"Pay up or we share the tapes": Hackers target massage parlour clients in blackmail scheme

South Korean police have uncovered a hacking operation that stole sensitive data from massage parlours and blackmailed their male clientele.

According to local media reports, the Gyeonggi Nambu Provincial Police Agency believes that 15 people were involved in a criminal scheme that saw the owners of massage parlours tricked into installing apps that claimed to offer business services - but actually helped hackers steal the private details of customers.

Customers' names, phone numbers, call logs, and text messages were reportedly stolen through the malicious app, enabling the extortionists to send threatening messages to their intended victims:

We installed cameras in the massage rooms and have your video. If you don’t pay, we’ll send it to your family and friends.

In reality, the hackers only had the customers' details, and did not have access to any video footage of what happened in the privacy of the massage parlours. However, according to police, the mere threat of exposure was enough to convince 36 people to respond by sending money to the criminals.

Victims are said to have paid amounts ranging from 1.5 million to 47 million Korean Won (approximately USD $1,000 to $32,000) each.

In all, the gang is said to have attempted to extort nearly 200 million Korean Won (approximately US $105,000) through the scheme.

Police believe that the hackers started collecting customer details from massage parlours in Seoul, Gyeonggi, and Daegu in January 2022, having tricked nine massage business owners into installing the malicious app.

The gang set up its own office in Nam District in south-central Busan, with some members tasked with exfiltrating data, some with pressuring targeted victims into paying up, and others with laundering extorted funds.

The criminal gang was exposed accidentally after an unrelated investigation by police where they discovered a malicious app on a massage parlour owner's phone.

In August 2023, the gang's alleged leader and another member were arrested, while other suspects went on the run. Police say that the fugitives have been caught since - including one who is alleged to have continued operating the scheme to extort even more money from victims while evading arrest.

Sadly there has been a long history of cybercriminals blackmailing members of the public by threatening to disclose embarrassing or sensitive information.

In the infamous case of Finnish psychotherapy provider Vastaamo, a hacker stole therapy notes of thousands of patients and threatened to release the details if they did not individually pay a ransom.

The result was long-term trauma for many of those affected, Vastaamo's CEO ultimately resigning in disgrace, and the bankruptcy of the company.

Another hacking group, known as The Dark Overlord, built a reputation for itself with similar tactics - stealing medical and other records, and then threatening to dump records publicly if they did not receive a ransom.

What makes the latest case from South Korean case particularly striking is how ordinary the victims are. The hackers were not targeting banks, hospitals, or government agencies. Instead, their victims were individuals who walked into a massage parlour expecting a private service.

The private shame of the victim was exploited in a criminal campaign that was highly effective and, if it had not been uncovered by police, could easily have gone unreported for a long time.