North Korea's hacking group Lazarus is suspected behind a breach of around 45 billion won in cryptocurrency from South Korea's largest exchange Upbit. Operator Dunamu confirmed the transfer of 44.5 billion won in Solana-affiliated assets to an unauthorized wallet and plans to cover the loss with its own funds. Authorities intend to conduct an on-site investigation believing Lazarus's involvement.
Government and business sources said on Nov. 28 that North Korea's Lazarus hacking group is suspected in the recent breach at Upbit, South Korea's largest cryptocurrency exchange, involving around 45 billion won (US$30.6 million) in stolen assets. Dunamu, Upbit's operator, confirmed on Thursday the unauthorized transfer of 44.5 billion won worth of Solana-affiliated assets to an external wallet and vowed to reimburse users fully from its own reserves.
Authorities plan an on-site probe at the exchange, linking the incident to Lazarus due to similarities with a 2019 hack where the group stole 58 billion won in Ethereum from Upbit. A government official noted, "Instead of attacking the server, it is possible that hackers compromised administrators' accounts or posed as administrators to make the transfer."
The attack occurs as Pyongyang faces a foreign currency shortage, prompting experts to view it as a funding ploy. A security official explained, "It is the tactic of Lazarus to transfer crypto to wallets at other exchanges and attempt money laundering," which complicates tracking. The timing—Thursday, a day after Naver Corp. announced acquiring Dunamu—suggests possible intent. Another security official remarked, "Hackers have a strong tendency toward self-display." Lazarus has a history of such crypto thefts to bypass international sanctions.