South Korea Takes Down Fraudulent Online Trading Network

### #OperationMidas #FraudDetection #HTSScam

Summary: South Korean law enforcement has dismantled a sophisticated fraud network that extorted $6.3 million through fake online trading platforms. The operation, known as Operation Midas, involved extensive collaboration between the Korean Financial Security Institute and various law enforcement agencies.

Threat Actor: Unnamed Fraudulent Organization
Victim: South Korean Investors

Key Points:

  • Operation Midas identified 125 illegal home trading system (HTS) programs designed to impersonate legitimate financial companies.
  • Perpetrators used advanced techniques, including real-time stock price information, to create the illusion of legitimate trading.
  • Insecure development practices and operational mistakes led to the exposure of over 2.7 million files and 12TB of screenshots, aiding in the investigation.
  • 32 individuals were arrested, including two developers and one infrastructure manager, as a result of the operation.
  • K-FSI monitored the fraudulent activities for over a year, utilizing internet scanning tools to track the operations.

A South Korean law enforcement operation has taken down a large-scale fraud network that extorted $6.3m from victims through fake online trading platforms designed to look legitimate while stealing deposited funds.

Dubbed Operation Midas, this year-long task involved the Korean Financial Security Institute (K-FSI), a South Korean nonprofit, and several South Korean law enforcement agencies.

Sung-Wook Jang and Yong-Hyun Kim, from K-FSI, shared their experience for the first time with a global audience at Black Hat Europe in London on December 11.

Behind the Scenes of a Fake Personal Trading Network

As part of Operation Midas, K-FSI and the South Korean authorities identified 125 illegal home trading system (HTS) programs.

These online trading platforms are computer software, mobile apps, or websites offered by brokerage firms to allow individuals to trade stocks using their personal devices.

Operating from abroad, an unnamed fraudulent organization impersonated at least five South Korean financial companies promoting seemingly legitimate HTS platforms with transactions that appeared to be real.

These programs communicated with the servers of legitimate brokerage firms to get real-time stock price information and used publicly available chart libraries to create visual representations.

“However, no actual stock trades are made. Rather, the program’s core feature, a screen capture function, is used to spy on users’ screens, collect unauthorized information, and refuse to return money,” explained Jang and Kim.

Victims were also steered toward the fraudulent HTS platforms through YouTube broadcasts and KakaoTalk reading rooms; once they had deposited funds, the operators siphoned off the money.

Operation Midas: 20 Servers Seized, 32 People Arrested

The perpetrators, however, made a number of operational security (OPSEC) mistakes that allowed K-FSI to uncover their activities.

These OPSEC failures included:

  • Screenshots leaked through directory listing on exposed servers, including the developers' own screenshots
  • No separation between devices used for the crime and personal devices
  • Insecure software development and testing processes

“Sometimes, a supplier of an HTS program forgot to apply Cloudflare content delivery network (CDN) and leaked real IP address,” added Jang and Kim.

These mistakes allowed K-FSI to collect data from over 170 fake HTS servers around the clock for nearly two months, amassing 2.7 million files and 12TB of screenshots that the developers had inadvertently exposed. The exposure covered both the supply organization, which developed and sold the program, and the operations organizations, which rented and ran the program it provided.

K-FSI professionals monitored this activity for over a year and identified exposed hosts using internet scanning tools such as Censys.
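Two of the OPSEC failures above, an autoindex directory listing that exposes screenshots and an HTS server answering on its own address because the Cloudflare CDN was never applied, are the kind of thing a scanner can flag automatically. The Python below is an added example, not K-FSI's tooling: it parses a constructed nginx-style listing to enumerate exposed image files, and checks constructed DNS answers against a subset of Cloudflare's published IPv4 ranges (assumption: the current list should be refreshed from https://www.cloudflare.com/ips-v4 before use). Host names and the sample listing are fabricated for illustration.

```python
"""Added example: recognise an exposed directory listing and spot hosts that
are not fronted by the CDN. All inputs are constructed inline; nothing is fetched."""
import ipaddress
import re
from html.parser import HTMLParser

# Constructed sample of an nginx "autoindex on" page for a screenshot directory.
SAMPLE_LISTING = """<html><head><title>Index of /screenshots/</title></head>
<body><h1>Index of /screenshots/</h1><hr><pre><a href="../">../</a>
<a href="2024-01-15_user0042.png">2024-01-15_user0042.png</a>  15-Jan-2024 09:12  412K
<a href="2024-01-15_user0043.png">2024-01-15_user0043.png</a>  15-Jan-2024 09:13  398K
<a href="dev_desktop.png">dev_desktop.png</a>                  14-Jan-2024 22:01  1.2M
</pre><hr></body></html>"""

# Constructed ordinary page, to show the detector does not fire on every <a href>.
SAMPLE_NORMAL_PAGE = "<html><head><title>Login</title></head><body><a href='/app'>Go</a></body></html>"


class _LinkCollector(HTMLParser):
    """Collect the <title> text and every <a href> on the page."""

    def __init__(self):
        super().__init__()
        self.title_parts = []
        self._in_title = False
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def detect_directory_listing(html):
    """Return the entries exposed by an Apache/nginx autoindex page, or [] if it is not one."""
    parser = _LinkCollector()
    parser.feed(html)
    title = "".join(parser.title_parts)
    if not re.match(r"\s*Index of /", title):
        return []
    # Keep plain relative names; drop the parent link, absolute URLs and sort-order links.
    return [h for h in parser.hrefs
            if h not in ("../", "/") and "://" not in h and not h.startswith("?")]


def exposed_screenshots(html):
    """Image files visible in a listing, i.e. the screenshots the text says leaked."""
    return [f for f in detect_directory_listing(html)
            if f.lower().endswith((".png", ".jpg", ".jpeg"))]


# Illustrative subset of Cloudflare's published IPv4 ranges (assumption: refresh
# from https://www.cloudflare.com/ips-v4; this snapshot is for demonstration only).
CDN_RANGES = [ipaddress.ip_network(c) for c in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "141.101.64.0/18", "108.162.192.0/18", "162.158.0.0/15", "198.41.128.0/17",
)]


def is_behind_cloudflare(ip):
    """True if the resolved address sits inside a known CDN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


# Constructed DNS answers: one CDN-fronted host, one whose origin is exposed.
SAMPLE_DNS = {"hts-example.test": "104.21.5.10", "hts-example-dev.test": "45.33.12.7"}


def origin_exposed_hosts(dns):
    """Hosts that answer on a non-CDN address, the 'forgot to apply Cloudflare' case."""
    return sorted(host for host, ip in dns.items() if not is_behind_cloudflare(ip))


if __name__ == "__main__":
    print("exposed screenshots:", exposed_screenshots(SAMPLE_LISTING))
    print("origin-exposed hosts:", origin_exposed_hosts(SAMPLE_DNS))
```

Running it against real targets means fetching each candidate URL and resolving each host name first; the detector keys on the `Index of /` title rather than on link count, so ordinary pages with many links are not mistaken for listings, and an origin address outside the CDN ranges is exactly the kind of host an internet-wide scanner would surface.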

“We watched as they used generative AI for efficient development, operated over 100 domains and servers, moved servers offshore to evade law enforcement, and extorted money from users,” Jang and Kim added.

Finally, K-FSI helped the Korean National Police Agency (KNPA) seize and analyze over 20 servers used by the fraud ring and took down the 125 illegal HTS platforms.

Police also arrested 32 people involved in the scheme, including two developers and one infrastructure manager.

“After the KNPA arrests of some affiliates, a supplier moved its servers to Japan,” said Jang and Kim.

K-FSI published a report in Korean in April 2024 detailing how Operation Midas had been conducted and uncovering the criminal methods used by the perpetrators of the fraud scheme.

Source: https://www.infosecurity-magazine.com/news/south-korea-takes-down-fraudulent