Mr. A, a Chinese national suspected in the KT unauthorized micro-payment case, is escorted from the Suwon Yeongtong Police Station detention center in Gyeonggi Province to attend a court hearing for his arrest warrant review on September 18. (Photo = Yonhap News)
[Alpha Biz= Kim Jisun] Seoul, September 22, 2025 – KT has acknowledged that backup data remains from a server at the center of hacking allegations, despite having previously discarded the equipment. The revelation raises expectations that key evidence may emerge in the investigation into KT’s unauthorized micro-payment scandal.
According to documents submitted by KT to Rep. Choong-kwon Park of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, KT confirmed the existence of the backup data and shared it with a joint public-private investigative task force on September 18. The discarded server had been flagged by hacking-specialist media outlet Frac, which reported allegations of a breach earlier this year.
In August, Frac, citing whistleblower reports from white-hat hackers, alleged that the North Korean hacking group “Kimsuky” had carried out sustained attacks on KT, LG Uplus, and several South Korean government agencies. According to the report, authentication certificates and private keys used in KT’s remote consultation system were discovered on a “Kimsuky server.”
While Frac’s hacking allegations are technically separate from the unauthorized micro-payment scandal, industry observers believe the two may be connected. Experts note that bypassing ARS authentication cannot be achieved using illegal femtocell base stations alone, suggesting that a separate server breach to obtain personal data may have taken place.
KT has consistently denied hacking allegations, even discarding the server in question. On July 19, the Korea Internet & Security Agency (KISA) asked KT to share evidence of possible data leakage, but KT replied on July 21–22 that “no intrusion had occurred.” On August 12, when KISA made a renewed request for the server’s data, KT reported that it had already been disposed of—prompting suspicions of intentional destruction.
However, following public scrutiny over the unauthorized payment scandal, KT reversed its stance. Based on a four-month investigation conducted by an external firm from May to September, KT reported four confirmed intrusion cases and two suspected incidents to KISA on September 18. It was during this process that the backup data was identified and shared with the joint investigative task force.
Alphabiz Reporter Kim Jisun (stockmk2020@alphabiz.co.kr)