N. Korea’s Lazarus Group suspected to be behind $30M Upbit hack

Getting your Trinity Audio player ready...

North Korea state-linked hacking group Lazarus is suspected of being behind the breach on November 27 of approximately KRW 45 billion ($30.6 million) worth of digital assets from South Korea’s largest cryptocurrency exchange, Upbit.

A report on November 28 from South Korean outlet The Korea Times, citing “government and business sources,” authorities plan to conduct an on-site investigation at Upbit, under suspicion that the Lazarus Group was behind the November 27 hack.

Lazarus Group, also known as APT38, is a notorious hacking organization that has been confirmed to receive support from North Korea’s government, a claim backed by several security agencies. It is behind—among other attacks—the record-breaking February 2025 hack of digital asset exchange Bybit, in which the group stole $1.4 billion worth of Ethereum’s ETH token. In 2023, the Federal Bureau of Investigation (FBI) also identified the group as the primary suspect in the infamous Harmony heist, which occurred in June 2022.

North Korea—the Democratic People’s Republic of Korea (DPRK)—has been continuously under some form of sanction since the end of the Korean War in 1953. In recent years, it has increasingly turned to hacking and cyberattacks as a means to generate and launder money, with the digital asset and blockchain space proving particularly lucrative.

In relation to the group’s latest suspected attack, Dunamu, which operates the digital asset exchange Upbit, confirmed on Thursday the transfer of KRW 44.5 billion worth of Solana-affiliated assets to an unauthorized wallet address and stated that it plans to cover the full amount with assets the company owns.

“Following the detection of the abnormal withdrawal, Upbit immediately conducted an emergency security review of the relevant network and wallet systems,” said Oh Kyung-seok, CEO of Dunam. “To prevent any damage to member assets, the entire amount will be covered by Upbit’s holdings. We would like to reiterate that this will not affect member assets.”

The exchange also committed to implementing several new measures to protect members’ assets, including transferring all assets to a secure cold wallet to prevent further abnormal transfers; attempting to freeze relevant digital asset transactions on-chain; and conducting a comprehensive review of the stability and security of its entire digital asset deposit/withdrawal system, “not just the Solana network.”

Watch: Solving cyber crime