South Korean officials say the notorious Lazarus Group is the prime suspect behind a major security breach at Upbit, the country’s largest cryptocurrency exchange.
Approximately 44.5 billion won ($30 million) in Solana-linked assets were drained from a hot wallet on November 27, 2025, marking the second time Upbit has been hit using a nearly identical method.
A Coordinated Attack With Familiar Signatures
Government investigators from the Ministry of Science and ICT, alongside financial regulators, reported that early evidence points toward Lazarus due to striking similarities with the 2019 Upbit hack, which occurred on the exact same date. Officials believe that, instead of breaching core servers, the attackers compromised administrator accounts or impersonated internal staff, allowing them to authorize outbound transfers without triggering immediate alarms.
The stolen funds were tied to Solana-related assets, all routed out of a hot wallet in what investigators describe as a deliberate, highly coordinated strike.
Upbit Moves to Contain Damage
Upbit confirmed the loss and announced that the exchange will reimburse the full amount using company reserves. As a precaution, all deposits and withdrawals have been suspended while internal systems undergo review. The company emphasized that user balances remain intact and that compensation will not affect day-to-day operations.
A Hack Overshadowing a Major Corporate Merger
The timing has raised eyebrows across the industry. The breach occurred just hours after Upbit’s parent company, Dunamu, announced a merger with Naver, one of South Korea’s largest internet conglomerates. Officials note that Lazarus has a history of striking during periods of organizational transition, taking advantage of internal restructuring and heightened system activity.
Six Years, Same Group, Same Date
The 2025 hack lands on the six-year anniversary of the previous Lazarus-linked attack against Upbit, adding another layer of suspicion. Investigators say the repetition of date, method, and target strongly supports the working theory that the same North Korean cybercrime unit is responsible.
The inquiry remains active as authorities analyze wallet movements and internal authorization logs. Upbit, meanwhile, continues to coordinate with regulators and cybersecurity teams to prevent further incidents.





