Two South Korean teenagers were this week charged with breaching Seoul’s public bike service, Ttareungyi.
Identified only as Persons A and B, the pair, now of high school age, allegedly carried out the attack on Ttareungyi in June 2024 and stole data belonging to most of the service’s registered users.
Officials said the leak affected 4.62 million people and with Ttareungyi reportedly having around 5 million registered users, that amounts to roughly 90 percent of all users.
Person A carried out the attack that gained access to the data trove, while Person B was the one who suggested downloading it, police said. The information included user IDs, phone numbers, home addresses, email addresses, dates of birth, genders, and weights.
The Cyber Investigation Unit of the Seoul Metropolitan Police Agency confirmed the charges on Monday, saying the pair carried out the attack while still in middle school.
Police said they arrested the two teens on suspicion of violating the Information and Communications Network Act, and referred their case to the public prosecutor. They are not currently being detained pre-trial, although police twice sought to detain Person A, requests that were denied owing to their age.
The pair met on Telegram and bonded over their shared interest in information security, according to the announcement. Person B allegedly told the police that they carried out the attack to test and demonstrate their skills, while Person A exercised their right to remain silent.
Their involvement in the Ttareungyi hack was only uncovered as part of a separate investigation into what police describe as a DDoS attack on a private mobility rental company in April 2024, allegedly carried out by Person B.
After seizing the minor’s devices, police found evidence linking them to the Ttareungyi strike and the identity of Person A, the Chosun news outlet reported.
Officials notified Seoul Facilities Corporation, a government-owned company that oversees the Ttareungyi program, in January 2026 about their intention to investigate the public body regarding the security of its systems, according to Korea Times.
Police said there is no evidence the compromised data has been leaked or sold, although investigators believe the pair’s intention was to profit from the theft. ®