
Upbit Exchange Hack: North Korea Suspected in $36 Million Crypto Theft

TLDR

  • South Korean authorities suspect North Korea’s Lazarus Group orchestrated the Upbit hack that stole approximately $36 million in crypto assets on Thursday
  • Upbit suspended all deposits and withdrawals after detecting unusual activity in Solana network tokens from its hot wallet
  • The attack methods matched those used in Upbit’s 2019 breach, where Lazarus stole 342,000 ETH worth hundreds of millions
  • Hackers likely compromised or impersonated admin accounts rather than directly attacking servers, similar to Lazarus tactics
  • The timing coincided with a merger announcement between Upbit’s parent company Dunamu and Korean tech giant Naver

South Korea’s largest crypto exchange Upbit suffered a major security breach on Thursday. The exchange suspended all deposit and withdrawal services after detecting unauthorized transactions involving Solana-based tokens.

Upbit initially reported losses of 54 billion Korean won, approximately $36.8 million. The exchange later revised this figure down to 44.5 billion won, or roughly $30.4 million. The funds were stolen from one of Upbit’s hot wallets, which store crypto assets online for quick access.

South Korean authorities are now investigating the incident. Government and industry sources told Yonhap News Agency that investigators suspect North Korea’s Lazarus Group orchestrated the theft. Officials are preparing an on-site inspection of Upbit’s facilities.

Pattern Matches Previous Attack

The attack methods used in Thursday’s hack closely resemble tactics employed in a 2019 Upbit breach. In that incident, hackers stole 342,000 ETH from the exchange. South Korean police concluded last year that Lazarus was responsible for the 2019 theft.

Security experts believe the hackers compromised administrator credentials rather than directly attacking Upbit’s servers. A government official explained that the attackers likely hijacked admin accounts or impersonated administrators to authorize the fraudulent transfers. This approach matches known Lazarus Group techniques.

Some security analysts noted that North Korea faces ongoing foreign currency shortages. These financial pressures provide motivation for state-sponsored hacking operations. Blockchain analysis shows the stolen funds were laundered using mixing techniques, a method commonly associated with Lazarus.

Suspicious Timing

The hack occurred on November 27, the same day Naver Financial confirmed its merger with Dunamu. Naver Financial announced it would integrate Dunamu as a wholly-owned subsidiary. The company stated the merger would “secure future growth momentum based on digital assets.”

The timing has fueled speculation about whether Lazarus deliberately chose this date. A security expert speaking to Yonhap suggested hackers often seek to demonstrate their capabilities. The expert said they may have selected the merger announcement date to maximize attention.

This marks Upbit’s second major hot wallet breach in six years. The exchange has not disclosed specific details about its security protocols or how the breach occurred.

Blockchain analysis provider Dethective tracked onchain movements of the stolen funds. Data shows a wallet linked to the hacker swapped Solana tokens for USDC stablecoin. The funds are being bridged to the Ethereum network.

Investigation Continues

South Korean authorities continue to gather evidence in the case. They have not formally charged any individuals or groups. The investigation includes analysis of transaction patterns and digital forensics on Upbit’s systems.

Upbit has not announced when it plans to resume normal deposit and withdrawal services. The exchange confirmed it will cover all customer losses from the breach using its own reserves.

The post Upbit Exchange Hack: North Korea Suspected in $36 Million Crypto Theft appeared first on Blockonomi.
