
Upbit halted services, moved funds to cold storage, and committed to full user compensation from reserves.
South Korean investigators, citing government and industry sources, strongly suspect that North Korea’s state-backed Lazarus Group was responsible for the sophisticated $30.7 million cryptocurrency theft from the Upbit exchange on November 27, 2025, according to a report by Yonhap News. The breach involved unauthorized withdrawals of Solana network tokens from hot wallets, totalling approximately 45 billion won. Upbit quickly suspended deposits and withdrawals, isolated affected assets, and vowed to reimburse users in full from company reserves.
Authorities have launched an on-site inspection of Upbit’s systems after hackers used wallet-hopping and mixing techniques to cover their tracks, methods previously linked to the Lazarus Group. This is the second major breach at Upbit tied to the group, following a 2019 Ethereum hack that saw 58 billion won stolen. Blockchain analysts noticed a rapid movement of Solana tokens into Ethereum across 185 wallets, raising further red flags. Lazarus, connected to North Korea’s Reconnaissance General Bureau, has historically stolen over $1.75 billion in crypto to fund regime activities.
The timing heightened concerns, coming one day after Dunamu announced a $10.3 billion merger with tech giant Naver. Regulators are now probing potential vulnerabilities exposed by the deal, while industry experts warn of persistent threats from nation-state actors targeting exchanges. Upbit CEO Oh Kyung-seok emphasized customer protection, stating that losses would not affect users. This incident underscores ongoing risks in hot wallet management despite enhanced security post-2019.
The Lazarus Group is continually enhancing its capabilities, as evidenced by its involvement in the substantial $1.4 billion Bybit hack in February 2025. Both the U.S. FBI and the South Korean government consider North Korean cyber operations to represent advanced persistent threats.
Consequently, cryptocurrency exchanges globally are under increasing pressure to strengthen their security measures. This need is particularly acute given that decentralized finance (DeFi) platforms are frequently exploited to launder stolen assets due to their less stringent Know Your Customer (KYC) protocols. While Upbit’s swift action in providing reimbursement sets a positive precedent, sustained vigilance is crucial in the face of escalating state-sponsored cyberattacks.

