BanklessTimes

North Korea’s Lazarus Group Tied to ₩44.5B Upbit Hack, New Report Claims

Simon Simba
Simon is a writer with five years' experience in crypto and iGaming. He currently works as a freelance writer at BanklessTimes, where he focuses on simplifying daily crypto developments for readers. He discovered crypto in 2022 while writing news about NFTs for a news website in the US, and has since written for two other international NFT projects and a Web3 gaming agency.
Updated: November 28th, 2025

South Korea’s latest investigation into a ₩44.5 billion (around US$30–32 million) hack at crypto exchange Upbit has zeroed in on Lazarus Group.

Authorities say on‑chain patterns, attack methods, and historical precedents point strongly to the same actors behind Upbit’s 2019 Ethereum breach.

Investigators Trace Familiar Patterns in Upbit Breach

The November 27 attack saw approximately ₩44.5 billion in Solana‑based and other digital assets siphoned from one of Upbit’s hot wallets to an unauthorized external address at around 4:42 a.m. local time, prompting an immediate halt to deposits and withdrawals and an emergency transfer of remaining funds into cold storage. The date coincided exactly with the sixth anniversary of Upbit’s 2019 hack, when 342,000 ETH, worth roughly ₩58 billion at the time, were stolen and later attributed to Lazarus and a related North Korean group known as Andariel.

According to South Korean media citing government and industry sources, security agencies analyzing wallet flows and intrusion vectors now suspect that hackers either compromised an administrator account or successfully impersonated an internal operator, tactics closely mirroring the 2019 incident. Blockchain forensics firms have also identified so‑called “hopping” (rapid transfers across multiple wallets) and mixing activity consistent with previous Lazarus laundering patterns.

Regulators from the Ministry of Science and ICT, the Financial Services Commission, and other supervisory bodies have launched on‑site inspections of Upbit’s systems, focusing on hot‑wallet key management and internal network security. Upbit’s operator, Dunamu, has pledged to fully reimburse customers from its reserves; under Korea’s crypto user protection law, the exchange reported holding ₩67 billion in reserves for hacks or system failures as of September.

Concerns Over North Korean Cyber Operations

Security experts in Seoul have voiced concern not only about the repeated timing of Upbit incidents, but also about systemic vulnerabilities across South Korean exchanges that continue to rely on internet‑connected hot wallets despite previous breaches. The latest hack, arriving just as Dunamu announced a ₩10.3 trillion merger plan with Naver Financial, has further intensified scrutiny of the sector’s cybersecurity standards and incident‑response protocols.

Regulators are now weighing tougher requirements on key management, internal access controls, and real‑time monitoring of large transfers, alongside renewed calls for exchanges to increase liability reserves or insurance coverage against sophisticated state‑linked attacks. 
