
South Korea Probes Lazarus Link After $30 Million Upbit Hack

thecryptobasic.com, 28 November 2025 04:48, UTC

South Korea’s largest crypto exchange, Upbit, is investigating a major breach that resulted in the siphoning of approximately $30.4 million in digital assets.

Early findings, shared with Yonhap News Agency by government and industry sources, suggest the attack may once again be linked to North Korea’s Lazarus Group.

Authorities Probe Possible Lazarus Link

According to the sources, investigators see notable overlaps between the latest intrusion and previous Lazarus operations. These similarities have prompted regulators to arrange an on-site inspection of Upbit. The review aims to identify vulnerabilities and understand how the attackers gained internal access.

The investigation began after Upbit detected abnormal withdrawals in several Solana-based tokens on Thursday. The exchange paused deposits and withdrawals within minutes and initiated a detailed systems check.

Although Upbit initially estimated losses at $38 million, the company later revised the number to approximately $30.4 million after completing its asset review.

Signs Resemble Upbit’s 2019 Breach

Officials say the new incident echoes the tactics seen in Upbit’s 2019 hack, which cost the exchange 342,000 ETH. South Korean police concluded last year that Lazarus was responsible for the earlier theft.

With the latest breach showing comparable patterns, authorities are considering whether the same group has targeted the exchange again.

A government official told Yonhap that the attackers likely gained access to administrative accounts. They may have impersonated staff members or compromised credentials to approve transfers.

This approach points to targeted account manipulation rather than a direct attack on Upbit’s servers, reinforcing comparisons to previous Lazarus operations.

Movement of Stolen Funds Raises Further Flags

On-chain evidence also supports these concerns. Blockchain analysis provider Dethective reported that a wallet linked to the suspected hacker has already begun moving funds. The attacker has swapped Solana for USDC and is shifting assets to Ethereum through cross-chain bridges.

Such activity aligns with laundering patterns commonly observed after major crypto thefts.

Update:

The Upbit hacker swapped SOL → USDC and is now slowly bridging funds to Ethereum.

Current holdings: ~$1.6M in ETH https://t.co/AnpYOyj4KQ pic.twitter.com/T0DrMR7MQa

— dethective (@dethective) November 27, 2025

Notably, the breach unfolded as Upbit’s parent company, Dunamu, entered a significant transition. One day before the hack, Naver Financial confirmed it would acquire Dunamu as a wholly owned subsidiary.

Naver said the move aims to strengthen its digital-asset strategy, adding another layer of scrutiny as Upbit navigates both a structural shift and a large-scale security incident.
