Cybercriminal apprehended for KMSAuto malware operation resulting in 2.8 million downloads.


A Lithuanian citizen has been apprehended for his suspected role in infecting 2.8 million computers with clipboard-stealing malware masquerading as the KMSAuto utility for illegal activation of Windows and Office software.

The 29-year-old was extradited from Georgia to South Korea based on a request coordinated by Interpol.

The Korean National Police Agency reports that the suspect trojanized KMSAuto to lure users into downloading a malicious executable that monitored the clipboard for cryptocurrency wallet addresses and silently replaced them with addresses he controlled, a class of malware known as a ‘clipper’.
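To make the mechanism concrete, the Python below is an added illustration written for this page; it is not code from the police report, the KMSAuto campaign or the malware itself. It simulates the swap a clipper performs on copied wallet addresses and a timing-based heuristic a clipboard monitor could use to catch it: a wallet address that is overwritten by a different address of the same family within a few hundred milliseconds of being copied is almost certainly not the user's doing. The attacker wallets, the victim's clipboard sequence and the 500 ms window are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Loose recognisers for the address families a clipper typically targets.
# They only need to decide "this looks like a wallet address"; they do not
# validate checksums, which is all the malware usually bothers with either.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Hypothetical attacker-controlled wallets, constructed for this example.
ATTACKER_WALLETS = {
    "btc_bech32": "bc1qa7n3q5pxe4m9w2rs6tjd0kzfl8uh5ec3v9yaqq",
    "eth": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
}

# Constructed sequence of what a victim copies: (time in ms, clipboard text).
USER_COPIES = [
    (0, "bc1qv5ct7m2ze9fh4r8s3da6kn0pqw2ux7yjl9e4g5"),  # victim's own BTC address
    (3000, "meeting notes for tomorrow"),               # not an address, left alone
    (6000, "0x" + "1" * 40),                             # an ETH address
]


def classify_address(text: str):
    """Return the address family of `text`, or None if it is not a wallet address."""
    s = text.strip()
    for family, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return family
    return None


def clipper_swap(clipboard_text: str, attacker_wallets: dict) -> str:
    """What the malware does: replace a copied address with the attacker's
    address of the same family, so the victim pastes the wrong destination."""
    family = classify_address(clipboard_text)
    if family is None or family not in attacker_wallets:
        return clipboard_text
    return attacker_wallets[family]


@dataclass
class ClipboardEvent:
    t_ms: int
    content: str


@dataclass
class Alert:
    t_ms: int
    family: str
    original: str
    replaced_with: str


def detect_clipper(events, window_ms: int = 500):
    """Flag a clipboard write that replaces a just-copied wallet address with a
    different address of the same family within `window_ms`. A person re-copying
    another address takes seconds; a clipper rewrites within milliseconds."""
    alerts = []
    prev = None
    for ev in events:
        fam = classify_address(ev.content)
        if prev is not None and fam is not None:
            if (classify_address(prev.content) == fam
                    and prev.content.strip() != ev.content.strip()
                    and ev.t_ms - prev.t_ms <= window_ms):
                alerts.append(Alert(ev.t_ms, fam, prev.content.strip(), ev.content.strip()))
        prev = ev
    return alerts


def simulate_victim(user_copies, attacker_wallets, clipper_delay_ms: int = 40):
    """Build the event stream a clipboard monitor would see on an infected host:
    each user copy of an address is followed `clipper_delay_ms` later by the
    malware's rewrite; other clipboard content passes through untouched."""
    events = []
    for t_ms, text in user_copies:
        events.append(ClipboardEvent(t_ms, text))
        swapped = clipper_swap(text, attacker_wallets)
        if swapped != text:
            events.append(ClipboardEvent(t_ms + clipper_delay_ms, swapped))
    return events


if __name__ == "__main__":
    for a in detect_clipper(simulate_victim(USER_COPIES, ATTACKER_WALLETS)):
        print(f"t={a.t_ms}ms {a.family}: {a.original} -> {a.replaced_with}")
```

On a real Windows host the event stream would come from polling the clipboard (for instance `Get-Clipboard` in PowerShell or the Win32 clipboard APIs), and the window needs tuning. The heuristic catches a rewrite that closely follows the user's copy, which is how the clippers described here behave, but it will miss a variant that waits until the paste. The loose regexes are prefix checks, not checksum validation, so treat an alert as a prompt to compare the pasted address with the source, never as proof either way.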


“Between April 2020 and January 2023, the hacker distributed 2.8 million instances of malware disguised as an illegal Windows activation tool (KMSAuto),” the police report.

“Through this malware, the hacker siphoned virtual assets totaling approximately KRW 1.7 billion ($1.2 million) across 8,400 transactions involving 3,100 virtual asset addresses.”

The police opened the investigation in August 2020 after receiving a report of cryptocurrency theft in which victims’ systems were infected by clipper malware that altered copied wallet addresses, redirecting funds to the perpetrator.

[Figure: Attack overview. Source: police.go.kr]

Investigators traced the infections to the trojanized KMSAuto tool and found that at least six cryptocurrency exchanges were affected.

After tracing the stolen funds and identifying the suspect, a raid was conducted in December 2024 in Lithuania, resulting in the confiscation of 22 items, including laptops and mobile devices.

Analysis of the seized items yielded crucial evidence, leading to the hacker’s arrest in April 2025 while en route from Lithuania to Georgia.

The South Korean police have warned the public against using pirated software, since such tools are a common vehicle for malware and can compromise the security of the system they are run on.

This kind of software has frequently been leveraged for malware distribution. Recently, cybercriminals have impersonated the Microsoft Activation Scripts (MAS) tool to spread PowerShell scripts that delivered the Cosmali Loader malware.

It is advisable to refrain from using unofficial software product activators and, more generally, any Windows executables that are not digitally signed or whose authenticity cannot be verified.
