Introduction
Ten years ago, Korea saw large-scale credential leaks centered around major portals, and the secondary damage was real. Services like points, gift vouchers, and easy-pay systems — where a stolen account could be immediately monetized — took significant hits.
The damage was serious even then. But looking back, the attacks of that era didn’t look like a single profitable operating structure the way they do today.
Now it’s different. Leaked credentials are no longer just a list of login attempts. They’re the starting point for ATO (Account Takeover), which flows into theft of stored-value assets like points and gift cards, and the proceeds cycle back into funding the next round of attacks.
Related Video
Not Isolated Incidents — Connected Operational Traces
What made me re-examine this problem wasn’t simply that brute-force login attempts were up. It was seeing block requests against domestic services, login attempt logs, forum spam patterns, Telegram-luring accounts, and prepaid SIM recruitment signals together — and noticing that individual incidents weren’t isolated events. They looked like traces of a connected operation.
For example, an IP first appears in the context of credential stuffing. But following that IP or adjacent ranges reveals the same operational fingerprints: repetitive forum spam for prepaid SIMs, fast loans, and microcredit; funneling people to Telegram handles; shared nicknames and promotion patterns.
These show up with almost no record in global reputation services. But domestic searches and repeated pivots surface the same or similar operator traces.
This is the point where I stopped seeing this as mere spam or one-off account theft. It looks more like a Korean-style Cybercrime-as-a-Service (CaaS) supply chain — loosely divided by labor, but interconnected.
Paradigm Shift: From Theft to Supply Chain
| Dimension | 10 Years Ago | Today |
|---|---|---|
| Framing | One-off theft | Self-reproducing operation |
| Target | Direct cash and large DBs | Stored-value assets (points, gift cards) |
| Actor | Individual or small hacker groups | Loosely divided CaaS supply chain |
| End goal | Cash out and disappear | Crypto conversion and infrastructure reinvestment |
No single person runs everything. Resources and roles are separated and connected — more like a corporate structure than individual crime.
The four steps:
- Credential Supply — acquiring the initial material for credential stuffing
- Infrastructure Procurement — residential proxies, VPS, communications channels
- Asset Monetization — laundering stolen points and gift cards
- Profit Reinvestment — channeling proceeds back into the next attack cycle
The Real Role of Crypto
Crypto isn’t just background here. In my view, it’s the axis that transforms this structure from a one-off crime into a repeatable operating model.
Stolen points and vouchers get converted to cash. That cash converts to crypto — easier to move, store, and distribute. And those funds flow back into purchasing leaked credentials, securing proxies and VPS infrastructure, running automation tools, and procuring communications channels.
Crypto is not just a withdrawal mechanism.
It’s a recycling engine — one that converts stolen assets into operating capital for the next attack.
The loop: Leaked credentials → ATO → Stored-value monetization → Crypto conversion → Infrastructure reinvestment → repeat.
Why Korea?
The structure works on top of Korea’s specific characteristics. Korea has an exceptionally developed ecosystem of points, gifticons, mobile vouchers, and stored-value services. Stealing a single account often translates directly to financial value.
At the same time, local patterns — prepaid SIM recruitment, identity theft, community forum spam, Telegram funneling — aren’t captured well by global reputation databases. “Not showing up on AbuseIPDB” doesn’t mean clean infrastructure.
The numbers back this up:
- Msafer (identity theft prevention service) usage grew from 1.23 million in 2023 to 20.09 million in November 2025 — a 16x increase (Seoul Economy)
- Telecom dispute mediation filings hit a record 2,123 cases in 2025, including 217 identity-theft-related disputes (Ilyo Sisa)
- “Home appliance subscription” installment loan fraud repeatedly targeting people in their 20s and 30s (SBS via BJC Journal)
These don’t prove a single unified organization. But they signal that reuse of leaked data and identity-based monetization have already grown into a substantial industry.
Why CAPTCHA Alone Isn’t Enough
From this vantage point, hardening CAPTCHA alone is insufficient. CAPTCHA increases friction at one login page. But if attackers already have credential lists, separated automation infrastructure, monetization channels, and fund-cycling operations — CAPTCHA doesn’t stop the broader structure.
I covered this in The CAPTCHA That Became a Free Automatic Door for Hackers: a PoC pipeline using Playwright, Whisper, and an LLM agent to automatically process audio CAPTCHAs with 100% local tools and zero paid APIs. Research shows reCAPTCHA audio challenges have been solved in an average of 5.42 seconds at 85.15% accuracy. CAPTCHA is necessary friction, but it can’t cut the monetization and reinvestment loop that follows account compromise.
A New Paradigm: Read the Entire Behavioral Network
What’s actually needed isn’t better login defense in isolation. It’s the ability to read the entire behavioral network.
The focus of defense must shift from a single point to lines and networks:
- Reuse patterns of leaked credentials
- Anomalous login detection by IP
- Points and voucher conversion patterns
- Identity theft and fraudulent account opening signals
- Telegram-based recruitment traces
- Role separation between residential proxies and VPS
- The capital recycling structure behind it all
The important thing isn’t reporting individual IPs one by one. It’s reading the operating model behind them.
VPS ranges appearing repeatedly in domestic attacks are tracked in the anonymous-vps repository — a reference for the anonymous infrastructure commonly used in these operations.
Conclusion
If the account theft of the past was a “theft problem,” today’s account takeover is closer to a self-reproducing criminal operating structure mediated by crypto.
From blocking to dismantling. From reporting individual IPs to analyzing business models.
If yesterday’s account theft was a simple “stealing problem,” today it’s a criminal enterprise running on crypto. Dismantle the business model.
The observations and pivot results I’ve been building are accumulating in the public repository PointPivot. More detailed investigation notes, IOCs, and cluster analysis can be found there.
References
- PointPivot Project
- anonymous-vps: Anonymous Attack Infrastructure VPS Ranges
- The CAPTCHA That Became a Free Automatic Door for Hackers
- ‘Home Appliance Subscription’ Installment Loan Fraud Reality
- Unknown Phone Plan Opened, Then a ₩2M Installment Bill
- Identity Theft Prevention Service Hits 20 Million Cases