South Korean Investigators Eye Lazarus Group After Major Upbit Breach

Upbit faced a major $30 million breach yesterday, tied to suspected Lazarus hackers. South Korean authorities have launched an investigation as the exchange vows full reimbursement.

Bitcoin coin beside a wallet with North Korea and Upbit imagery in the background, reflecting the Upbit hack linked to Lazarus suspects.

South Korean authorities are now examining whether North Korea’s Lazarus Group carried out the major security incident that struck Upbit this week. According to a report from Yonhap released Friday, investigators are preparing to conduct an on-site inspection at the country’s largest cryptocurrency exchange. 

The move follows Upbit’s disclosure that irregular withdrawals drained roughly $36 million worth of assets from multiple Solana-based tokens on Thursday, triggering an emergency response from operator Dunamu.

Upbit quickly froze affected wallets, shifted remaining funds offline, and announced that all customer losses would be fully reimbursed. A spokesperson for Dunamu said that “the abnormal withdrawals occurred from hot wallets. The cold wallets were not subjected to any breach or theft,” emphasizing that customer assets had been transferred to cold storage “to prevent any additional withdrawal.” 

The spokesperson added that the exchange was “taking on-chain measures to freeze transactions” and had already filed reports with relevant authorities, as required under local regulations.

Blockchain security firms have been analyzing the incident as well. PeckShield, the security firm that first surfaced Upbit’s disclosure on Thursday, said it had no comment about “the actor behind it” and had not seen “concrete evidence regarding the investigation yet.” CertiK, which maintains an analytics dashboard on Upbit through its Skynet program, said it followed fund flows across more than 100 exploiter addresses on Solana. 

A representative said “the speed and scale of withdrawals are reminiscent of previous Lazarus-related attacks,” though the firm does not yet have “definitive evidence on the chain,” noting it will continue monitoring to see whether movements align with known Lazarus-linked laundering networks.

Investigators are paying close attention because the Lazarus Group has a long and well-established history of large-scale crypto theft. The North Korean state-linked outfit has been tied to attacks on exchanges, DeFi platforms, and infrastructure providers around the world. In February, Arkham Intelligence attributed the Bybit hack, now considered the largest single crypto theft at over $1.4 billion, to Lazarus. 

Over the years, the group has shifted from direct intrusions to supply-chain compromises, developer-environment breaches, custom malware clusters, and detailed social engineering traps.

The early evidence in the Upbit case has raised concerns that this latest incident may follow the same pattern.

A Familiar Attack Method & a Rapidly Expanding List of Victims

Authorities in South Korea believe that the Upbit breach resulted in the theft of approximately 44.5 billion won, about $30.4 million, making it one of the most significant crypto incidents in the country this year. 

Yonhap reported that regulators are preparing a full inspection of Upbit’s systems, noting that the behavior of the attackers resembles the exchange’s 2019 breach, when 342,000 ETH (now worth roughly $1 billion) were drained. In 2024, South Korean police formally concluded that the Lazarus Group was responsible for that earlier theft.

At least 24 Solana-based tokens were siphoned from a compromised hot wallet in the latest attack. On-chain records indicate that a wallet connected to the exploiter has already begun swapping Solana for USDC and bridging funds to Ethereum.

The suspected method aligns closely with the group’s known techniques: instead of directly exploiting servers, the attackers may have compromised internal administrator accounts or impersonated administrative personnel to approve transactions. This form of social engineering has repeatedly proven effective for Lazarus, allowing it to bypass technical defenses.

The Upbit incident joins a long list of high-impact exploits attributed to North Korea this year. In 2025 alone, crypto theft linked to North Korean actors has exceeded $2 billion, the highest annual total ever recorded. Most of that emerged from the enormous $1.46 billion Bybit incident in February. Other attacks throughout the year targeted LND.fi, WOO X, and Seedify.

Taking a longer view, Lazarus is believed to have stolen between $5 billion and $6 billion in digital assets since 2017. Some of the most notable cases include the $625 million Ronin Bridge attack in March 2022 and the $100 million Harmony Horizon Bridge incident in June 2022. 

The FBI publicly attributed both attacks to the group. Much of the stolen crypto was funneled through Tornado Cash, with more than $555 million traced to laundering operations involving the mixer.

These operations extend far beyond ordinary cybercrime. The North Korean government has openly relied on cyber operations to support revenue streams for its weapons and missile programs. A United Nations report titled “The DPRK’s Violation and Evasion of UN Sanctions Through Cyber and Information Technology Worker Activities” warned that North Korea’s cyber activities pose a global security threat. 

Analysts estimate that stolen cryptocurrency may represent as much as 13 percent of North Korea’s GDP, with cyber operations possibly funding more than half of the country’s missile development budget.

In response to these escalating threats, the U.S. Treasury Department issued sanctions in November 2025 against eight individuals and two organizations tied to laundering proceeds from North Korean hacking operations. Yet as the Lazarus Group shifts increasingly toward social engineering, rather than exploiting technical vulnerabilities, defense becomes more difficult. Even with advanced security tools, human vulnerabilities remain a significant point of failure.

Upbit’s dominant position in South Korea’s crypto market adds even more weight to the incident. The Financial Supervisory Service reported that the exchange controlled 71.6 percent of domestic trading activity in the first half of 2025, processing 833 trillion won (about $642 billion) in transactions. Some estimates place the platform’s market share above 80 percent. With more than $2 billion traded daily, Upbit’s scale makes it a prime target for state-backed hackers.

Just two days before the breach, tech giant Naver announced plans to acquire Upbit for $10.3 billion, the largest acquisition in South Korean history. The hack is now expected to delay due diligence processes and may affect the valuation of the deal.

A Security Flaw, a Swift Response, and a Growing Regulatory Debate

During an emergency review of its systems following the theft, Upbit uncovered a serious vulnerability in its internal wallet software. In a company statement published Friday, CEO Oh Kyung-seok said the exchange found “a security vulnerability in our system that could have allowed someone analyzing publicly visible Upbit wallet transactions on the blockchain to infer private keys.” 

He explained that while blockchain data normally does not expose private keys, Upbit’s signature-generation approach appears to have produced weak or predictable signature components. This flaw could have allowed an attacker to reconstruct private keys mathematically by analyzing on-chain data.
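The flaw described above is the classic failure of a per-signature nonce: in ECDSA and Schnorr-family schemes (including the Ed25519 scheme Solana uses) every signature publishes a nonce commitment alongside the signature proper, and if that component repeats or is predictable, the public signature itself leaks the signing key. The audit a custodian can run over its own signing history is a straightforward one: group observed signatures by key and nonce component and flag any nonce that appears under two different messages, or under two different keys. The script below is an added illustration of that check and is not Upbit's code or anything from the article; the record format, the field names and the sample signature records are constructed placeholders, not real on-chain data.

```python
"""Audit check for nonce reuse in a wallet's published signatures.

Constructed example: records are assumed to carry the signing key, a hash of
the signed payload, and the signature's public nonce component (r in ECDSA,
R in Ed25519). None of the values below are real on-chain data.
"""
from collections import defaultdict

# Constructed sample records (placeholders, not real Upbit transactions).
SAMPLE_SIGNATURES = [
    {"pubkey": "KEY_A", "msg_hash": "tx-0001", "nonce_pub": "R-aaaa"},
    {"pubkey": "KEY_A", "msg_hash": "tx-0002", "nonce_pub": "R-bbbb"},
    {"pubkey": "KEY_A", "msg_hash": "tx-0003", "nonce_pub": "R-aaaa"},  # same key, new message, old nonce
    {"pubkey": "KEY_A", "msg_hash": "tx-0003", "nonce_pub": "R-aaaa"},  # same tx indexed twice: not a finding
    {"pubkey": "KEY_B", "msg_hash": "tx-0004", "nonce_pub": "R-cccc"},
    {"pubkey": "KEY_B", "msg_hash": "tx-0005", "nonce_pub": "R-aaaa"},  # nonce shared with KEY_A
]


def find_nonce_reuse(records):
    """Return (same_key, cross_key) findings.

    same_key:  {(pubkey, nonce_pub): [msg_hash, ...]} for a key that signed two
               or more distinct messages with the same nonce component.
    cross_key: {nonce_pub: [pubkey, ...]} for a nonce component that appears
               under more than one key, which points at a shared or
               predictable nonce source rather than a one-off collision.
    """
    messages_by_key_nonce = defaultdict(set)
    keys_by_nonce = defaultdict(set)
    for rec in records:
        messages_by_key_nonce[(rec["pubkey"], rec["nonce_pub"])].add(rec["msg_hash"])
        keys_by_nonce[rec["nonce_pub"]].add(rec["pubkey"])

    # A nonce seen twice for the *same* message is just a duplicate record,
    # so only distinct messages count as reuse.
    same_key = {
        key_nonce: sorted(msgs)
        for key_nonce, msgs in messages_by_key_nonce.items()
        if len(msgs) > 1
    }
    cross_key = {
        nonce: sorted(keys)
        for nonce, keys in keys_by_nonce.items()
        if len(keys) > 1
    }
    return same_key, cross_key


def audit(records):
    """Summarise the check as a single result suitable for a periodic job."""
    same_key, cross_key = find_nonce_reuse(records)
    return {
        "ok": not same_key and not cross_key,
        "same_key": same_key,
        "cross_key": cross_key,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SIGNATURES)
    if result["ok"]:
        print("no nonce reuse detected")
    for (pubkey, nonce), msgs in result["same_key"].items():
        print(f"REUSE  key={pubkey} nonce={nonce} messages={msgs}")
    for nonce, keys in result["cross_key"].items():
        print(f"SHARED nonce={nonce} keys={keys}")
```

Run against the constructed records, the check reports KEY_A reusing R-aaaa across tx-0001 and tx-0003, and R-aaaa appearing under both KEY_A and KEY_B; the duplicated tx-0003 row is correctly ignored. In practice the same scan is fed from the exchange's own indexed signature history and treated as a blocking finding, since a single repeat is enough to compromise the key.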

Upbit did not explicitly tie this vulnerability to the breach, and the issue was discovered only after the exchange initiated a systemwide audit. “We identified and addressed the vulnerability during a comprehensive inspection of all related networks and wallet systems,” Oh said. The exchange activated its emergency response plan and temporarily halted deposits and withdrawals until all infrastructure could be verified.

Upbit confirmed that the total losses amounted to approximately 44.5 billion KRW, including 38.6 billion KRW in customer assets. The company stated that it has already frozen about 2.3 billion KRW (roughly $1.5 million) in stolen funds through on-chain tracking. Dunamu said it covered all customer losses using its own reserves and fully reimbursed affected users. “Customer protection remains our highest priority,” the company said in its statement.

The firm is conducting a broader review across its infrastructure, noting in its update that “no security system can ever be considered perfect.” It pledged substantial upgrades to prevent future incidents and said deposits and withdrawals will resume once the exchange completes its final security verifications.

Upbit’s emergency measures included moving all remaining funds into cold storage and deploying a full wallet overhaul. Authorities have opened a formal investigation, while local media continues to cite early intelligence suggesting Lazarus could be a suspect. Upbit and government regulators, however, have not provided a public confirmation.

The incident has also spilled into broader market conversations. Ki Young Ju, CEO of CryptoQuant, commented that “the attack method disclosed by Upbit is almost impossible for an ordinary hacker to execute,” adding that “I doubt any hacker organization other than North Korea’s Lazarus could achieve this” if the technical details are accurate. The remarks amplified ongoing concerns about nation-state-level threats targeting centralized exchanges.

Solana-related markets briefly reacted to the news, including abnormal price movements caused by halted arbitrage flows on Upbit. But market volatility soon stabilized after the exchange corrected earlier estimates of the stolen amounts and froze a portion of the exploited funds.

On a larger scale, the breach has renewed discussions about the future of centralized exchange security. With Upbit processing most of South Korea’s crypto activity, regulators are now questioning whether such market concentration heightens systemic risk. Authorities intend to evaluate how the attackers accessed administrator privileges and whether internal policies were violated.

The timing is especially sensitive given the pending Naver acquisition. Analysts anticipate delays and possibly a renegotiated price. If the deal collapses, it could reshape the country’s fintech industry and open opportunities for smaller exchanges to regain market share. 

Meanwhile, international regulators are expected to push harder for restrictions on crypto mixers and privacy-enhancing tools as they attempt to crack down on cross-border laundering networks connected to state-backed hackers.

Upbit continues to cooperate with law enforcement and blockchain projects to freeze and recover assets. The exchange says it will provide ongoing public updates and resume services only when it is confident that its systems meet reinforced security standards.

The incident adds another chapter to the escalating digital confrontation between North Korea and the global cryptocurrency industry, a struggle underscoring that the threats posed by sophisticated, state-sponsored attackers are rising faster than many platforms can adapt.

About Author

Scarlett D

Scarlett is a passionate NFT and Web3 reporter for CoinNews, where she covers the latest trends and news in the ever-evolving world of non-fungible tokens. With a knack for uncovering hidden gems and an infectious enthusiasm for all things NFT, Scarlett has quickly become a go-to source for crypto collectors and Web3 aficionados alike. Before joining the CoinNews team, Scarlett earned her stripes as a freelance writer, covering topics ranging from blockchain technology to digital art and virtual reality. Her diverse background and keen eye for detail have equipped her with a unique perspective, allowing her to deliver fresh and engaging content that resonates with the rapidly growing NFT community.