South Korea Probes $30 Million Upbit Hack, Points to North Korea’s Lazarus Group as Prime Suspect

South Korean authorities are ramping up their investigation into a significant cryptocurrency theft that hit Upbit in November. Early assessments suggest that the attack has the marks of North Korea’s state-backed Lazarus Group. The theft, worth over $30 million, is the latest in a series of complex digital breaches linked to this elusive hacking group, which remains a major threat to the global crypto industry.

Upbit has promised to compensate users and resume operations once the breach is fully contained. However, security officials and analysts caution that this incident shows a rise in cyber activities connected to North Korea, pointing to ongoing concerns about the safety of centralized exchanges.

A New Breach Triggers Old Fears

The attack became known after Upbit confirmed that nearly 44.5 billion won, which is just over $30 million, in cryptocurrencies had been stolen from one of its hot wallets. Initial estimates had put losses at 54 billion won, but the exchange updated this figure after further checks.

In a statement about their initial response, Upbit explained that hackers accessed a wallet holding various tokens on the Solana blockchain. At least 24 Solana-based assets were taken from the affected wallet, leading the exchange to suspend all deposits and withdrawals as a safety measure. Engineers began isolating infrastructure and conducting security checks to prevent further losses.

Upbit reassured users that it would refund all impacted customers using its own reserves. This step aims to stabilize market confidence and prevent panic withdrawals. However, the exchange also announced that a full technical review of the incident is still in progress, with detailed findings expected once investigators finish their work.

Echoes of 2019: Recognizable Tactics Raise Concerns

While the exact point of entry remains unconfirmed, several cybersecurity experts and industry contacts have informed local media that this incident shows strong similarities to a 2019 breach that also targeted Upbit. In that case, attackers stole around 342,000 ETH, worth nearly $50 million at the time, using methods often linked to the Lazarus Group.

One source involved in the current investigation indicated that the tactics point to “credential-level compromise” instead of direct attacks on server vulnerabilities. They suggested that the hackers might have gained administrator access through impersonation or stolen credentials. This pattern fits previous Lazarus attacks that involved detailed social engineering and phishing schemes.

Lazarus has a history of breaching crypto organizations by targeting developers, privileged users, and system administrators. Previous tactics include spear-phishing emails disguised as business messages, Trojanized developer tools, and job offer documents with embedded malware. The aim is consistently the same: to secure administrative access without raising automated security alerts.

A Multibillion-Dollar Cyber Operation With Global Implications

Over the past decade, the Lazarus Group has turned into one of the world’s most infamous cyber-criminal organizations, believed to operate under North Korea’s Reconnaissance General Bureau. Various intelligence agencies from the United States, South Korea, and Europe have connected the group to over $3–4 billion in stolen digital assets, which experts say help sustain the country’s economy amid sanctions.

Analysts have pointed out that cryptocurrency theft plays a key role in North Korea’s illegal funding strategy. With international pressure mounting over the country’s weapons program, state-backed cyber theft has reportedly become an essential source of income. Cryptocurrencies, which can be transferred across borders without traditional banking hurdles, are prime targets.

Despite sanctions, arrests, and intense international scrutiny, the group continues to operate across multiple continents, using global exchanges, crypto mixers, and layered tactics to hide their fund movements.

Blockchain Analysis Reveals Familiar Laundering Paths

Shortly after the theft from Upbit, blockchain intelligence firm Dethective released an analysis tracing how the stolen assets were moved. The firm noted that the attackers quickly swapped the tokens for USDC, a dollar-pegged stablecoin, and then bridged the funds to the Ethereum network.

This laundering route is not new. Past hacks linked to Lazarus, including the Ronin bridge incident and various exchange breaches, have followed similar patterns to exploit liquidity markets before scattering assets further into the crypto ecosystem.

A senior security official told reporters that the movement observed “lines up with Lazarus operational patterns.” He mentioned that attackers usually send stolen funds to wallets at secondary exchanges or anonymizing services, which helps them obscure direct on-chain links and complicates future attempts to recover the assets.

Investigators also highlighted the likelihood that mixers—tools designed to hide transaction origins and targets—would be used in later stages. These services have attracted increasing attention from regulators as they are central to global crypto-laundering efforts.

The Timing of the Attack Raises Questions

Another aspect of the breach that has drawn interest is its timing. Some security experts suggest that the attack may have been purposely timed with a major announcement from Upbit’s parent company, Dunamu.

Just one day before the breach, Dunamu announced a merger with Naver Corp., one of South Korea’s largest tech companies. This deal is expected to enable an eventual listing in the United States, significantly enhancing the company’s global presence and strategic position.

One official speculated that the timing might not have been coincidental, describing the breach as a possible act of “self-display,” referring to cyberattacks carried out to make a statement or send a signal. While this remains speculative, it underscores the complex links between cybercrime, geopolitics, and valuable economic activities.

Lazarus Is Connected to Some of the Biggest Crypto Heists Ever Documented

The Upbit incident adds to a growing list of security breaches in 2024 and 2025 believed to involve the Lazarus Group. The organization is suspected of executing several high-profile attacks this year alone, including a February breach in which hackers stole about $1.5 billion from the exchange ByBit.

U.S. officials later attributed the ByBit hack to Lazarus’s “TraderTraitor” subgroup, which has previously targeted developers, traders, and exchange staff. The scale and technicality of that incident raised serious concerns about the group’s capabilities and resources.

Security agencies are increasingly worried about the more complex tactics employed by Lazarus. These now include AI-driven phishing campaigns, cross-chain money laundering techniques, and the exploitation of decentralized finance protocols. Analysts have cautioned that the group’s evolving skills could surpass even the defenses of major exchanges.

Upbit, Global Exchanges, and the Larger Issue of Hot Wallet Security

The Upbit breach has sparked renewed discussions about the security of centralized cryptocurrency exchanges, particularly regarding the management of hot wallets—online storage systems that facilitate quick transactions but carry risks due to continuous internet exposure.

Most exchanges keep the bulk of their holdings in cold wallets (offline storage), but hot wallets are vital for day-to-day liquidity. The same always-online convenience that makes them useful also makes them a significant point of exposure for the industry.

Security experts argue that even advanced security measures can fail when attackers use social engineering or compromise trusted insiders, making operational security just as critical as technical safeguards.
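One control that addresses the pattern described above (many distinct assets drained from a single hot wallet, possibly under stolen administrator credentials) is a policy check that watches on-chain outflow behaviour rather than who authorised it. The example below is added here and is not Upbit's code or Dethective's analysis; the wallet id, asset labels, timestamps and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawal events for a hypothetical hot wallet "hot-01".
# Each event: (ISO timestamp, wallet id, asset label, approximate USD value).
# The first two are routine; the rest mimic a rapid multi-asset drain.
EVENTS = [
    ("2025-11-27T04:00:00", "hot-01", "SOL", 1_200.0),
    ("2025-11-27T04:02:00", "hot-01", "SOL", 800.0),
    ("2025-11-27T04:20:00", "hot-01", "USDC", 5_000.0),
    ("2025-11-27T04:21:00", "hot-01", "TOKEN_A", 9_000.0),
    ("2025-11-27T04:21:30", "hot-01", "TOKEN_B", 12_000.0),
    ("2025-11-27T04:22:00", "hot-01", "TOKEN_C", 7_500.0),
    ("2025-11-27T04:22:40", "hot-01", "TOKEN_D", 15_000.0),
    ("2025-11-27T04:23:10", "hot-01", "TOKEN_E", 20_000.0),
]


def detect_drain(events, window=timedelta(minutes=10),
                 max_assets=5, max_usd=50_000.0):
    """Return one alert per hot wallet that, inside a sliding time window,
    either moves more distinct assets than max_assets or more value than
    max_usd. The check is independent of which credential signed, so it
    still fires when an attacker holds legitimate admin access."""
    by_wallet = defaultdict(list)
    for ts, wallet, asset, usd in sorted(events):  # ISO strings sort by time
        by_wallet[wallet].append((datetime.fromisoformat(ts), asset, usd))

    alerts = []
    for wallet, evs in by_wallet.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            assets = {a for _, a, _ in span}
            total = sum(u for _, _, u in span)
            if len(assets) >= max_assets or total >= max_usd:
                alerts.append({"wallet": wallet, "at": evs[end][0].isoformat(),
                               "assets": len(assets), "usd": total,
                               "action": "freeze_withdrawals"})
                break  # one alert is enough to trigger a freeze for this wallet
    return alerts


if __name__ == "__main__":
    for alert in detect_drain(EVENTS):
        print(alert)
```

In practice the thresholds would be derived from each wallet's historical outflow baseline, and the freeze action would require an out-of-band approval to lift.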

Regulators on High Alert as Crypto Exchanges Reevaluate Risks

After the breach, South Korea’s financial and cybersecurity regulators have stepped up their scrutiny of domestic exchanges. Authorities are likely to review Upbit’s internal controls, investigate the breach’s timeline, and issue new compliance measures if needed.

Globally, this incident may prompt renewed discussions about cyber resilience, insurance, and regulatory oversight in the crypto space. Experts warn that as state-sponsored actors become more sophisticated, exchanges must adapt—especially those operating at larger scales or maintaining significant hot wallet reserves.

An Ongoing Threat Without Easy Solutions

As the Upbit investigation unfolds, analysts stress that this latest attack highlights the wider challenges facing the crypto ecosystem. The Lazarus Group has shown itself to be highly adaptable, resourceful, and relentless. It remains one of the few criminal organizations capable of conducting multi-layered attacks across global infrastructures.

For crypto exchanges, this incident serves as a reminder that even strong defenses may not be sufficient against state-backed attackers. For regulators, it emphasizes the need for international collaboration in tracking, identifying, and isolating harmful actors. And for users, it illustrates the ongoing risks that come with digital asset markets.

Upbit has not yet shared the full results of its post-incident review. Authorities say more details will be released once the forensic analysis is completed.

Source: crypto.news