In what security experts are calling one of South Korea's most devastating telecommunications breaches, SK Telecom suffered a sophisticated malware intrusion that compromised approximately 27 million IMSI/USIM records over a three-year period from June 2022 to early 2024. The attack remained undetected until April 18, 2025, reflecting the perpetrators' advanced technical capabilities and meticulous operational security.
The breach’s scope exceeded SK Telecom’s 25 million subscriber base due to individual users operating multiple SIM-enabled devices, including smartphones, smartwatches, and connected IoT equipment. Investigation revealed that 9.32 to 9.82 gigabytes of sensitive mobile identity information was compromised, affecting nearly half of South Korea’s population.
Although phone numbers were exposed, investigators confirmed that names, personal identification numbers, and location data remained secure: despite the breach affecting 27 million records, sensitive personal identifiers and location tracking data escaped compromise.
Forensic analysis identified 25 distinct malware variants across 23 compromised servers, with 15 servers containing multiple infection types. The primary attack vector involved malicious code injection during legitimate security software packaging, allowing malware to install alongside SK Shieldus tools.
The predominant threats included 24 BPFDoor backdoor variants and one WebCell variant, which established communication channels with command-and-control servers for systematic data exfiltration.
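The attack vector described above, malicious code bundled into an otherwise legitimate security software package, is exactly what build-manifest verification is meant to catch. The following is an added example, not code from SK Telecom, SK Shieldus or the investigation: it hashes every file in an installer payload, compares the result against a trusted manifest produced from the clean build, and reports files that were added, modified or removed. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(package_dir):
    """Return {relative_path: sha256_hex} for every file under package_dir.

    Paths are sorted and stored POSIX-style so the manifest is stable
    across platforms and can be signed or pinned by the build pipeline.
    """
    manifest = {}
    root = Path(package_dir)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_package(package_dir, trusted_manifest):
    """Compare a payload about to be installed against the trusted manifest.

    Any added file (an injected binary), modified file (a patched config or
    tool) or missing file (a removed control) fails verification.
    """
    actual = build_manifest(package_dir)
    added = sorted(set(actual) - set(trusted_manifest))
    missing = sorted(set(trusted_manifest) - set(actual))
    modified = sorted(
        p for p in actual
        if p in trusted_manifest and actual[p] != trusted_manifest[p]
    )
    return {
        "added": added,
        "modified": modified,
        "missing": missing,
        "ok": not (added or modified or missing),
    }


def demo():
    """Constructed scenario: a clean build and a tampered copy of the same package."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as tampered:
        for d in (clean, tampered):
            Path(d, "bin").mkdir()
            Path(d, "bin", "agent").write_bytes(b"#!/bin/sh\necho legitimate agent\n")
            Path(d, "config.json").write_text(
                '{"update_url": "https://updates.example.invalid/"}'
            )
        # The trusted manifest is taken from the clean build (hypothetical pipeline step).
        trusted = build_manifest(clean)

        # Tampering: an extra file dropped into bin/ and an altered config.
        Path(tampered, "bin", "helper").write_bytes(b"\x7fELF placeholder, constructed")
        Path(tampered, "config.json").write_text(
            '{"update_url": "https://updates.example.invalid/other"}'
        )

        clean_result = verify_package(clean, trusted)
        tampered_result = verify_package(tampered, trusted)
    return clean_result, tampered_result


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean build:", clean_result)
    print("tampered build:", tampered_result)
```

In a real pipeline the trusted manifest would itself be signed by the build system so an attacker who can alter the package cannot simply regenerate it; this example only shows the comparison step.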
The attack’s sophistication created significant investigative challenges. Missing firewall logs between June 2022 and December 2024 prevented investigators from determining the full extent of data leakage during that period.
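A multi-year gap in firewall logs is something a monitoring pipeline can flag long before an incident response needs the records. The following is an added example, not part of the original report: it parses timestamped firewall log lines and reports any silence longer than a configurable threshold, which is the same continuity check that would have surfaced a missing log window. The log lines, hostname and addresses are constructed for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed firewall log sample; the silence between the third and fourth
# lines stands in for a period where no records were written or retained.
SAMPLE_LOG = """\
2024-12-01T00:00:05Z fw01 ACCEPT src=10.0.1.5 dst=10.0.2.9 proto=tcp dport=443
2024-12-01T00:00:35Z fw01 DROP src=198.51.100.7 dst=10.0.2.9 proto=tcp dport=22
2024-12-01T00:01:02Z fw01 ACCEPT src=10.0.1.8 dst=10.0.2.10 proto=udp dport=53
2024-12-01T03:15:40Z fw01 ACCEPT src=10.0.1.5 dst=10.0.2.9 proto=tcp dport=443
2024-12-01T03:16:01Z fw01 DROP src=203.0.113.4 dst=10.0.2.9 proto=tcp dport=3389
"""

TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_timestamps(text):
    """Extract the leading ISO-8601 timestamp from each non-empty log line."""
    stamps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp = line.split(" ", 1)[0]
        stamps.append(datetime.strptime(stamp, TIMESTAMP_FORMAT))
    return stamps


def gap_report(text, max_silence_minutes=10):
    """Return a list of (gap_start, gap_end, seconds) for every silence longer
    than max_silence_minutes; timestamps are returned as ISO strings so the
    report can be serialised or alerted on directly."""
    stamps = parse_timestamps(text)
    limit = timedelta(minutes=max_silence_minutes)
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev > limit:
            gaps.append((
                prev.strftime(TIMESTAMP_FORMAT),
                cur.strftime(TIMESTAMP_FORMAT),
                int((cur - prev).total_seconds()),
            ))
    return gaps


if __name__ == "__main__":
    for start, end, seconds in gap_report(SAMPLE_LOG):
        print(f"log silence of {seconds} s between {start} and {end}")
```

The threshold should be tuned to the device's normal event rate; a busy perimeter firewall that goes quiet for ten minutes is already anomalous, while a low-traffic segment may need a longer window.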
An additional eight servers remain under active investigation by the Ministry of Science and ICT, which leads the forensic effort alongside government and private sector experts.
The compromise extended beyond individual subscribers to impact approximately 90 corporate customer organizations through infected security software. IMSI/USIM records function as unique mobile fingerprints, crucial for authentication processes and financial transactions, making this breach particularly consequential for affected users. Among the compromised data, nearly 292,000 IMEI numbers were also exposed, though experts maintain that device cloning using this information alone is technically impractical.
SK Telecom and SK Shieldus issued public apologies following disclosure. The telecommunications company implemented thorough SIM reset measures to prevent potential card cloning attacks. Authorities have implemented new code auditing protocols to strengthen software integrity verification processes across critical telecommunications infrastructure.
Early estimates suggest 250,000 users have switched providers, with projections reaching 2.5 million defections if regulatory penalties are waived. The incident ranks among the largest telecommunications breaches in South Korean history, severely damaging SK Telecom’s industry reputation.