Russian and North Korean hackers stole 2TB of financial data from banks

Hackers linked to threat actors from Russia and North Korea staged a large-scale supply chain attack on South Korea's financial industry, stealing data from 28 banks and insurers.

11/27/2025

Qilin's Three-Wave Attack

Bitdefender's investigative report, published on November 26, attributed the campaign to Qilin (also known as Agenda or the successor to LockBit 3.0), a Ransomware-as-a-Service (RaaS) group with Russian operators that recruits global affiliates—including North Korean hackers—to carry out high-value attacks.

The attack exploited a software supply chain vulnerability in South Korean banking middleware, gaining initial access through phishing and credential stuffing before moving laterally to core systems. It unfolded in three waves:

  • Wave 1 (September): Reconnaissance against 10 targets, stealing 500 GB of preliminary data for espionage.

  • Wave 2 (mid-October): Encrypted and extracted data from 18 main victims, yielding 1.2 TB of core data.

  • Wave 3 (late October): Rapid attacks on 10 secondary entities, adding another 300 GB of stolen data.

Qilin's dedicated data leak site (DLS) on Tor announced the attack on November 20, demanding ransoms of up to $50 million per victim. The group framed the campaign as a "patriotic activity" against South Korea's allies in the United States, and North Korean propaganda such as "report to Comrade Kim Jong-un" was spread across forums.

The 2TB trove of data includes millions of dollars worth of personally identifiable information (PII), SWIFT credentials, and internal memos—valued at more than $2 billion as blackmail leverage, according to Chainalysis. No ransom has yet been paid, but Bitdefender warns of “data sales” on dark web marketplaces, similar to the $1.5 billion cryptocurrency heist by Lazarus Group in 2025.

Benefits of Cyber Espionage Convergence

Russia and North Korea increasingly link their cyber capabilities as part of broader geopolitical cooperation, sharing tools, infrastructure, and goals.

For Russia, cyberattacks on foreign banking systems serve strategic purposes: destabilizing opponents, gathering intelligence, and facilitating ransomware revenue streams.

For North Korea, the motive is more direct—funding its sanctioned regime by stealing financial resources, accessing sensitive financial data, and enhancing its cyberwarfare portfolio.

South Korea’s banking sector is a high-value target: technologically advanced, highly digitized, deeply integrated with global commerce, and geopolitically exposed. Stolen data could be monetized, weaponized for future intrusions, or used to support intelligence gathering on both government and private entities.

Impact on Korean National Security

While the breach did not cause direct financial damage to customer accounts, its strategic impact was much more serious.

The data obtained could allow an attacker to:

  • Perform highly sophisticated follow-up cyber intrusions.

  • Impersonate banks or executives in social engineering attacks.

  • Exploit weaknesses in internal infrastructure.

  • Map interbank communication patterns and payment flows.

South Korean regulators have signaled urgent audits, increased banking supervision and a comprehensive review of cybersecurity protocols. The government may also activate interagency cyber defense coordination — including intelligence sharing with the United States and Japan — given the involvement of North Korean state-linked actors.

Disclaimer: The information presented in this article is the author's personal opinion in the cryptocurrency field. It is not intended to be financial or investment advice. Any investment decision should be based on careful consideration of your personal portfolio and risk tolerance. The views expressed in this article do not represent the official position of the platform. We recommend that readers conduct their own research and consult with a professional before making any investment decisions.