Seoul, South Korea – South Korea’s largest cryptocurrency exchange, Upbit, suffered a major security breach on November 27, 2025, with hackers stealing approximately 44.5 billion won (around $30.6 million) worth of Solana-linked digital assets. Authorities and cybersecurity experts strongly suspect North Korea’s state-sponsored Lazarus Group is behind the attack, marking yet another high-profile incident linked to the infamous hacking unit.
Upbit operator Dunamu confirmed on Thursday that it detected an unauthorized transfer of assets from one of its hot wallets to an external address. The exchange immediately suspended Solana deposits and withdrawals, moved remaining funds to cold storage, and promised to fully compensate affected users using its own corporate reserves. Dunamu stated that customers would experience no financial loss as a result of the incident.
The stolen assets primarily consisted of Solana (SOL), various meme coins, and stablecoins such as USDC. Initial estimates placed the loss at over 54 billion won, but the final figure was revised downward to 44.5 billion won after accounting for real-time market prices. Upbit has already worked with project teams and international partners to freeze a portion of the stolen funds, including about 2.3 billion won in Solayer (LAYER) tokens.
South Korean government agencies, including the Ministry of Science and ICT, the Financial Services Commission, and the Korea Internet & Security Agency (KISA), launched an immediate on-site investigation at Upbit’s headquarters in Seoul. Multiple officials told local media that the methods used in the attack closely resemble those employed by the Lazarus Group in previous operations.
Notably, this is not Upbit’s first encounter with North Korean hackers. On November 27, 2019, six years earlier to the day, Upbit lost 58 billion won worth of Ethereum in a breach that South Korean police officially attributed to Lazarus in 2024. Investigators say the latest incident shares striking similarities, including the targeting of hot wallets and the possible compromise of administrative accounts rather than a direct server intrusion.
One government official explained that instead of attacking the exchange’s infrastructure head-on, the hackers likely gained access by compromising administrator credentials or impersonating authorized personnel to approve large transfers. This social engineering approach has become a hallmark of Lazarus operations.
Security experts note that the Lazarus Group frequently moves stolen cryptocurrency through multiple wallets and uses mixing services to launder funds, making recovery nearly impossible. Once assets are scattered across different exchanges and obfuscated, tracing them becomes extremely difficult even with advanced blockchain forensics.
The timing of the attack has raised eyebrows across the industry. The breach occurred less than 24 hours after Naver Corp., South Korea’s dominant internet giant, announced a blockbuster deal to fully acquire Dunamu through a share-swap transaction valued at approximately 15.1 trillion won ($10.3 billion). The merger, set to close in June 2026, will make Upbit a wholly owned subsidiary of Naver Financial and includes plans for a 10 trillion won investment in AI and blockchain technology over the next five years.
Some security officials believe the hackers deliberately chose this moment for maximum impact. “Hackers have a strong tendency toward self-display,” one official told Yonhap News, suggesting the attack was timed to generate global headlines and potentially disrupt confidence just as the historic merger was unveiled.
The Lazarus Group has long been one of the most prolific and dangerous cyber threat actors in the world. U.S. intelligence agencies estimate that North Korea has stolen more than $3 billion in cryptocurrency since 2017 to fund its weapons programs and circumvent international sanctions. In 2024 alone, North Korean hackers were responsible for 61% of all cryptocurrency stolen globally, according to blockchain analysis firm Chainalysis.
Among Lazarus’s most notorious operations are the $625 million Ronin Network hack in 2022, the $1.5 billion theft from Dubai-based exchange Bybit in early 2025 (the largest crypto heist on record), and repeated attacks on South Korean targets including the 2017 Youbit exchange collapse and multiple intrusions into Bithumb and Coinrail.
For North Korea, cryptocurrency theft has become a critical source of foreign currency amid crippling sanctions and economic isolation. The regime reportedly operates sophisticated laundering networks that convert stolen digital assets into usable funds through over-the-counter brokers, fake trading accounts, and complicit exchanges.
In response to the Upbit incident, South Korean regulators are considering tougher requirements under the Virtual Asset User Protection Act, including higher mandatory reserve funds, mandatory third-party audits, and stricter controls over administrator access. The incident has also renewed calls from global law enforcement for better international cooperation to disrupt North Korean cyber operations.
Despite the significant loss, Upbit remains South Korea’s dominant cryptocurrency platform, handling over 80% of the country’s trading volume. The exchange has strengthened its security posture in recent years, achieving ISMS and ISO 27001 certifications, and maintains a user protection reserve well above regulatory minimums.
As the investigation continues, the Upbit hack serves as a stark reminder of the persistent and evolving threat posed by state-sponsored cybercriminals. For the cryptocurrency industry, it reinforces the urgent need for advanced defensive measures—multi-signature wallets, AI-powered anomaly detection, and real-time threat intelligence sharing—to protect against adversaries who operate with near-impunity and virtually unlimited resources.
With Lazarus showing no signs of slowing down, exchanges worldwide are on high alert. The battle to secure digital assets against nation-state attackers has become one of the defining challenges of the cryptocurrency era.
