Upbit’s $32 Million Mystery Theft Points Toward Lazarus Group

Upbit, South Korea’s biggest cryptocurrency exchange, said it found unusual withdrawals from one of its Solana hot wallets and moved quickly to stop trades and protect customers.

According to company statements and law enforcement sources, about 44.5 billion Korean won — roughly $32 million — vanished in the incident that surfaced late November 2025. Upbit paused deposits and withdrawals and said it would repay affected users from its own reserves.

Suspected North Korean Ties

Based on reports from investigators and industry watchers, authorities are examining links to the Lazarus Group, a cyber unit long tied to North Korea.

Security teams point to methods similar to earlier attacks attributed to the same group, including a major breach in 2019 that took 342,000 ETH from the exchange.

Officials say the pattern of rapid withdrawals, quick cross-chain transfers, and spreading funds across many wallets matches tactics used in past nation-linked operations.

How The Funds Were Moved

Reports have disclosed that the stolen tokens were moved off Solana, converted through several bridges, and routed through multiple chains to make tracking harder.

Transfers happened fast and in many small transactions, which complicates tracing attempts on the blockchain. Blockchain analysts are combing transaction histories, but the bridge conversions and mixing steps slow down any straightforward recovery efforts.

Authorities have launched inspections at Upbit’s systems and are reviewing logs, admin access records, and wallet backups.

According to sources close to the probe, investigators suspect an admin credential compromise or impersonation rather than a simple software flaw in Upbit’s servers.

While evidence is still being gathered, forensic teams are looking for the entry point used to sign the withdrawal transactions and any indicators of outside control.

The timing of the theft drew attention because it coincided with corporate news: Upbit’s parent, Dunamu, had public talk of a merger with Naver valued at about $10.3 billion.

Market players noted the coincidence, and some suggested the attack could aim to distract or unsettle stakeholders. For investors, exchanges, and regulators, the incident renews calls for stricter custody controls, better separation of hot and cold wallets, and clearer rules for large crypto platforms.

Upbit has pledged full reimbursement to users hit by the theft and says it will share findings when the probe allows. Based on reports, tracing and recovery work is ongoing but will be slow because of how the assets were fragmented and moved across chains.

Watchers say confirmation of Lazarus involvement would mark another example of how state-linked actors continue to target major crypto firms.

Authorities have not yet publicly released a definitive attribution. The next steps to watch include any formal statements from prosecutors, whether any of the moved funds are frozen or returned, and how regulators will respond to reduce the chance of similar losses.

Featured image from Advance Innovations, chart from TradingView