Authorities Suspect Lazarus, Tied to North Korea, in $36 Million Upbit Breach

South Korea’s largest cryptocurrency exchange, Upbit, suspended deposits and withdrawals on Thursday after detecting suspicious activity in Solana network tokens. The exchange confirmed that a hot wallet had been hacked, resulting in unauthorized withdrawals of approximately 54 billion Korean won (around $36–$37 million). This is Upbit’s second major hot wallet breach in six years.

According to Yonhap, investigators are looking into the North Korea-linked Lazarus Group as a potential source of the attack. Authorities suspect the breach may have involved hijacked or impersonated admin credentials, similar to tactics used by Lazarus in Upbit’s 2019 hack. Security experts also pointed out that North Korea, facing foreign currency shortages, has previously laundered stolen funds through mixing services, a method consistent with Lazarus operations.

The hack occurred on November 27, coinciding with a high-profile merger announcement between Upbit’s parent company, Dunamu, and Korean tech giant Naver. “Hackers often choose dates to make a statement,” a security expert told Yonhap, noting that the timing may have been intended to attract attention.