South Korea suspects hacker group Lazarus in Upbit $30.4 million hack

South Korea is probing the North Korea-linked Lazarus Group over Upbit's $30.4 million outflow after abnormal Solana withdrawals.
South Korean authorities suspect the North Korea-linked Lazarus Group was behind a security breach at Upbit that led to unauthorized withdrawals of about $30.4 million.
Government and industry officials indicate investigators are preparing an on-site inspection at Upbit. The techniques observed resemble a 2019 incident, and investigators assess the attackers likely gained access by compromising administrator accounts or impersonating administrators rather than breaching servers.
Police have opened a case and are analyzing transaction flows connected to the theft. Blockchain data show a wallet linked to the incident has exchanged Solana for the USDC stablecoin and moved funds to Ethereum via a bridge. Work to attribute specific on-chain addresses to threat actors is ongoing.
An official at Dunamu, Upbit’s operator, stated that the company is currently investigating the cause and scale of the asset outflow. Exchange management has not provided a timeline for fully resuming services.
The exchange detected irregular activity in certain Solana-linked assets on 27 November 2025, halted deposits and withdrawals, and launched an internal review. Upbit initially estimated losses at roughly $36.8 million, then revised the figure to about $30.4 million after reconciling transactions.
Cybersecurity specialists noted that Lazarus has shifted tactics between spear phishing, supply-chain compromises and exploits of zero-day vulnerabilities, laundering proceeds through privacy-focused mixers and over-the-counter brokers.
South Korean police concluded in November 2024 that North Korea-linked groups including Lazarus carried out the November 2019 theft of about 342,000 ether from Upbit. The latest incident came a day after Naver Financial disclosed plans to acquire Dunamu, Upbit’s parent company, as its wholly owned subsidiary.