months later, contributing to a victim count that made February 2025 the historical peak for RaaS victim reporting.
The recent surge in data leak publications from attacks on South Korean businesses is a classic example of a major public spike following a quiet period of preparation, and the targets align closely with this state-sponsored group's strategic objectives. Qilin's collaboration with a North Korean threat actor like Moonstone Sleet in the Korean Leaks campaign therefore remains both plausible and probable.
The campaign that Qilin named "Korean Leaks" was rolled out in three distinct publication waves, and most of the leaks were publicized in September 2025. Of the 33 total victims, 28 are currently public. The campaign focused almost entirely on South Korean financial firms, specifically asset management companies. The subsequent removal of 4 victim posts from the leak site is highly unusual and suggests either successful negotiations or an atypical internal policy, as posts normally remain public even after a ransom is paid.
The attackers provided public proof of the breach by sharing nearly 300 photos of exfiltrated documents on the DLS. However, the true scope of each leak is poorly documented as the majority of victims' posts lack detailed data metrics, such as file counts or GB size. Despite this, the few documented cases collectively confirm the theft of over 1 million files and 2 TB of data. Given the missing metadata for most victims, the overall reach of this operation is potentially much larger than what is publicly known.
During our review of the victims and the accompanying announcement text, we noticed a strange communication pattern. The attackers, who named this campaign "Korean Leaks" themselves, did not rely solely on the standard cybercrime tactic of directly pressuring a compromised business (and its investors, partners, and customers). Instead, they used significant amounts of propaganda and political language and targeted the entire South Korean country and financial industry, a departure from typical cybercrime communication.
In the RaaS model, the DLS posts and other assets, such as ransom notes, are typically written and published by operators to ensure brand consistency and maintain control over the extortion narrative. Qilin highlights this benefit on darknet forums to attract affiliates, offering: “An in-house team of journalists who, in cooperation with legal experts, can help you write texts for blog posts and also assist with pressure during negotiations.”
Our statistical analysis of the Korean Leaks offers strong evidence that the Qilin core team, rather than the affiliate, was responsible for the final editing and publication of the DLS text. The posts contain several of the core operator's signature grammatical inconsistencies. However, this control over the final draft does not mean the affiliate was excluded from having a critical say in the key messaging or overall direction of the content.
An unusual political angle was used on August 20, 2025, with the DLS post for a victim in the construction industry. This post preceded the launch of the main Korean Leaks campaign. The text included an explicit threat of military intelligence value: "...the published data includes plans and drawings for each of the company's hundreds of completed projects. Schematics of such projects as bridges, tunnels, and liquefied natural gas tanks are now publicly available - information that should be kept secret because it is of great interest to other countries. A report on what was found in these documents is already being prepared for Comrade Kim Jong-un."
Given that subsequent victim posts immediately dropped the North Korean focus to concentrate on the South Korean element of the leaks, it is highly plausible that affiliates expressed strong discontent with this ideological inclusion, forcing the editorial team to shift the narrative's attention to the victims' national origin instead of a foreign regime.
The first phase of Korean Leaks, Wave 1, was characterized by a highly coordinated release, with 10 victims from the financial management sector all documented on September 14, 2025. All posts closed with the following boilerplate announcement: "We have gained access to a gigantic mass of data of Korean companies operating in the financial management and stock market. The global leak affected dozens of companies, the data of which we will be publishing here. Stay tuned for updates."
The entire campaign was framed as a public-service effort to expose systemic corruption, exemplified by the threats to release files that could be "evidence of stock market manipulation" and names of "well-known politicians and businessmen in Korea." The core goal was achieved in the concluding post, which declared the series of attacks over, and alleged that the victims were all "one network of fraudsters." The final line served as a public mandate, asserting that "Law enforcement agencies and independent journalists in Korea are obliged to look into these documents," effectively shifting the burden of the damage and investigation onto Korean authorities.
Figure: Example victim listing on Qilin's Data Leak Site, illustrating the first wave of the campaign.
The second phase of Korean Leaks, Wave 2, sustained the attack, publishing nine victims over a three-day period, from September 17, 2025 to September 19, 2025. In contrast to Wave 1’s formal conclusion, this series closed with an escalating threat across all posts: "We continue to publish data on companies in the Korean financial market. We have data on dozens of companies. Korean Leak is a reason to withdraw money from the country's stock market, because we have a volume of data whose publication will definitely deal a serious blow to the entire Korean market. And we will definitely do it."
This messaging shifted from merely threatening the victim companies to threatening the entire Korean stock market, creating a systemic risk narrative. To further pressure regulatory bodies, one post pointedly referenced local laws, stating: "South Korea has one of the strictest personal data protection laws in the world. We hope that the relevant authorities will take an interest in this case. After all, the existence of such companies is a disgrace to the country. See for yourself."
Figure: Example victim listing on Qilin's Data Leak Site, illustrating the second wave of the campaign.
The third phase of Korean Leaks, Wave 3, concluded the campaign, documenting nine additional victims over a week-long period from September 28, 2025, to October 4, 2025. This final wave was notable for another shift in the messaging strategy.
The initial four victim posts maintained the highly aggressive, systemic threat that characterized Wave 2, closing with the same statement about a national financial crisis.
However, a noticeable change happened with the fifth victim post (released three days after the fourth). For this victim and the subsequent four, the operator abandoned the threat of a systemic market crash. The focus returned to individual victim pressure, using language that more closely resembled Qilin's typical, financially motivated extortion messages directed at a single business.
Figure: Example victim listing on Qilin's Data Leak Site, illustrating the third wave of the campaign.
The final significant activity following the Korean Leaks campaign was the DLS post of a new victim on October 22, 2025. This victim, which matched the financial services and asset management profile of the Korean Leaks targets, was listed with over 1TB of exfiltrated data and 15 proof-of-compromise photos. The post lacked any mention of the "Korean Leak" branding, despite fitting the exact victim profile, indicating the operator had retired the campaign name. Interestingly, the company was removed from the DLS after only one day. This rapid removal mirrored that of three earlier victims; the justification behind this and similar retractions remains unknown.
The tight clustering of all victims within a single financial and asset management niche during the "Korean Leaks" campaign strongly indicates that the campaign was not built on individualized targeting. The sheer speed and size of the attack waves, over a limited time frame, point to a shared exposure that connected the victims.
We tested three competing hypotheses for the targeted approach of this campaign.
Our most probable hypothesis - the compromise of an upstream vendor - was confirmed by press reporting on September 23, 2025. The Korea JoongAng Daily stated that more than 20 asset management firms suffered breaches after their servers were hacked in a ransomware attack, noting that the common link among the affected firms is a domestic IT service provider that manages systems for asset managers.
The MSP compromise that triggered the "Korean Leaks" operation highlights a critical blind spot in cybersecurity discussions. While supply chain attacks are a constant topic of discussion, the focus tends to be on upstream software supply chain compromise, including the terrifying and high-impact risk of trojanized code or updates. While these attacks are undeniably catastrophic, they remain statistically rare.
In fact, a far more common and often ignored form of supply chain attack is simple and highly effective: the compromise of a third-party service provider. Exploiting a vendor, contractor, or MSP that holds access to many other businesses is a more prevalent and practical route for RaaS groups seeking clustered victims.
The core lesson from this and virtually every other major breach is that security best practices remain the same because they are effective. The goal is to build a layered defense to ensure that if one control fails (like an employee clicking a phishing email or a vendor's system being compromised), subsequent controls can detect, block, or limit the damage.
This research is part of Ctrl-Alt-DECODE, Bitdefender’s newly established threat intelligence initiative.