Full Report
On December 4, 2025, a 17-year-old was arrested in Osaka under Japan’s Unauthorized Access Prohibition Act. The young man had run malicious code to extract the personal data of over 7 million users of Kaikatsu Club, Japan's largest internet cafe chain. When asked, the young man shared his motivation for the hack: he wanted to buy Pokémon cards. In a sense, this is a fairly conventional story.
Analysis Summary
# Incident Report: AI-Assisted Breach of Kaikatsu Club
## Executive Summary
In December 2025, a 17-year-old non-technical individual was arrested for exploiting the systems of Kaikatsu Club, Japan’s largest internet cafe chain. Using AI-assisted coding tools, the attacker exfiltrated personal data belonging to over 7 million users. The incident highlights a significant shift in the threat landscape where advanced Large Language Models (LLMs) enable unskilled actors to execute high-impact breaches.
## Incident Details
- **Discovery Date:** December 4, 2025
- **Incident Date:** Late 2025
- **Affected Organization:** Kaikatsu Club
- **Sector:** Hospitality / Entertainment (Internet Cafe Chain)
- **Geography:** Osaka, Japan
## Timeline of Events
### Initial Access
- **Date/Time:** Circa late 2025
- **Vector:** Exploitation of web vulnerabilities via AI-generated malicious code.
- **Details:** The attacker utilized LLM-backed agent systems to develop code capable of bypassing standard security protocols despite having no formal technical background.
### Lateral Movement
- **Details:** The attacker moved from initial web entry points to backend databases housing user information, guided by AI-assisted discovery techniques.
### Data Exfiltration/Impact
- **Details:** Malicious code was executed to extract the personal records of approximately 7 million customers. The motivation was cited as personal financial gain to purchase Pokémon cards.
### Detection & Response
- **How it was discovered:** Law enforcement investigation led by Japanese authorities following unauthorized access alerts.
- **Response actions taken:** Arrest of the suspect in Osaka and subsequent filing of charges under the Unauthorized Access Prohibition Act.
## Attack Methodology
- **Initial Access:** AI-assisted development of malicious code (likely targeting web-facing vulnerabilities).
- **Persistence:** Not explicitly detailed, though the volume of data suggests sustained access.
- **Discovery:** AI agents used to identify database structures and high-value targets.
- **Collection:** Automated scripts to aggregate personal user data.
- **Exfiltration:** Systematic extraction of 7+ million user records.
- **Impact:** Massive data breach resulting in legal action and systemic reputational damage.
## Impact Assessment
- **Financial:** High potential cost related to legal penalties, victim notification, and security remediation.
- **Data Breach:** Over 7,000,000 sets of personal user data compromised.
- **Operational:** Disruption of customer trust and potential regulatory audits under Japanese privacy laws.
- **Reputational:** Significant public fallout for Japan's largest internet cafe chain.
## Indicators of Compromise
- **Behavioral indicators:** Unusual query patterns hitting user databases; automated extraction behavior originating from unexpected internal or external sources.
- **Technique:** "N-day" vulnerability exploitation executed within an accelerated timeframe (under 44 days).
## Response Actions
- **Containment:** Secured affected databases and closed entry points exploited by the malicious code.
- **Eradication:** Removal of injected code and scripts.
- **Recovery:** Restoration of secure operations and cooperation with Osaka police.
## Lessons Learned
- **Lowered Barrier to Entry:** The primary lesson is that technical sophistication is no longer a prerequisite for high-impact cybercrime due to the availability of agentic AI coding tools.
- **Zero-Day Pressures:** Attackers using AI can now develop exploits for known vulnerabilities faster than organizations can patch them (Time-to-exploit reaching historic lows).
## Recommendations
- **AI-Driven Defense:** Implement AI-based security monitoring to detect machine-speed attacks and anomalous behavior.
- **Vulnerability Management:** Prioritize rapid patching cycles, as AI tools have reduced the "safe" window for patching to less than 40 days.
- **Enhanced Data Protection:** Utilize encryption and strict access controls (Zero Trust) for databases containing large volumes of personal information to mitigate the impact of internal or external breaches.