Upbit Loses $36M In Solana Hot Wallet Breach As Lazarus Group Emerges As Prime Suspect
South Korean authorities are investigating whether North Korea's notorious Lazarus hacking group orchestrated a $36 million breach at the country's largest cryptocurrency exchange, with the attack landing exactly six years after the platform's previous major security incident attributed to the same state-sponsored actors.

Upbit suspended deposits and withdrawals Thursday after detecting unauthorized transfers of approximately 44.5 billion won ($36 million) in Solana-based assets from a hot wallet to unknown external addresses.

The breach occurred at 4:42 a.m. local time on November 27, prompting immediate emergency protocols and a platform-wide freeze on all transaction services.

Government and industry sources told Yonhap News Agency that investigators analyzing wallet flows and intrusion vectors now suspect attackers either compromised an administrator account or successfully impersonated an internal operator - tactics closely mirroring the 2019 incident, when 342,000 ETH worth $50 million was stolen in an attack later linked to Lazarus and the related North Korean group Andariel.

What Happened

The breach affected more than 20 Solana ecosystem tokens including SOL, USDC, BONK, Jupiter, Raydium, Render, Orca and Pyth Network. Dunamu, which operates Upbit, confirmed the unauthorized withdrawals and pledged full reimbursement to customers using the exchange's operational reserves. The company reported holding 67 billion won in reserves for hacks or system failures as of September, under South Korea's crypto user protection law.

"We have identified the exact amount of digital assets that were leaked, and we will fully cover the loss with Upbit's own assets so that customers are not affected in any way," said Oh Kyung-seok, CEO of Dunamu, in a statement. The exchange moved remaining assets to cold storage to prevent additional withdrawals while forensic teams investigated.

Upbit froze approximately 2.3 billion won ($1.6 million) worth of Solayer tokens through on-chain measures and is coordinating with token issuers to freeze additional traceable assets. Blockchain forensics firms identified rapid transfers across multiple wallets and mixing activity consistent with previous Lazarus laundering patterns, according to security officials.

"Instead of attacking the server, it is possible that hackers compromised administrators' accounts or posed as administrators to make the transfer," a government official told Yonhap. The approach points to targeted account manipulation rather than a direct attack on Upbit's infrastructure, reinforcing comparisons to previous Lazarus operations.

Regulators from the Ministry of Science and ICT, the Financial Services Commission and other supervisory bodies have launched on-site inspections of Upbit's systems, focusing on hot wallet key management and internal network security. The exchange said it is conducting a comprehensive review of its entire digital asset deposit and withdrawal system and will resume services sequentially once safety is confirmed.

Blockchain security firm CertiK observed that the speed and scale of withdrawals resembled previous Lazarus-related attacks, though it does not yet have definitive on-chain evidence. The firm followed fund flows of over 100 exploiter addresses on Solana and continues monitoring movement to trace connections to Lazarus-related laundering networks.

The timing of the attack has fueled speculation about the hackers' motives. The breach occurred on the same day Naver Financial, a subsidiary of Korean internet giant Naver, announced a $10.3 billion stock-swap deal to acquire all of Dunamu's equity. The merger would make Dunamu a wholly owned subsidiary and represent one of the most consequential corporate transitions in South Korean crypto.

"Hackers tend to have a strong desire to show off," a security expert told Yonhap, suggesting attackers may have intentionally chosen November 27 to maximize attention during the high-profile merger announcement. The date also marked the sixth anniversary of Upbit's 2019 hack to the day.

Why It Matters

The Upbit breach represents the latest entry in what has become a record-setting year for cryptocurrency security incidents. Losses from hacks and exploits exceeded $2.4 billion in 2025, with the massive $1.5 billion Bybit exchange hack in February dominating the total. The Bybit attack - the largest in crypto history - was also attributed to North Korea's Lazarus Group.

According to blockchain security firm CertiK, the first half of 2025 witnessed $2.47 billion in losses due to hacks, scams and exploits, representing a nearly 3 percent increase compared to $2.4 billion stolen in all of 2024. Wallet compromise emerged as the costliest attack vector with over $1.7 billion stolen across 34 incidents. Phishing attacks accounted for the highest number of security incidents with 132 breaches and $410 million stolen.

The Lazarus Group has repeatedly employed a variety of tactics, moving from exchange intrusions to supply chain attacks and compromise of developer environments. The group has deployed custom malware clusters, social engineering lures and massive laundering infrastructure, routing stolen cryptocurrency through mixers and bridges across different chains. Security experts note that North Korea, facing foreign currency shortages, uses stolen cryptocurrency to fund regime activities.

In the 2019 Upbit attack, investigators concluded that more than half the stolen ETH was laundered through exchange accounts created with false identities, using methods typical of Lazarus including wallet hopping and mixing techniques. The group has previously targeted crypto platforms to maximize impact and exposure, suggesting attacks may be deliberately staged to exploit heightened public attention.

"It is their standard approach to scatter tokens across multiple networks to break tracking," a security official said. Blockchain analysis provider Dethective reported that wallets linked to the suspected hacker have already begun moving funds, indicating the laundering process has commenced.

The breach at Upbit also highlights persistent vulnerabilities in hot wallet infrastructure, which must remain online for operational purposes. While cold wallets storing the majority of exchange assets remained secure, hot wallets - which handle active trading and withdrawals - continue to present attractive targets for sophisticated attackers. Even long-standing platforms that have undergone numerous security audits have not been spared, with the $128 million Balancer protocol hack in November demonstrating the breadth of the threat landscape.

Upbit's ability to fully reimburse customers from operational reserves provides some reassurance, but the incident represents a significant direct financial hit to the exchange and Dunamu as it navigates integration with Naver Financial. The merger had been positioned as a strategic move to invest 10 trillion won over five years to develop AI and Web3 technology infrastructure in South Korea. The hack landing hours after the acquisition announcement creates an awkward backdrop for the newly combined entity.

Authorities continue tracking the stolen assets through blockchain analysis while conducting forensic reviews of Upbit's security infrastructure. The exchange has not provided a timeline for resuming deposit and withdrawal services, though security audits following incidents of this magnitude typically require several days or longer depending on findings.

Disclaimer: The information provided in this article is for educational purposes only and should not be considered financial or legal advice. Always conduct your own research or consult a professional when dealing with cryptocurrency assets.
Upbit Loses $36M In Solana Hot Wallet Breach As Lazarus Group Emerges As Prime Suspect | Yellow.com