$36M Vanishes at Upbit; South Korea Suspects Lazarus’ Return

2025/11/28 22:03

South Korean authorities are intensifying their investigation into the recent hack targeting Upbit, the country’s largest cryptocurrency exchange, as evidence increasingly suggests involvement by the North Korea-linked Lazarus Group. 

Parallels to the 2019 Upbit Breach: Could It Be Lazarus?

According to reports from Yonhap News Agency, which cited government and industry officials, regulators are preparing an on-site inspection of the exchange as they examine the methods used in the attack.

Investigators have highlighted striking similarities between the latest exploit and an earlier attack on Upbit in 2019. Authorities said the techniques used in the 2025 breach align closely with the tactics associated with Lazarus, which was previously identified by South Korean police as the group responsible for the theft of 342,000 ETH from the exchange in November 2019.

Upbit initially froze deposits and withdrawals on Thursday after detecting abnormal activity involving Solana-based assets. The exchange later confirmed that the incident resulted in the unauthorized withdrawal of approximately 54 billion Korean won (around $36–$37 million) from a hot wallet. After further analysis, the figure was revised to roughly 44.5 billion won (about $30.4 million). 

Onchain Activity Reinforces Concerns

A government official told Yonhap that instead of direct server infiltration, the hackers likely infiltrated administrator accounts or impersonated system admins to authorize fraudulent transfers. This method of compromising or mimicking privileged credentials has strengthened investigators’ belief that the same group may once again be responsible.

Blockchain analytics firm Dethective reported that a wallet linked to the attacker quickly began converting stolen Solana into USDC before bridging the funds to Ethereum. Security experts noted that this pattern of laundering, including the use of mixers, is consistent with the methods employed by Lazarus in previous high-profile crypto thefts. Analysts also pointed to North Korea’s ongoing shortage of foreign currency as a possible motive for the operation.

Attack Coinciding With Major Corporate Merger

The timing of the breach has further fueled speculation. The attack occurred on November 27, the same day a major merger involving Upbit’s parent company, Dunamu, was officially confirmed. Naver Financial announced that Dunamu would become its wholly-owned subsidiary as part of a strategic effort to “secure future growth momentum based on digital assets.”

The coincidence raised questions about whether the date was intentionally selected. One security expert suggested to Yonhap that such timing may have been deliberate, commenting that “hackers tend to have a strong desire to show off,” and claiming that the hackers chose the day of the merger to get the most attention for their antics. 
