
Lazarus Group Tied to Latest $36M Upbit Hack

South Korean authorities suspect the state-sponsored Lazarus Group orchestrated the theft of 54 billion won in Solana assets from Upbit, citing forensic evidence that mirrors the exchange's 2019 breach.

The Lazarus Group appears to have struck South Korea’s largest cryptocurrency exchange for the second time in six years. Intelligence sources indicate the North Korean state-sponsored syndicate orchestrated the November 27 Upbit hack, draining approximately $36 million in Solana assets on the exact anniversary of their 2019 breach of the same platform.

Key Takeaways
  • Repeat Offender: Forensic analysis links the breach to the Lazarus Group, noting the attack occurred on the exact anniversary of the syndicate's 2019 hack of Upbit.
  • Solana Wallets Drained: The attackers exploited a hot wallet vulnerability to siphon $36.8 million in SOL, BONK, and JUP on November 27.
  • Crisis Averted: Upbit parent company Dunamu blocked the impact on users by pledging immediate, full reimbursement from corporate funds.
Anatomy of a Repeat Lazarus Group Attack

The attack, which targeted Upbit’s hot wallets, left forensic signatures unique to the Pyongyang-linked group. According to a report from Yonhap News Agency, investigators identified sophisticated “mixing” techniques and wallet-hopping patterns designed to obfuscate the trail of funds, tactics that mirror the group’s $50 million theft from Upbit in 2019.

The breach occurred late Wednesday, triggering “abnormal withdrawals” of Solana (SOL), Bonk (BONK), and other ecosystem tokens. Internal audits suggest the attackers exploited a vulnerability allowing them to derive private keys directly from on-chain data, a technical escalation that bypasses standard multi-signature security layers.

Lazarus Group Funding the Regime

The attribution to Lazarus (APT38) elevates this from a criminal theft to a geopolitical incident. The U.S. Treasury identifies the group as an arm of North Korea’s Reconnaissance General Bureau.

The syndicate is tasked with generating revenue for the regime’s nuclear weapons program to offset the crippling impact of international sanctions. By targeting the Solana ecosystem during a period of thin “Black Friday” liquidity, the attackers managed to siphon billions of Korean won before Upbit triggered emergency protocols.

Dunamu Stops the Bleeding From Upbit Breach

While the security failure is alarming, Upbit’s parent company, Dunamu, moved instantly to neutralize the market fallout. The exchange suspended all deposits and withdrawals and migrated remaining assets to air-gapped cold storage.

Upbit’s CEO issued a public apology and confirmed the exchange would absorb 100% of the losses. “We will fully reimburse impacted users to maintain trust,” the company stated. This liquidity backstop prevented a panic sell-off, with Solana prices dipping only 2% before recovering.

The Upbit Breach Investigation

Police are currently tracking the stolen funds, though recovery is historically difficult against Lazarus operatives, who frequently utilize privacy protocols like Railgun and friendly OTC brokers to cash out. The incident serves as a stark reminder that even top-tier centralized exchanges remain high-value targets for nation-state actors.

Chain Street’s Take

The Upbit breach lands like déjà vu. The timing, the techniques, the quiet precision, everything points back to Lazarus, and once again a major Asian exchange is left patching a hole it didn’t see coming.

Upbit’s decision to eat the full loss steadied the market, but it doesn’t change the larger truth: North Korea’s elite hacking arm is evolving faster than centralized exchanges can harden their defenses. This wasn’t just a theft but a calibrated strike that shows how fragile hot-wallet infrastructure still is in the face of a nation-state adversary.

Frequently Asked Questions

1. Did North Korea hack Upbit?

A: South Korean authorities suspect the Lazarus Group, a North Korean state-sponsored hacking syndicate, is responsible. The attack methods and timing (the anniversary of a previous Lazarus hack) point strongly to them.

2. How much was stolen?

A: Approximately 54 billion Korean won, or $36.8 million USD, was stolen in Solana (SOL) and various tokens like BONK and JUP.

3. Will users lose money?

A: No. Upbit has pledged to reimburse all affected users from its own corporate funds.

Alex Reeve

Alex Reeve is a contributing writer for ChainStreet.io. Her articles provide timely insights and analysis across these interconnected industries, including regulatory updates, market trends, token economics, institutional developments, platform innovations, stablecoins, meme coins, policy shifts, and the latest advancements in AI, applications, tools, models, and their broader implications for technology and markets.

The views and opinions expressed by Alex in this article are her own and do not necessarily reflect the official position of ChainStreet.io, its management, editors, or affiliates. This content is provided for informational and educational purposes only and does not constitute financial, investment, legal, or tax advice. Readers should conduct their own research and consult qualified professionals before making any decisions related to digital assets, cryptocurrencies, or financial matters. ChainStreet.io and its contributors are not responsible for any losses incurred from reliance on this information.