South Korean government officials are actively investigating a sophisticated cyberattack that resulted in the theft of $30 million worth of cryptocurrency from Upbit, the nation’s largest exchange, on Wednesday evening. On Friday, officials told Yonhap News Agency that initial findings strongly suggest the involvement of the North Korean Lazarus hacking group. This attribution is based on the specific methods used to breach the cryptocurrency platform and the tactics deployed to launder the stolen digital funds, which bear the distinct characteristics of previous state-sponsored North Korean cyber operations. Investigators currently believe the hackers successfully impersonated Upbit administrators to initiate the unauthorized transfer of assets.
In response to what it termed an “abnormal withdrawal,” Upbit’s parent company, Dunamu, through its CEO Oh Kyung-seok, confirmed that the platform has immediately suspended all deposits and withdrawals as a precautionary measure. The company further assured its users that all financial losses resulting from the incident will be fully covered by Upbit. The CEO also stated that following the detection of the theft, an emergency security review was conducted on the relevant network and wallet systems, and all remaining assets were swiftly transferred to a secure cold wallet to prevent any further unauthorized transfers.
The timing of the attack is notable, as it occurred just one day after the South Korean internet giant Naver finalized its $10 billion purchase of Dunamu, Upbit’s parent company. Upbit has been proactive in its recovery efforts, tracking some of the stolen funds to another wallet by Thursday and attempting to freeze those assets to block further movement by the thieves. These ongoing efforts are part of a broader collaborative investigation with government officials to contain the damage and apprehend those responsible for the breach.
Investigators are connecting this incident to a similar, major attack in 2019 where approximately $40 million was stolen from Upbit, an operation that was also officially attributed to the Lazarus group. Lazarus is recognized as one of the world’s most prolific state-backed hacking organizations, reportedly operating under the North Korean Reconnaissance General Bureau. Over the past nine years, the group has allegedly stolen billions in cryptocurrency, with blockchain monitoring firm Chainalysis reporting that North Korean government-connected hacking groups collectively stole an estimated $1.3 billion across 47 separate incidents throughout the calendar year of 2024.
The state-sponsored group has a long history of high-profile cyber thefts targeting financial institutions and cryptocurrency platforms globally. For example, the Lazarus group is also accused of stealing $1.5 billion from the Dubai-based crypto platform Bybit in February of this year. The persistent and large-scale nature of these activities has drawn international attention, with the United Nations reporting last year that it is tracking dozens of incidents over a five-year period that have netted the North Korean regime an estimated $3 billion, highlighting the country’s reliance on cybercrime for illicit revenue generation.
Reference:
