Two teenagers have been charged with unauthorized access and data breach regarding the personal information of 4.62 million users of Seoul's public bicycle service, known as Ddarungi. The Seoul Cyber Investigation Unit confirmed that the minors accessed the Ddarungi server resulting in data exposure that included sensitive information such as phone numbers, addresses, and dates of birth. According to police, no evidence of the misuse of the leaked information has been found as of now.

The suspects, identified to have infiltrated the Ddarungi system in June 2024, reportedly did so over two days while they were still middle school students. Their breach was initially discovered during an investigation into a previous DDoS attack against a private mobility rental firm in April 2024. Upon examining electronic devices from a suspect involved in that attack, police found data files associated with the Ddarungi service, which led to the identification and apprehension of the main perpetrator.

The investigation revealed that the minors were motivated by curiosity and the desire to demonstrate their hacking skills. They communicated over Telegram to plan the attack, with one suspect suggesting they extract user data from the Ddarungi server after discovering its vulnerabilities. While the police suspect there might have been intent to sell the data, no evidence has confirmed this claim. Investigations into the Ddarungi management for potential negligence during the data breach are also underway.