Crypto Hacks in 2025: Major Exchanges Fall Victim to Fraudsters

Source: cryptonews.net
Calvin James

Upbit, South Korea's largest cryptocurrency exchange, recently faced a new security incident after discovering an unauthorized outflow of around ₩54 billion, or around $36 million, in Solana-related assets. The company immediately froze deposits and withdrawals across its digital asset services.

Investigators in Seoul have since opened a formal investigation, with initial analysis pointing towards methods typically used by the Lazarus Group, one of the most infamous state-linked cyber operations in the world.

The attack comes in a year characterized by record-breaking rates of crypto theft; 2025 has become the most damaging year in the history of digital asset crime. With stolen funds growing faster than in the last several years, the Upbit breach is another indication of a more hostile environment for exchanges, users and decentralized platforms.

The hack came to light after Upbit's systems spotted unusual outbound transfers involving a number of Solana-linked wallets. The exchange's operator, Dunamu, confirmed the unauthorized outflow of funds a few moments later, and a high-security lockdown was instituted.

Upbit insisted that customers would be compensated from its own reserves and that member assets would not bear any part of the loss. The exchange also said that about ₩12 billion worth of tokens had already been frozen through cooperation with partner institutions, and that further efforts were in progress to trace and freeze the rest of the stolen funds.

The South Korean government immediately began investigating the attack, with authorities noting that it resembled the 2019 breach of Upbit, which caused a loss of ₩58 billion and was later blamed on the Lazarus Group. According to sources cited by Yonhap News Agency, the most recent incident bore the same signatures as older Lazarus attacks, such as peculiarities in transaction routing and the pattern of withdrawal timing.

The cybercrime department of the National Police Agency is already conducting a forensic investigation, and South Korea's intelligence community is studying cross-chain fund movements to identify the presence of known Lazarus infrastructure.

The United States and various European agencies have long described Lazarus as a highly sophisticated cyber threat, able to penetrate major financial systems and exploit blockchain networks through both technical and social engineering methods. The Upbit case adds to a growing list of incidents in which state-linked actors are widening their focus to exchanges with high liquidity and a large footprint.

November Records Another Expensive Month in Crypto Theft

The Upbit breach came in a month that had already witnessed large losses in the crypto industry. According to CertiK's November threat report, confirmed losses from exploits, scams and wallet breaches amounted to about $127 million. The original damage estimate was over $172 million; the net figure decreased after recoveries and asset freezes.

The most impactful event was the attack on liquidity protocol Balancer, which alone caused over $113 million in damages. The exploit impacted various Ethereum-associated ecosystems and Layer-2 platforms, disrupting liquidity pools and affecting associated decentralized applications. Berachain's BEX platform incurred a further loss of $12 million, but announced that the stolen funds could be successfully frozen or retrieved, which contributed to the overall amount (45 million) frozen or recovered during the month.

Other platforms also reported serious vulnerabilities, among them Beets and Gana Payment, which recorded losses of over $3.8 million and $3.1 million respectively. Although smaller than the major protocol breaches, they highlighted unresolved gaps in operational security and user-facing attack surfaces.

November statistics indicate that decentralized finance platforms bore the greatest share of losses, in contrast to October, when bridge attacks topped global losses. During the month, DeFi protocols suffered over $134 million in confirmed exploit-related losses, mainly due to code vulnerabilities in smart contracts. Wallet compromises added approximately $33 million to the tally, and were usually caused by stolen credentials or malware.

Phishing cases, although still widely reported, decreased significantly. Phishing-related losses in November were approximately $5.8 million against $28 million in October, but analysts warned that the decline did not represent a long-term trend. Exchanges were the next most affected category, with the Upbit incident a contributing factor; losses there totaled nearly $29 million due to operational breaches.

2025 Becomes the Worst Year for Crypto Crime

A Chainalysis analysis published in mid-2025 shows that over $2.17 billion in cryptocurrency was stolen in the first half of 2025 alone. This figure already exceeds the total stolen in all of 2024 and represents a trend that will approach or even surpass $4 billion by the end of the year.

The most notable event in the 2025 threat landscape is the $1.5 billion ByBit hack carried out by North Korea. It is the biggest single crypto theft on record and accounts for about 70% of all value stolen from services this year. What was particularly remarkable about the attack was its size and, more importantly, its approach, which allegedly included a deep infiltration of IT staff through advanced social engineering. Other DPRK-affiliated attacks have followed the same infiltration techniques, implying that state-backed groups are increasingly exploiting internal human weaknesses rather than relying on purely technical breaches.

Service-level attacks dominate when judged by headline losses, but personal wallet compromises have taken an ever-growing share of total criminal activity. Chainalysis projects that individual wallets now account for more than 23% of all stolen funds in 2025, indicating an increase in targeted malware, credential harvesting and sophisticated phishing operations.

Stolen assets held in attacker-controlled personal wallet addresses now total roughly $8.5 billion, compared to $1.28 billion from service-level attacks that remains on-chain. The implication of this trend is that attackers often prefer to leave stolen money sitting idle rather than laundering it immediately, perhaps because they are more confident in their ability to go undetected or are waiting for an opportune moment based on market factors.