TLDR
- South Korean authorities suspect North Korea’s Lazarus Group orchestrated the November 27 Upbit hack that stole $30.4 million in crypto assets.
- Upbit suspended deposits and withdrawals after detecting unauthorized Solana token withdrawals from its hot wallet, marking the exchange’s second major breach in six years.
- The 2025 hack used similar tactics to Lazarus’s 2019 Upbit breach, involving compromised or impersonated admin credentials rather than direct server attacks.
- The hack occurred the same day Upbit’s parent company Dunamu announced a merger with tech giant Naver, leading to speculation about the timing.
- Blockchain data shows the stolen funds were swapped for USDC and bridged to Ethereum using mixing techniques common to Lazarus operations.
South Korean authorities are investigating the Lazarus Group as the likely source behind a $30.4 million hack at Upbit, the country’s largest crypto exchange. The breach occurred on November 27 when the exchange detected unusual withdrawal activity in Solana-based tokens.
🚨BREAKING: North Korea’s Lazarus Group is suspected to the $30M hack on South Korea’s Upbit, local news reported. pic.twitter.com/0lkPFCF6j2
— Coin Bureau (@coinbureau) November 28, 2025
Upbit immediately suspended all deposit and withdrawal services after identifying the unauthorized transactions. The exchange initially reported losses of 54 billion Korean won, or approximately $36.8 million, but later revised this figure down to 44.5 billion won, or $30.4 million.
This marks the second major hot wallet breach for Upbit in six years. The exchange previously suffered a hack in November 2019 when attackers stole 342,000 ETH.
South Korean police concluded last year that Lazarus was responsible for that 2019 theft. The similarities between the two attacks have raised suspicion about the latest breach.
Attack Methods Mirror 2019 Breach
According to government officials cited by Yonhap News Agency, the hackers likely compromised administrator accounts or impersonated administrators to authorize the transfers. This approach, which relies on abusing administrator access rather than directly targeting the exchange’s servers, mirrors the tactics used in the 2019 attack.
South Korean authorities are preparing an on-site inspection of Upbit based on growing confidence that Lazarus orchestrated the theft. Security experts noted that North Korea faces ongoing foreign currency shortages, providing a potential motive for the attack.
Blockchain analysis provider Dethective tracked the stolen funds after the breach. Data shows a wallet tied to the hacker swapped Solana tokens for USDC and began bridging funds to Ethereum.
The attackers used mixing techniques to launder the stolen assets. These methods are known tactics employed by the Lazarus Group in previous crypto thefts.
Timing Raises Questions
The hack occurred on the same day that Naver Financial confirmed a merger with Dunamu, Upbit’s parent company. Naver Financial announced on November 27 that it would integrate Dunamu as its wholly-owned subsidiary.
The company stated the merger aims to secure future growth momentum based on digital assets. The timing of the hack alongside this major corporate announcement has fueled speculation about whether the date was chosen deliberately.
A security expert told Yonhap that hackers often seek to show off their capabilities. The expert suggested the attackers may have chosen November 27 specifically to coincide with the merger announcement.
The Lazarus Group has been linked to numerous high-profile crypto thefts over the years. The group operates under North Korea’s direction and has targeted exchanges worldwide to generate revenue for the regime.
Upbit has not provided additional details about the breach or its investigation. The exchange continues to work with authorities to track the stolen funds and prevent further losses.





