The recent security breach at Upbit, South Korea’s leading cryptocurrency exchange, has raised alarms in the digital finance community. The exchange detected irregular withdrawals from its Solana hot wallets, prompting immediate action to protect its users and halt trading activities.
Reports indicate that approximately 44.5 billion Korean won — equivalent to around $32 million — was siphoned off during this incident, which came to light in late November 2025. In response, Upbit suspended all deposits and withdrawals, promising to compensate affected users using its own financial reserves.

Concerns Over Potential State Involvement
Investigators are exploring potential connections to the notorious Lazarus Group, a cyber espionage entity linked to North Korea. According to analysts, the methods used in this incident mirror previous attacks attributed to the group, including a significant hack in 2019 that resulted in the loss of 342,000 ETH.
The swift withdrawals, along with the rapid transfer of funds across multiple blockchains, have led authorities to suspect involvement from state-affiliated actors. This pattern closely resembles tactics associated with prior operations linked to North Korea.
Today South Korea attributed blame for the Upbit hack to North Korea. While this may seem straightforward, the details reveal more complexity.
So, what exactly transpired?
An unidentified attacker drained several hot wallets and then moved the funds through multiple chains.
At one point, the hacker bridged USDC from…
— trix (@trixwtb) November 28, 2025
Methods of Fund Movement
Investigations have revealed that the stolen funds were swiftly moved off Solana, converted through multiple bridges, and spread across various chains. This intricate maneuvering makes tracing the stolen assets increasingly challenging.
Transactions occurred at a rapid pace and in numerous smaller amounts, complicating recovery efforts on the blockchain. Analysts are meticulously examining transaction records, but the variety of conversions and mixing procedures creates additional barriers to straightforward recovery.
Forensic Investigations Underway
Authorities are conducting thorough inspections of Upbit’s systems, including a review of access logs, admin credentials, and wallet backups. Sources familiar with the investigation suggest that there may have been a compromise of administrative credentials rather than a mere software vulnerability.
Forensic teams are focused on identifying how the attackers were able to authorize withdrawal transactions and whether there was any evidence of external control over the accounts.
Impact of the Incident on the Market
The timing of the hack raised eyebrows as it coincided with news regarding a merger between Upbit’s parent company, Dunamu, and tech giant Naver, valued at approximately $10.3 billion. Market analysts speculated that the attack might have been aimed at disrupting investor confidence.
Investors, exchanges, and regulatory bodies are now pushing for enhanced security measures, including better segregation of hot and cold wallets, and improved regulatory standards for large crypto platforms.
According to Yonhap News, Upbit has suffered a hack amounting to 44.5 billion KRW ($32 million), with possible links to North Korea’s Lazarus Group. This group has previously been implicated in Upbit’s cyber theft of…
— Wu Blockchain (@WuBlockchain) November 28, 2025
Upbit has assured users that all affected parties will be reimbursed, and it pledges to share findings with the public once the investigation allows. While efforts to trace and recover the lost assets are ongoing, the fragmented nature of the stolen tokens complicates the process.
Experts emphasize that if the involvement of Lazarus is confirmed, it would illustrate how state-sponsored hacking continues to target significant players in the cryptocurrency space. Authorities have yet to make an official announcement attributing the attack conclusively. Observers are keenly awaiting updates on recovery attempts and regulatory responses aimed at minimizing future risks.