

South Korean authorities are investigating a major theft of roughly ₩44.5 billion in crypto from Upbit. The case gained urgency after early evidence pointed to North Korea’s Lazarus Group. Upbit reported abnormal withdrawals on Thursday and quickly halted deposits and withdrawals. The exchange also moved assets to cold wallets to stop further losses.
Officials confirmed that the first loss estimate reached ₩54 billion before Upbit adjusted the figure downward. Investigators are now reviewing Solana-based outflows that left hot wallets within a short time. Analysts note that earlier Lazarus activity from 2019 shows similar attack patterns.
Local media reported that authorities will conduct an on-site inspection. The plan follows growing confidence that Lazarus may have orchestrated the breach. The group has a long record of targeting exchanges across several regions.
The pivotal question: does the attack signal a renewed phase of coordinated operations by Lazarus?
Investigators are examining whether attackers gained access through compromised administrator accounts. Officials believe hackers impersonated or infiltrated internal teams to authorize transfers. This method aligns with known Lazarus strategies used in past incidents.
Upbit’s operator, Dunamu, confirmed that hot wallets handled the abnormal activity. The company immediately shifted funds into cold storage once it detected unusual movements. Dunamu also notified the relevant authorities under local regulations.
A Dunamu spokesperson said the team monitors on-chain activity and freezes suspicious transactions. This process continues as analysts track wallet activity across networks. Blockchain security firms are tracking numerous exploit addresses and waiting for new indicators.
PeckShield stated that it cannot confirm the attacker’s identity at this stage. The firm first shared Upbit’s disclosure but said it lacks evidence about the actor. CertiK reviewed more than 100 Solana-based exploiter addresses and monitored rapid fund movements.
CertiK said that the speed and structure of the withdrawals resemble previous Lazarus events. The firm continues to follow fund flows for links to known laundering networks. Investigators across agencies now monitor multi-chain transfers that may reveal new patterns.
On-chain data shows that the suspected wallet swapped Solana for USDC shortly after the breach. Analysts also recorded the wallet bridging funds to Ethereum. Dethective, a blockchain analysis provider, reports ongoing traces of these movements.
Lazarus often shifts funds across several chains through mixers and bridges. The group also uses custom malware clusters to steal holdings from targeted platforms. Their operations include social engineering campaigns and rapid laundering phases.
The latest incident comes after a major corporate update involving Upbit's operator. Naver Financial confirmed a merger with Dunamu shortly before the hack. The announcement stated that Dunamu will operate as a wholly owned subsidiary.
Naver Financial said the merger aims to build long-term growth in digital asset services. The timing adds complexity as investigators track the breach’s full impact. Agencies are now examining whether the merger environment created new openings in the exchange's systems.
South Korean police previously linked Lazarus to the 2019 theft of 342,000 ETH from Upbit. That case shaped the investigative model guiding today’s response. Authorities continue to compare indicators from both events as the new inquiry expands.
Authorities continue to examine the ₩44.5 billion Upbit hack as investigators track Solana withdrawals and on-chain fund movement linked to known Lazarus methods. The case now pushes regulators and exchanges to strengthen security controls and maintain real-time monitoring to reduce similar risks across digital asset platforms.