In recent developments, South Korea’s premier cryptocurrency platform, Upbit, has been engulfed in a significant security scandal, losing approximately 44.5 billion won (about $30–32 million) in cryptocurrencies from its hot wallet. Authorities are tentatively linking the breach to North Korea’s notorious Lazarus Group.
Reports from various ICT industry sources and government insiders, as highlighted by Yonhap News on November 28, indicate that investigators are homing in on Lazarus, a hacking group connected to North Korea’s Reconnaissance General Bureau. This group was previously implicated in a 2019 breach of Upbit, during which 58 billion won worth of Ethereum was pilfered.

Recurring Threat from North Korean Hackers
The recent breach revolves around a hot wallet, which is inherently vulnerable as it is connected to the internet. An official cited by Yonhap remarked that the incident likely stemmed from misuse of administrative access rather than a sophisticated server breach: “It appears they may have compromised an administrator account to authorize fund transfers.” The official emphasized that this pattern resembles the earlier incident.
Expert insights suggest that the post-theft transaction patterns provide compelling circumstantial evidence against the Lazarus Group. The stolen assets were swiftly transferred through various exchange wallets and subjected to “mixing,” a procedure designed to obscure the origin of the funds.
One cybersecurity analyst pointed out that “the swift movement of these funds to different exchange wallets before mixing indicates the trademark tactics of the Lazarus Group,” asserting that “post-mixing, transactions are almost impossible to trace.” Given that FATF member nations are legally bound not to offer mixing services, the use of mixing further implicates North Korea in the incident.
The timing of the breach has raised eyebrows. This event took place on November 27, coinciding with a high-profile joint press conference by Naver and Dunamu, the firm that manages Upbit. They were unveiling ambitious plans for group integration and expansions into AI and Web3 technologies.
Security experts speculate that this date may have been deliberately chosen by the attackers. “Cybercriminals often seek to make a statement. It is quite possible they picked the 27th to underline their defiance, coinciding with the strategic merger announcement,” noted one analyst. Interestingly, the timing also marks six years since the first hacking incident targeting Upbit.
Regulatory bodies have been quick to respond. Following a December ruling by the Financial Services Commission deeming user transaction data of virtual asset exchanges as subject to the Credit Information Act, both the Financial Supervisory Service and the Korea Financial Security Institute are conducting an immediate audit of Upbit. Meanwhile, the Korea Internet & Security Agency has joined forces to offer technical assistance.
At the time of reporting, the total cryptocurrency market capitalization was estimated at $3.07 trillion, underscoring the significance of security in this volatile industry.