Upbit $36M Hack Linked to North Korea’s Lazarus Group

This article was prepared using automated systems that process publicly available information. It may contain inaccuracies or omissions and is provided for informational purposes only. Nothing herein constitutes financial, investment, legal, or tax advice.

Introduction

South Korean authorities are investigating a sophisticated $36 million theft from Upbit’s Solana hot wallets, with mounting evidence pointing to North Korea’s notorious Lazarus Group as the perpetrator. The crypto exchange operator Dunamu has frozen affected accounts, moved remaining funds to secure cold storage, and committed to full customer reimbursement as investigators prepare for an on-site probe into one of the year’s most significant security breaches.

Key Points

  • Dunamu confirmed all stolen funds came from hot wallets while cold storage remained secure throughout the incident
  • Blockchain security firm CertiK observed fund movement patterns consistent with previous Lazarus Group attack methodologies
  • This marks another major exchange targeted by Lazarus, following the recent $1.4 billion Bybit hack attributed to the same group in February

The Upbit Breach: Timeline and Immediate Response

The security incident unfolded on Thursday when Upbit disclosed irregular withdrawals from its Solana-based hot wallets totaling approximately $36 million across multiple tokens. Blockchain security firm PeckShield first brought attention to the anomalous transactions, triggering immediate action from parent company Dunamu. A Dunamu spokesperson confirmed to Decrypt that “the abnormal withdrawals occurred from hot wallets. The cold wallets were not subjected to any breach or theft,” highlighting the containment of the security compromise to online operational accounts.

Dunamu’s response was swift and comprehensive. The company immediately froze the affected wallets and transferred all remaining assets to cold storage “to prevent any additional withdrawal.” The exchange also implemented on-chain measures to freeze transactions and reported the incident to relevant authorities in accordance with local regulations. Most significantly, Dunamu pledged full reimbursement for all affected customers, a commitment that underscores the exchange’s recognition of its security responsibilities despite the sophisticated nature of the attack.

Lazarus Group Suspicions and Investigative Developments

By Friday, the investigation had taken a dramatic turn: according to a Yonhap report, South Korean authorities indicated they suspect North Korea’s Lazarus Group was behind the Upbit breach. Investigators are now preparing for an on-site probe at the exchange to gather additional evidence and determine the exact attack vectors used in the compromise. The Lazarus Group, a North Korean state-linked hacking outfit, has long been tied to high-impact crypto thefts targeting exchanges, decentralized finance protocols, and infrastructure providers.

Blockchain analytics firm CertiK, which maintains an analytics dashboard on Upbit through its Skynet program, provided crucial insights into the attack patterns. A CertiK representative told Decrypt that the firm “followed the fund flow of over 100 exploiter addresses on Solana” and observed that “the speed and scale of withdrawals are reminiscent of previous Lazarus-related attacks.” While noting they don’t yet have “definitive evidence on the chain,” CertiK continues to monitor fund movements “to see if they trace to Lazarus-related laundering network,” suggesting the investigation is actively tracking the stolen assets across blockchain networks.

Lazarus Group’s Evolving Crypto Crime Methodology

The Upbit incident represents another chapter in Lazarus Group’s extensive history of cryptocurrency theft. In February, blockchain data platform Arkham Intelligence attributed the massive Bybit hack to Lazarus, ranking it as the largest single theft operation with over $1.4 billion in losses. This pattern of targeting major exchanges demonstrates the group’s continued focus on high-value cryptocurrency platforms as primary revenue sources for the North Korean regime.

Over the years, Lazarus has repeatedly evolved its tactics, moving from straightforward exchange intrusions to more sophisticated supply chain attacks and even compromising developer environments. The group has become known for deploying custom malware clusters designed specifically for stealing cryptocurrency, employing sophisticated social engineering lures, and operating massive laundering infrastructure that routes stolen crypto through mixers and bridges across different blockchain networks. This methodological evolution makes the group particularly dangerous and difficult to counter for exchange security teams.

Industry Implications and Security Lessons

The Upbit breach highlights ongoing vulnerabilities in cryptocurrency exchange security, particularly concerning the management of hot wallets—online accounts necessary for daily operations but inherently more exposed to cyber threats. While Dunamu’s quick containment of the breach to hot wallets and the continued security of cold storage demonstrate proper security segmentation, the incident underscores the persistent challenge exchanges face in balancing operational efficiency with security requirements.

The suspected involvement of a state-sponsored actor like Lazarus Group raises broader concerns about the geopolitical dimensions of cryptocurrency security. North Korea’s continued use of cryptocurrency theft as a revenue generation method represents a significant threat to the global crypto ecosystem. As blockchain security firms like CertiK and PeckShield enhance their monitoring capabilities, the industry faces increasing pressure to develop more robust security protocols capable of defending against nation-state level threats while maintaining the accessibility and functionality that users expect from major exchanges.
