North Korean Lazarus Group Linked to Major Upbit Crypto Hit

  • Upbit lost high-value assets in a single, swift transfer, prompting a new state-linked probe.
  • Officials note that the breach mirrors the earlier event tied to the same threat group.
  • Analysts say Lazarus uses social entry points that exploit internal access pathways.

South Korean authorities are investigating a major breach at Upbit after 44.5 billion won, about US$30.6 million, in cryptocurrency was moved to an unauthorized wallet during a predawn incident involving multiple tokens. Officials disclosed that the breach occurred around 4:42 a.m. and said investigators now suspect the Lazarus Group, a North Korean state-aligned hacking unit, because of strong similarities to Upbit’s 2019 theft of 342,000 ETH.

According to sources, authorities plan for an on-site inspection as Dunamu, Upbit’s operator, pledged full compensation using company-owned assets.

Investigators Point to a Repeat Pattern

Authorities said the method used in the attack matches details from the 2019 Upbit case, which involved 58 billion won in stolen assets later tied to Lazarus. Analysts noted that the earlier hack included laundering activity across multiple exchanges, which aligned with known North Korean cyber behavior. Sources cited unnamed officials who said the latest incident carried the “signature” of the previous heist.

Investigators from the National Police Agency confirmed an active case review and noted the involvement of their cybercrime team. Officials declined to provide further details while the assessment continued. The National Intelligence Service did not respond to requests for comment.

Shift Toward Social Engineering Tactics

Security analysts said Lazarus has moved away from complex malware and code-level exploits in recent years. Instead, the group targets human-centered entry points through credential theft, impersonation, and manipulation of internal access.

This trend aligns with global cases, including the February 2025 Bybit breach that extracted about US$1.5 billion through phishing methods and manipulated trading applications. Upbit’s scale and liquidity position it as a prime target for state-backed hacking teams seeking rapid access to digital assets in high demand.

Its large internal environment also creates multiple points where attackers may attempt social engineering. Authorities said the 2025 breach may involve an admin-level account takeover, mirroring Lazarus’s growing focus on identity-driven compromises rather than technical vulnerabilities. This possibility strengthened investigators’ belief that the attackers penetrated human and organizational layers rather than system software.

Growing Risk to Crypto Infrastructure

The suspected Lazarus involvement aligns with North Korea’s broader strategy of using cyber theft to acquire digital assets, and with earlier reports describing North Korea’s cyber units as “advanced persistent threats,” according to statements attributed to the U.S. Federal Bureau of Investigation in previous cases.


Investigators warned that major exchanges now face heightened pressure to protect high-level credentials, internal wallet controls, and sensitive access pathways. They also stressed the need for more robust identity verification inside operational teams.

Authorities projected increased coordination between regulators and law enforcement as teams rely on wallet tracing, cross-border data sharing, and analytic support to track stolen assets. They also noted that crypto platforms may need stricter monitoring frameworks to counter state-backed actors using social-engineering methods.

This investigation also raises a central question: can exchanges built for open digital finance protect themselves from state-directed operations that rely on identity compromise rather than technical flaws?

Disclaimer: The information provided by CryptoTale is for educational and informational purposes only and should not be considered financial advice. Always conduct your own research and consult with a professional before making any investment decisions. CryptoTale is not liable for any financial losses resulting from the use of the content.
