South Korea’s largest cryptocurrency exchange, Upbit, has been hit by a $32 million security breach, and authorities believe the notorious North Korean hacking group Lazarus may be responsible. The attack, which occurred early on November 27, targeted Upbit’s hot wallets—echoing a similar 2019 incident in which the platform lost 58 billion won worth of Ethereum.
According to reporting from Yonhap News, investigators suspect that the Lazarus Group, linked to North Korea’s Reconnaissance General Bureau, carried out the operation. Government officials, alongside experts in the information and communications technology (ICT) sector, have launched an on-site inspection of Upbit’s systems.
A government source told Yonhap that the attackers may have bypassed server defences and instead compromised an administrator account. “Rather than attacking the server, it is possible that the administrator account was hijacked or that the funds were transferred by pretending to be the administrator,” the official said. The tactic closely mirrors the method used in the 2019 theft, reinforcing suspicion that the same threat actors are involved.
The stolen funds consisted mainly of Solana-based tokens, including SOL, USDC, and several smaller assets. Upbit said the unauthorised transfers were detected at around 4:42 a.m. KST, after which deposits and withdrawals were halted. Remaining assets were moved to cold wallets as Upbit began coordinating with law enforcement and blockchain analytics teams.
Cybersecurity researchers believe Lazarus executed a multi-layered attack chain. Analyst blackorbird reported that victims were tricked into downloading a fake installer for the Deriv trading platform. The malware then leveraged Python, .NET, and additional tools to harvest sensitive data such as passwords and wallet credentials. The group allegedly used AnyDesk backdoors and Tor to conceal their activity and maintain long-term access to compromised systems.
Analysts also suspect that the stolen assets may have been laundered through secondary exchange wallets. One expert cited by Yonhap noted that Lazarus often uses mixing-style techniques in jurisdictions outside FATF oversight to obscure transaction trails.
The incident occurred on the same day as a high-profile press event announcing the merger between Naver Financial and Dunamu, Upbit’s parent company. Security experts believe the timing may have been intentional, with one stating that “hackers tend to have a strong desire to show off.” The symbolic nature of the attack aligns with Lazarus’ history of staging operations to maximise visibility and geopolitical impact.
South Korea’s Financial Services Commission is responsible for oversight of crypto exchanges under the Credit Information Act, while the Financial Supervisory Service and Financial Security Service are conducting direct examinations at Upbit.
The breach also comes amid intensified international action against North Korea’s cyber activities. The U.S. Treasury recently sanctioned several Pyongyang-linked entities, including the Korea Mangyongdae Computer Technology Company and Ryujong Credit Bank, for their roles in laundering stolen cryptocurrency to support weapons development.
Speaking with Yonhap News TV, Second Vice Foreign Minister Kim Ji-na emphasised the importance of Seoul–Washington cooperation, noting that stolen cryptocurrency can be diverted to North Korea’s nuclear and missile programs.
The latest Upbit hack underscores persistent vulnerabilities in hot wallet infrastructure and the continued sophistication of state-linked cybercriminal groups. Authorities say stronger operational security and deeper international collaboration are essential to countering threats posed by the Lazarus Group.