Join our Telegram channel to stay up to date with the latest news
North Korea’s notorious Lazarus Group is suspected of stealing around $30.6 million from Upbit, South Korea’s largest crypto exchange.
This is according to a November 28 report by Yonhap News Agency which cited anonymous government and industry sources saying they were increasingly convinced that the recent incident was orchestrated by the Lazarus Group, which has been linked to some of the biggest hacks in crypto history.
Upbit said it would reimburse customers whose assets were stolen in the incident using its own reserves. Trading activities on the platform are still active, but investors cannot add or remove assets from the platform until the investigation is complete.
The sources indicated that authorities are preparing to conduct an on-site inspection of Upbit.
News from The hack came shortly after Naver announced the $10.3 billion acquisition of Upbit’s parent company, Dunamu, via an all-stock transaction.
Upbit claims the amount stolen was less than initially reported
Upflow said on November 27, that it had detected suspicious withdrawals linked to one of its hot wallets and that it had quickly reacted by suspending withdrawals and deposits.
He said he transferred his remaining assets to a cold wallet, that is, a wallet that is not connected to the Internet. Upbit said it has also launched the on-chain freeze of stolen assets.
Tokens transferred during the incident (Source: Upbit)
A large portion of the assets were SOL ecosystem tokens and included Jupiter (JUP), Cat in a Dogs World (MEW), and Wormhole (W).
Initially, Upbit said 54 billion won ($36.8 million) was stolen, but later revised that figure to around 44.5 billion won ($30.4 million).
Attack Methods Used in Upbit Incident Similar to 2019 Theft
The attack methods used in the latest incident were similar to those used in a theft of 342,000 ETH from Upbit in November 2019, raising new suspicions that the Lazarus Group was behind it. South Korean police concluded that Lazarus was behind the robbery.
In the latest incident, the hackers did not specifically target the exchange’s servers. Instead, authorities believe they likely compromised accounts with administrator privileges or impersonated administrators to authorize the transfers.
Following the incident, the hackers appear to have already exchanged the stolen Solana for USD Coin (USDC) and are in the process of bringing the funds to the Ethereum blockchain, according to blockchain analysts at Dethective.
Update:
The Upbit hacker swapped SOL → USDC and is now slowly moving funds to Ethereum.
Current holdings: ~$1.6 million in ETH pic.twitter.com/T0DrMR7MQa
– detective (@dethective) November 27, 2025
The on-chain detective said on X that the hackers held around $1.6 million in ETH.
Lazarus hacked other platforms this year
The Lazarus group is suspected of having orchestrated several other attacks this year, notably in February $1.5 billion theft of approximately 400,000 ETH tokens from crypto exchange Bybit.
According to chain investigators, the attackers had manipulated a “routine wallet transfer” and tricked cold wallet signers into approving what appeared to be legitimate transactions. During this time, the underlying logic of smart contracts was modified to divert funds.
The Bybit attack is widely considered the largest crypto exchange theft in digital asset history.
The Lazarus Group is also suspected of being behind the theft of $11.5 million from the Taiwanese exchange BitoPro in May. Third-party companies said the heist fit the hacker group’s modus operandi.
Related articles:
Best Wallet – Diversify your crypto portfolio
- Easy-to-use, feature-driven crypto wallet
- Get Early Access to Upcoming Token ICOs
- Multi-chain, multi-wallet, non-custodial
- Now on App Store, Google Play
- Stake to win a $BEST native token
- More than 250,000 active users per month
Join our Telegram channel to stay up to date with the latest news
