
A hacker who stole over 1.7 billion won (about $1.18 million) in cryptocurrency using malware that secretly spoofed wallet addresses has been extradited to South Korea.
According to the National Investigation Bureau of the Korean National Police Agency, the 29-year-old Lithuanian citizen was extradited from Georgia and subsequently arrested on a court warrant.
Investigators believe that from April 2020 to January 2023, the suspect distributed malware called KMSAuto, disguising it as a Microsoft Windows activation tool. The program targeted users who were not using authorized activation tools and, according to police, was downloaded or installed approximately 2.8 million times worldwide.
The key trick was so-called “memory hacking.” During a cryptocurrency transaction on an infected computer, the malware automatically replaced the entered wallet address with one controlled by the attacker. As a result, the user sent funds to what appeared to be the correct address, but in reality the transfer went to the attacker, and the error often went unnoticed until verification was performed.
According to Korean law enforcement, the infection affected over 3,100 wallet addresses, and cryptocurrency was intercepted in over 8,400 transactions. The total damage was estimated at approximately 1.7 billion won (about $1.18 million). Among the victims were South Korean residents: eight people lost a total of 16 million won (about $11,000).
The investigation began in August 2020 after a user reported the loss of a bitcoin, worth approximately 12 million won (about $8,300), when the transfer was suddenly diverted to another address.
Further analysis traced the movement of the stolen assets across six countries, including domestic cryptocurrency exchanges, and identified seven additional Korean victims.
Once the suspect was identified, South Korean police launched a joint operation in December 2024 with the Lithuanian Ministry of Justice, the prosecutor’s office, and the police. During a search of the suspect’s residence in Lithuania, 22 items were seized, including cell phones and laptops. South Korea requested an Interpol “Red Alert” to prosecute him, and in April, Georgian police arrested the man upon his entry into the country.
Seoul then submitted an extradition request, and after five years and four months of investigation, the suspect was finally brought to South Korea, according to the agency.
