Upbit Hacked for $30.4M: North Korea’s Lazarus Group Suspected

Upbit Rocked by $30.4 Million Hack, North Korea’s Lazarus Group Eyed as Prime Suspect

South Korea’s largest cryptocurrency exchange, Upbit, was reportedly targeted in a sophisticated cyberattack yesterday, November 27th, resulting in the theft of approximately 44.5 billion Korean Won (around $30.4 million USD) in digital assets. Local media reports, citing anonymous officials and industry sources, indicate that South Korean authorities are increasingly confident that the notorious North Korean hacking syndicate, Lazarus Group, is behind the audacious breach.

According to Yonhap News Agency, authorities are now preparing to conduct an on-site audit of Upbit to investigate the incident. Upbit responded after detecting abnormal withdrawals of certain Solana (SOL) ecosystem assets, suspending all deposit and withdrawal functionality as a precautionary measure to secure remaining funds and launching an internal investigation.

Initially, Upbit had reported the stolen amount to be higher, at 54 billion Korean Won (approximately $36.8 million USD). However, following a comprehensive re-evaluation of its reserves, the exchange revised the estimated loss down to the current figure of 44.5 billion Korean Won ($30.4 million USD).

This latest attack bears striking similarities to a previous Upbit security incident in 2019, further solidifying the suspicion surrounding the Lazarus Group. Last year, South Korean police formally attributed the 2019 theft of 342,000 Ethereum from Upbit to the North Korean state-sponsored hacking collective. A government official, speaking to Yonhap News Agency, suggested that the hackers likely did not directly compromise the exchange’s servers but instead gained unauthorized access to administrator accounts, or impersonated administrators, to authorize the illicit transfer of assets.

Blockchain analytics service provider Dethective has been tracking the movement of the stolen funds. Their data reveals that a wallet suspected of being linked to the perpetrators rapidly converted a portion of the stolen Solana ecosystem tokens into the stablecoin USDC. These funds were then reportedly transferred to the Ethereum blockchain via a cross-chain bridge, a common tactic used by hackers to obscure their tracks and spread their assets across chains.

Adding a layer of intriguing context, this high-profile cyberattack occurred just one day after South Korean tech giant Naver Financial announced its strategic merger with Dunamu, Upbit’s parent company. Naver Financial disclosed on Wednesday its intention to integrate Dunamu as a wholly-owned subsidiary, a move aimed at “securing future growth momentum in the digital asset sector.” The timing of the hack raises questions about potential motives and vulnerabilities during a period of significant corporate transition.


Disclaimer: This article is for market information purposes only. All content and views are for reference only and do not constitute investment advice, nor do they represent the views and positions of BlockTempo. Investors should make their own decisions and trades. The author and BlockTempo will not be liable for any direct or indirect losses incurred by investors’ transactions.
