Key Highlights
- Upbit lost $32M in a suspected Lazarus hack, repeating a 2019 hot wallet theft; authorities inspect systems and track stolen Solana tokens.
- North Korea-linked Lazarus likely used admin account hijacks, malware, and Tor to steal and launder funds, echoing previous attacks.
- The hack coincided with Naver Financial-Dunamu merger, raising concerns about high-profile timing and the persistent threat of cyber theft.
South Korea’s largest crypto exchange, Upbit, suffered a $32 million hack on November 27, raising immediate concerns about North Korean cyber involvement. According to Yonhap News, authorities strongly suspect the Lazarus Group, affiliated with North Korea’s Reconnaissance General Bureau, as the culprits.
The breach targeted Upbit’s hot wallets, the internet-connected wallets that hold cryptocurrencies for active trading, echoing a similar 2019 theft of 58 billion won worth of Ethereum. Government officials and the information and communications technology (ICT) industry are conducting an on-site inspection of Upbit.
“Rather than attacking the server, it is possible that the administrator account was hijacked or that the funds were transferred by pretending to be the administrator,” a government source said. The method mirrors the 2019 attack, making experts suspect a sophisticated repeat pattern.
How the attack unfolded
The latest breach affected a batch of Solana-based tokens, including SOL, USDC, and smaller assets. Upbit disclosed that the assets were moved to an unknown external wallet around 4:42 a.m. KST. The exchange immediately halted deposits and withdrawals, transferred remaining funds into cold wallets, and launched a full investigation.
Security analysts indicate that Lazarus likely used a multi-stage attack chain. Researcher blackorbird explained on X that the hackers tricked users with a fake installer for the Deriv trading platform. The malware chain then passed through several stages, including Python and .NET components, to steal sensitive information such as passwords and wallet details. The attackers also used AnyDesk backdoors and Tor to stay hidden, making the intrusion hard to detect while preserving their access to the system.
Moreover, after stealing the funds, the attackers probably laundered them through other exchange wallets. An analyst cited by Yonhap noted, “If mixing occurs, the transaction becomes untraceable, and since mixing is impossible in FATF-member countries, it is highly likely that North Korea did this.” This pattern fits Lazarus’ historical approach to cyber theft.
Context and timing
The hack coincided with a press event announcing the merger between Naver Financial and Dunamu, Upbit’s parent company. Experts speculate that the attackers intentionally chose this date to gain attention. “Hackers tend to have a strong desire to show off,” a security specialist said. The timing strengthens suspicions of North Korean involvement, given the group’s history of symbolic, high-profile attacks.
This attack happened nearly six years after Upbit’s 2019 Ethereum hack, which would now be worth over $1 billion. The similarities between the two incidents have raised alarm in the crypto community, highlighting the risks associated with hot wallets and the common tactic of hackers targeting admin accounts to steal funds.
Regulatory and international response
In South Korea, the Financial Services Commission oversees crypto exchanges under the Credit Information Act. Meanwhile, the Financial Supervisory Service and Financial Security Service are visiting Upbit to check its systems in person.
Internationally, the U.S. Treasury recently sanctioned North Korean entities, including the Korea Mangyongdae Computer Technology Company and Ryujong Credit Bank, for laundering stolen cryptocurrency to fund weapons programs.
Further, in an interview with Yonhap News TV, Second Vice Foreign Minister Kim Ji-na stressed Seoul’s coordination with Washington. She said, “In cases of cryptocurrency theft by Pyongyang, coordination between South Korea and the US is important, as it can be used to fund North Korea’s nuclear and missile programs.”
The Upbit hack shows that hot wallets are still vulnerable and that cyberattacks can have wide-reaching effects. Stronger account protections and international cooperation are needed to address threats from groups like Lazarus.
