South Korean authorities are investigating whether the notorious North Korea-linked Lazarus Group was behind the latest major breach at Upbit, the country’s largest cryptocurrency exchange. The probe follows a high-impact incident in which roughly 54 billion Korean won ($36–$37 million) in Solana-based assets were siphoned from one of the platform’s hot wallets.
Upbit Confirms Hot Wallet Breach After Suspicious Solana Activity
Upbit suspended both deposits and withdrawals on Thursday after detecting abnormal movements across its Solana token holdings. The exchange later confirmed that an unauthorized withdrawal from its hot wallet had taken place, marking Upbit’s second major hot-wallet-related breach since 2019.
Authorities now believe the attackers may have exploited or impersonated Upbit’s internal administrative credentials — a tactic that closely resembles the methods used in past Lazarus-related operations.
Cybersecurity analysts also pointed out that the way the stolen funds were laundered aligns with known Lazarus mixing patterns. With North Korea’s foreign currency shortages intensifying, experts say the country has strong incentives to scale its cyber-theft operations.
Lazarus Pattern Mirrors 2019 Upbit Breach
Investigators noted multiple similarities between this attack and the 2019 Upbit hack, which resulted in the loss of $49 million and was later linked to Lazarus. Both incidents involved hot-wallet vulnerabilities and sophisticated credential-level manipulation rather than typical phishing or infrastructure attacks.
Security commentators emphasized that the group frequently leverages advanced operational security, fast fund-movement protocols, and onchain obfuscation tools — all present in the Upbit 2025 breach.
Suspicious Timing Raises Further Questions
The breach took place on Nov. 27, the same day that Upbit’s parent company, Dunamu, announced a major merger initiative with Korean tech conglomerate Naver. The coincidence has fueled speculation about whether the hackers intentionally selected the date for symbolic impact.
A cybersecurity expert quoted by Yonhap suggested that the timing may have been deliberate, stating that attackers “often have a strong desire to show off” and may have chosen the merger announcement day to amplify disruption or signal capability.
Ongoing Investigation
Upbit has since secured affected wallets and is working with law enforcement and blockchain analytics firms to trace the stolen assets. South Korean regulators and intelligence agencies are now assessing whether Lazarus’ known digital fingerprints match the activity observed during the breach.
Authorities have not yet issued a final attribution, but early indications point strongly toward the North Korea-linked hacking collective, which remains one of the most prolific state-sponsored cyber-crime groups targeting global crypto infrastructure.