South Korean authorities are investigating the possibility that the Lazarus Group, a notorious hacking unit linked to North Korea, is behind the recent multi-million-dollar breach at the local cryptocurrency exchange Upbit, according to a report from Yonhap News.
On Thursday, Upbit, South Korea’s largest digital asset exchange, was forced to suspend deposits and withdrawals after detecting suspicious activity involving Solana network tokens. The exchange later confirmed a significant security breach, reporting the unauthorized withdrawal of approximately 54 billion Korean won (around $36–$37 million) from one of its hot wallets. This marks the second major hot wallet security incident for the exchange in six years.
The investigation is focusing on whether the attackers in the 2025 Upbit hack used methods consistent with Lazarus Group operations, specifically the hijacking or impersonation of admin credentials, a tactic reportedly used in the exchange’s 2019 breach.
Security experts suggest there is a high probability that the theft was orchestrated by North Korea, which is facing severe foreign currency shortages. Further supporting the suspicion, the stolen funds were reportedly laundered using mixing techniques, a method commonly associated with the Lazarus Group.
Adding to the speculation, the hack occurred on November 27, the same day Upbit’s parent company, Dunamu, announced a major corporate merger with South Korean tech giant Naver.
“Hackers tend to have a strong desire to show off,” a security expert told Yonhap. “It is possible that they chose the 27th as the hacking date because they wanted to show off by choosing the day of the merger.”
