North Korea’s Lazarus Suspected In Upbit Breach

South Korea’s largest cryptocurrency exchange, Upbit, is facing a second major security crisis after 44.5 billion won (around $30–32 million) in digital assets were drained from a hot wallet, with authorities “strongly” suspecting North Korea’s Lazarus Group.

According to ICT industry sources and government officials cited by Yonhap News on November 28, investigators are focusing on Lazarus, a hacking unit under North Korea’s Reconnaissance General Bureau, as the likely perpetrator. The group was also suspected in Upbit’s 2019 breach, when approximately 58 billion won in Ethereum was stolen.

North Korean Crypto Hackers Strike Again

The latest incident again centers on a hot wallet — an internet-connected operational wallet — replicating the core vulnerability of 2019. A government official quoted by Yonhap said the attack likely did not involve a deep server exploit but instead an administrative compromise: “Rather than a server attack, it’s possible they compromised an administrator account or impersonated an administrator to transfer funds,” adding that because the earlier hack used this method, “we consider this approach the most likely.”

Security experts point to the post-hack on-chain behavior as key circumstantial evidence. After the theft, the funds were rapidly “hopped” through other exchange wallets and then subjected to “mixing,” a laundering technique designed to break traceability.

One expert noted that “funds were hopped to other exchange wallets before mixing occurred. This can be seen as the modus operandi of the Lazarus Group,” adding that “once mixing occurs, transactions become untraceable.” Because FATF member countries cannot legally operate mixing services, the expert argued it is “highly likely North Korea was responsible.”

The timing has raised additional suspicion. The hack occurred on November 27, the same day Naver and Upbit operator Dunamu held a high-profile joint press conference at Naver’s “1784” headquarters to present their group-integration and AI/Web3 expansion strategy.

A security expert suggested the date may have been intentionally chosen: “Hackers often have a strong desire to show off. It’s possible they chose the 27th as the hacking date to flaunt their timing, selecting the very day of the merger announcement.” The attack also lands almost exactly six years after Upbit’s 2019 hack, which occurred on November 27.

Regulatory and supervisory bodies have moved quickly. Following a December interpretation by the Financial Services Commission that virtual asset exchanges’ user transaction data falls under the Credit Information Act, the Financial Supervisory Service and the Korea Financial Security Institute have launched an on-site inspection of Upbit. The Korea Internet & Security Agency has joined to provide technical support.

At press time, the total crypto market cap stood at $3.07 trillion.

Featured image created with DALL.E, chart from TradingView.com