South Korea is facing another major cybersecurity breach. Authorities suspect North Korea’s Lazarus Group is behind a hack on Upbit, the country’s largest cryptocurrency exchange. According to a Yonhap report, about $30.4 million in cryptocurrencies were stolen through an abnormal withdrawal. The incident is similar to past attacks linked to Lazarus, raising concerns that North Korea continues to use crypto assets to bypass sanctions and fund its regime.
Upbit is South Korea’s largest cryptocurrency exchange, operated by Dunamu Inc. Founded in 2017, it quickly became a central platform for digital asset trading. Its size and activity have also made it a frequent target for hackers. On 27 November 2025, Upbit detected unauthorised transactions involving Solana (SOL) tokens. The exchange halted deposits and withdrawals after finding that around $37 million had been taken from one of its hot wallets. According to a Yonhap report, the stolen funds were moved across multiple wallets using multichain laundering techniques often linked to Lazarus.
Investigations suggest hackers compromised or impersonated admin credentials, enabling unauthorised transfers from Upbit’s Solana wallet. The hot wallet, connected to the internet for faster transactions, proved vulnerable to attack. Analysts noted similarities with the 2019 Upbit breach, indicating the same group or methods may have been involved.
The 2025 hack involved multichain laundering methods. Stolen SOL tokens were first converted into ETH and other assets, then moved across different blockchain networks to hide their origin. Mixing services and bridges were used to split and disguise the flow of funds, making tracing difficult without international cooperation between exchanges and blockchain analysts.
The Lazarus Group is a North Korean state-backed hacking organisation linked to the Reconnaissance General Bureau, the country’s main intelligence agency. It has carried out cyberattacks on financial institutions, cryptocurrency exchanges, and companies such as Sony Pictures. The US FBI identifies Lazarus as one of the most advanced persistent threats, with operations often driven by political goals and the need to generate funds for North Korea’s nuclear and weapons programmes.
In November 2019, Upbit was hacked, losing 58 billion won ($49 million) in Ethereum. Investigations linked the incident to the Lazarus Group. Both the 2019 and 2025 breaches happened in November, targeted hot wallets, and used complex laundering methods. Officials noted the similarities suggest Lazarus’ involvement.
South Korea’s National Police Agency began investigating the breach, with the National Intelligence Service assessing possible links to North Korea. Officials have not shared many details, but sources indicated the attack shows patterns associated with Lazarus.
Dunamu (Upbit’s operator) stated that affected users will be reimbursed from the company’s reserves. The exchange has frozen about $8.18 million in LAYER tokens linked to the theft and tightened withdrawal protocols to limit further losses.
With North Korea under sanctions, stolen cryptocurrencies are used to fund military activity and illicit trade. United Nations reports estimate more than $2 billion in crypto assets have been taken in recent years, often laundered through decentralised exchanges and privacy coins to avoid detection.
The FBI, Interpol, and blockchain forensics firms are expected to assist in the investigation. The US has already sanctioned wallets linked to Lazarus, with further restrictions likely as part of efforts against cybercrime.