New attack on Upbit: traces lead to the Lazarus group
According to investigators, the attack may be linked to events surrounding the merger of Dunamu and Naver.
28.11.2025 - 10:30
Key points:
- Over 44 billion won in cryptocurrency was stolen from Upbit.
- The nature of the attack points to the North Korean Lazarus group, which has previously hacked the exchange.
- The stolen funds were partially converted to USDC and Ethereum using a typical money laundering scheme.
According to industry sources, North Korean hackers may be behind the attack on the Upbit exchange. The current incident is very similar to the 2019 hack, which was linked to the Lazarus group.
The attackers stole cryptocurrency worth more than 44.5 billion won. Earlier, the damage was estimated at 54 billion won. The hackers withdrew at least 24 Solana-based tokens from the exchange’s hot wallet. Upbit suspended all operations and promised to compensate users for their losses.
According to preliminary data, the attack scheme resembles Lazarus’ actions in 2019, when 342,000 ETH were stolen. Sources suggest that the attackers may have gained access to administrator accounts or impersonated them.
Lazarus’ methods
The group uses advanced social engineering techniques, including phishing and exploits. Over the years, it has stolen billions of dollars worth of digital assets. According to intelligence agencies, some of these funds are used to finance North Korea’s weapons program.
Dethective analysts found that the stolen assets were converted to USDC and moved to the Ethereum network. This is a typical money laundering scheme characteristic of Lazarus. Hackers also use crypto mixers, which complicates the tracking of transactions and attracts the attention of regulators.
Some sources suggest that the attack may have been staged. This is linked to the announcement of the merger between Dunamu (Upbit’s parent company) and Naver. The deal paves the way for a potential listing in the US and could be part of an expansion strategy.