
Upbit $30 Million Hack Update: Authorities Link Breach To North Korean Hackers

29 November 2025 at 02:00

South Korea’s largest cryptocurrency exchange, Upbit, is currently under scrutiny by regulators following a significant hack that led to the unauthorized withdrawal of approximately $36.9 million in assets on the Solana (SOL) network. The breach impacted over 20 different tokens and has prompted Upbit to freeze assets on its platform while an investigation unfolds.

Lazarus Group Tied To Upbit Hack

Authorities are now investigating the possibility of North Korean involvement in the cyber attack. Reports suggest that a group affiliated with North Korea’s intelligence agency, the notorious Lazarus Group, may have orchestrated the hack, which Upbit has described as an “abnormal withdrawal.”

This group has been consistently linked to several high-profile crypto heists in recent years, and the US Federal Bureau of Investigation (FBI) has identified North Korean cyber operations as one of the most sophisticated and persistent threats.

The recent attack coincidentally occurred just days before the sixth anniversary of a previous major breach, in which Upbit lost 342,000 Ethereum (ETH) to North Korean hackers.

According to an unnamed government official, this latest hack bears similarities to a 2019 incident in which approximately 58 billion won in cryptocurrencies was stolen, also attributed to the Lazarus Group.

In response to the attack, the South Korean National Police Agency has launched an investigation into the matter, although officials have not provided further comments on the case. Upbit’s operator, Dunamu, confirmed that an in-depth investigation into the cause and extent of the asset outflow is currently underway.

Crypto Exchange Moves Funds To Cold Storage

The cryptocurrency exchange’s CEO Oh Kyung-seok stated that as soon as abnormal withdrawal activity was detected, Upbit promptly suspended all deposit and withdrawal services.

“We are conducting a comprehensive inspection, prioritizing the protection of member assets,” he said in a notice to users. Following the discovery of the unauthorized transactions, Upbit has taken steps to freeze the affected funds wherever possible.

To prevent any further unauthorized transfers, the exchange has shifted all remaining assets to cold storage, ensuring “a secure environment for funds.”

Upbit is also said to be working with relevant project teams to freeze assets on-chain, having already blocked a portion of the stolen funds related to the cryptocurrency Solayer (LAYER). The exchange has indicated that deposits and withdrawals will only resume once full security checks are completed.

Dunamu has vowed to reimburse customers for any losses with business funds as part of its commitment to its users. It remains to be seen what additional information the country’s authorities will release in the coming days, as well as potential refund deadlines for affected individuals.


$32 Million Crypto Heist: North Korea’s Lazarus Suspected In Upbit Breach

28 November 2025 at 15:00

South Korea’s largest cryptocurrency exchange, Upbit, is facing a second major security crisis after 44.5 billion won (around $30–32 million) in digital assets were drained from a hot wallet, with authorities “strongly” suspecting North Korea’s Lazarus Group.

According to ICT industry sources and government officials cited by Yonhap News on November 28, investigators are focusing on Lazarus, a hacking unit under North Korea’s Reconnaissance General Bureau, as the likely perpetrator. The group was also suspected in Upbit’s 2019 breach, when approximately 58 billion won in Ethereum was stolen.

North Korean Crypto Hackers Strike Again

The latest incident again centers on a hot wallet — an internet-connected operational wallet — replicating the core vulnerability of 2019. A government official quoted by Yonhap said the attack likely did not involve a deep server exploit but instead an administrative compromise: “Rather than a server attack, it’s possible they compromised an administrator account or impersonated an administrator to transfer funds,” adding that because the earlier hack used this method, “we consider this approach the most likely.”

Security experts point to the post-hack on-chain behavior as key circumstantial evidence. After the theft, the funds were rapidly “hopped” through other exchange wallets and then subjected to “mixing,” a laundering technique designed to break traceability.

One expert noted that “funds were hopped to other exchange wallets before mixing occurred. This can be seen as the modus operandi of the Lazarus Group,” adding that “once mixing occurs, transactions become untraceable.” Because FATF member countries cannot legally operate mixing services, the expert argued it is “highly likely North Korea was responsible.”

The timing has raised additional suspicion. The hack occurred on November 27, the same day Naver and Upbit operator Dunamu held a high-profile joint press conference at Naver’s “1784” headquarters to present their group-integration and AI/Web3 expansion strategy.

A security expert suggested the date may have been intentionally chosen: “Hackers often have a strong desire to show off. It’s possible they chose the 27th as the hacking date to flaunt their timing, selecting the very day of the merger announcement.” The attack also lands almost exactly six years after Upbit’s 2019 hack, which occurred on November 27.

Regulatory and supervisory bodies have moved quickly. Following a December interpretation by the Financial Services Commission that virtual asset exchanges’ user transaction data falls under the Credit Information Act, the Financial Supervisory Service and the Korea Financial Security Institute have launched an on-site inspection of Upbit. The Korea Internet & Security Agency has joined to provide technical support.

At press time, the total crypto market cap stood at $3.07 trillion.
