South Korean Officials Suspect Lazarus Group Behind Upbit’s $30 Million Hack
The investigation into Upbit’s breach has taken a sharper turn.
South Korean investigators are increasingly focused on North Korea’s Lazarus Group as the likely source of the $30 million theft from Upbit’s hot wallet, according to new reporting from Korea Times and additional security analysis. The investigation is now moving beyond coincidence and into structured state-linked attribution.
Intelligence Sources Lean Toward Lazarus
Government officials told Korea Times that early indicators align with Lazarus tactics, citing familiar asset-drain behavior, routing patterns, and infrastructure overlap with past DPRK cyber campaigns. Intelligence teams are reviewing wallet movements and network signatures that resemble Lazarus’ established playbook.
This suspicion also follows a broader historical pattern.
The 2019 Upbit breach, which resulted in a loss of roughly 58 billion won, remains one of the defining operations in North Korea’s crypto-theft portfolio. Analysts note that this latest attack mirrors both the timing and precision of that earlier incident.
A Playbook That Hasn’t Changed
Security specialists observing the blockchain flow point to hallmarks typical of Lazarus operations, including rapid multi-asset withdrawals across Solana ecosystem tokens and obfuscation techniques designed to complicate recovery efforts. Combined with the November 27 anniversary, investigators see multiple converging signals rather than isolated coincidences.
Merger Timing Now Viewed as a Vulnerability
Investigators are also considering whether the timing of Dunamu’s $10 billion merger with Naver created exploitable blind spots. Large corporate integrations often introduce operational distraction, and Lazarus has a documented history of striking during high-visibility transitions. The merger may have made Upbit temporarily more visible and less closely guarded at the same time.
Regulator Response Intensifies
The Financial Supervisory Service is conducting an on-site inspection focused largely on compliance and internal controls, assessing whether Upbit’s operating procedures were followed and whether any lapses contributed to the breach.
In parallel, South Korea’s National Police Agency and the National Intelligence Service are leading the attribution effort, which centers on determining whether Lazarus was responsible and mapping associated on-chain activity.
Upbit maintains that user funds remain fully protected and that company reserves will absorb all losses.
Bottom Line
If Lazarus is confirmed, the incident becomes more than a major exchange hack.
It becomes an extension of North Korea’s ongoing campaign to extract foreign currency through cyber theft, adding geopolitical weight to a breach that already overlapped with one of the largest corporate deals in Korea’s tech sector.
For Upbit, the merger was supposed to signal scale and strength.
Instead, the first test of that new era arrived in the form of state-linked exploitation.
Cora
My name is Cora. With a background in finance and crypto, I’m passionate about digging beyond the headlines to uncover the why behind market-moving events. I enjoy exploring how blockchain, Web3 and crypto innovation are shaping the world we live in.


