South Korea Suspects North Korea Behind Upbit Crypto Exchange Hack

South Korean authorities have launched an investigation into a cyberattack on the country's largest crypto exchange, Upbit, in which approximately $36 million in cryptocurrency was irregularly withdrawn from the platform's Solana hot wallet. Investigators suspect North Korea's state-linked Lazarus Group and are preparing an on-site probe at the exchange.

The attack occurred on Thursday, 27 November, just one day after South Korean internet conglomerate Naver announced the acquisition of Upbit's operator, Dunamu Corp., in a $10.27 billion stock swap deal. Upbit froze affected wallets, moved remaining assets to cold storage, and pledged full reimbursement to customers. Blockchain security firm PeckShield first flagged the anomalous withdrawals, while CertiK tracked over 100 exploiter addresses on Solana, noting that the speed and scale of the withdrawals were reminiscent of previous Lazarus-related attacks, though no definitive on-chain evidence has been confirmed. The Lazarus Group previously targeted Upbit in a 2019 heist worth 58 billion won, and Arkham Intelligence attributed the $1.4 billion Bybit hack in February to the group.

The timing is particularly sensitive, as Naver's acquisition may face added scrutiny, while the breach once again underscores the national security dimension of North Korean cybercrime and the vulnerability of crypto exchange infrastructure.

Sources:

  1. https://moderndiplomacy.eu/2025/11/28/seoul-blames-north-korea-after-massive-upbit-crypto-theft/
  2. https://decrypt.co/350303/upbit-hack-north-koreas-lazarus-seoul-opens-probe
  3. https://www.theregister.com/2025/11/28/naver_upbit_crypto_heist/