Upbit Hacked: $37M Stolen, North Korea Suspected
This article was prepared using automated systems that process publicly available information. It may contain inaccuracies or omissions and is provided for informational purposes only. Nothing herein constitutes financial, investment, legal, or tax advice.

Introduction

South Korea’s largest cryptocurrency exchange, Upbit, has suffered a major security breach resulting in $36.9 million in stolen assets. Authorities suspect North Korea’s notorious Lazarus Group may be behind the sophisticated attack, which comes exactly six years after the exchange’s previous major hack.

Key Points

  • The hack occurred just days before the sixth anniversary of Upbit's previous major breach by North Korean hackers in 2019
  • Upbit has moved all remaining exchange assets to cold storage and is working with project teams to freeze stolen funds on-chain
  • The exchange's operator Dunamu has pledged to cover all customer losses using business funds rather than insurance

The $36.9 Million Solana Network Breach

Upbit, South Korea’s premier cryptocurrency exchange operated by Dunamu, is facing intense regulatory scrutiny following a sophisticated security breach that resulted in the unauthorized withdrawal of approximately $36.9 million in digital assets. The attack primarily targeted the Solana (SOL) network and impacted over 20 different tokens, marking one of the most significant crypto exchange hacks of the year. The breach was detected through what Upbit described as “abnormal withdrawal” activity, prompting immediate suspension of all deposit and withdrawal services across the platform.

CEO Oh Kyung-seok confirmed that the exchange responded swiftly to the security incident, stating that “we are conducting a comprehensive inspection, prioritizing the protection of member assets” in a notice to users. The timing of the attack is particularly notable, occurring just days before the sixth anniversary of Upbit’s previous major breach in which North Korean hackers stole 342,000 Ethereum (ETH). This pattern suggests either deliberate timing by the attackers or persistent security vulnerabilities that resurface at regular intervals.

North Korea's Lazarus Group Connection

Authorities are actively investigating the strong possibility of North Korean involvement in the cyber attack, with multiple reports pointing to the notorious Lazarus Group as the likely perpetrator. This group, affiliated with North Korea’s intelligence agency, has been consistently linked to several high-profile crypto heists in recent years and has developed a reputation as one of the most sophisticated and persistent threats in the cryptocurrency space. The US Federal Bureau of Investigation (FBI) has previously identified North Korean cyber operations as particularly advanced and dangerous.

According to an unnamed government official, this latest hack bears striking similarities to a 2019 incident in which approximately 58 billion won in cryptocurrencies was stolen from Upbit, also attributed to the Lazarus Group. The South Korean National Police Agency has launched a formal investigation into the matter, though officials have refrained from providing detailed comments while the investigation remains ongoing. The repeated targeting of Upbit by the same group suggests either specific geopolitical motivations or the identification of persistent security weaknesses within the exchange’s infrastructure.

Emergency Security Measures and Customer Protection

In response to the security breach, Upbit has implemented comprehensive emergency measures to protect remaining assets and prevent further unauthorized transfers. The exchange has shifted all remaining platform assets to cold storage, creating what they describe as “a secure environment for funds” while the investigation continues. This move represents a fundamental security practice in cryptocurrency exchanges, isolating the majority of funds from internet-connected systems that could be vulnerable to hacking attempts.

Upbit is actively collaborating with relevant project teams to freeze stolen assets on-chain, having already successfully blocked a portion of the stolen funds related to the cryptocurrency Solayer (LAYER). The exchange has made it clear that normal deposit and withdrawal services will only resume once full security checks are completed and all vulnerabilities have been addressed. Dunamu, Upbit’s operator, has taken the significant step of vowing to reimburse customers for any losses using business funds, demonstrating their commitment to user protection despite the substantial financial impact.

The combination of immediate asset freezing, transfer to cold storage, and commitment to full customer reimbursement represents a comprehensive response strategy aimed at maintaining user trust while addressing the immediate security threat. However, the repeated nature of these breaches raises fundamental questions about the long-term security infrastructure of one of South Korea’s most important cryptocurrency exchanges and the broader vulnerability of digital asset platforms to state-sponsored cyber attacks.