South Korean authorities say the hacking group Lazarus, backed by the North Korean state, is the prime suspect behind the recent $30 million breach of the Upbit crypto exchange. Early investigation findings show strong similarities to a previous Lazarus-led attack on Upbit in 2019.
On Thursday, attackers drained more than 44.5 billion won worth of crypto, over $30 million, from a compromised Upbit hot wallet. Initial estimates were even higher, reaching up to 54 billion won before the exchange finalized its numbers.
Upbit confirmed that at least 24 Solana-based assets were stolen, prompting the exchange to halt all deposits and withdrawals. The company has promised to reimburse all affected users using its own reserves while it investigates the breach.
Suspicious Echoes of the 2019 Upbit Hack
Authorities say the incident strongly resembles the 2019 Lazarus attack, when the group made off with 342,000 ETH, then worth nearly $50 million. One industry source said hackers may have compromised admin accounts or impersonated administrators, allowing unauthorized transfers without needing to attack core servers.
The Lazarus Group is known globally for its sophisticated social engineering campaigns, often targeting developers, administrators, and internal employees to gain elevated access. Over the years, the group has stolen billions of dollars in digital assets, with global intelligence agencies concluding that the funds help support North Korea’s weapons programs.
On-Chain Trail: From Solana to USDC to Ethereum
According to blockchain intelligence firm Dethective, the stolen Solana-based tokens were quickly:
- Converted into USDC,
- Then bridged over to Ethereum.
This laundering route is one Lazarus has used repeatedly in past operations. A South Korean security official noted that Lazarus routinely moves stolen funds through different exchanges and chains to obscure their origin. Privacy tools and crypto mixers are often used to further hide transaction trails, a major reason global regulators have tightened scrutiny on such tools.
Timing May Not Be Random
Some officials believe the timing of the attack may have symbolic meaning. The breach occurred just one day after the announcement of a merger between Upbit’s parent company Dunamu and Naver Corp. The deal could pave the way for a potential U.S. listing, making the hack potentially an act of “self-display” by Lazarus to demonstrate capability.
A Growing List of High-Profile Attacks
Lazarus Group continues to be linked to several major crypto hacks in 2025. One of the largest was the $1.5 billion attack on the ByBit exchange earlier this year. The FBI has attributed that incident to Lazarus’s TraderTraitor subgroup, which has been involved in multiple state-backed cyber operations.
With billions stolen across exchanges and DeFi platforms, Lazarus remains one of the most persistent and dangerous threats to the global crypto ecosystem.