South Korea Suspects North Korea-Linked Lazarus Behind $36M Upbit Hack
On Thursday, South Korea's largest digital asset exchange, Upbit, suspended deposits and withdrawals after detecting unusual activity involving Solana network tokens.

What to know:
- South Korean authorities are considering the Lazarus group, linked to North Korea, as a possible source of Thursday's Upbit hack, according to Yonhap.
- Upbit suspended transactions after detecting unusual activity in Solana tokens, confirming a major breach of its hot wallet.
- The hack coincided with a merger announcement involving Upbit's parent company, Dunamu, and tech giant Naver, fueling speculation about the timing.
South Korean authorities investigating the multi-million-dollar hack at the local exchange Upbit are considering the North Korea-linked Lazarus group as a possible source, according to a Yonhap report.
On Thursday, South Korea's largest digital asset exchange, Upbit, suspended deposits and withdrawals after detecting unusual activity involving Solana network tokens. The exchange subsequently confirmed that it had suffered a hack involving the unauthorized withdrawal of approximately 54 billion Korean won (approximately $36–$37 million) from a hot wallet. This hack marks the exchange's second major hot wallet breach in six years.
South Korean authorities suspect the 2025 Upbit hack involved the hijacking or impersonation of admin credentials, mirroring the tactics of the Lazarus Group in the 2019 breach. Security pundits noted a high probability that North Korea, facing foreign currency shortages, orchestrated the theft, with some highlighting how the stolen funds were laundered using mixing techniques, a method known to be used by Lazarus.
The day of the hack, Nov. 27, coincided with a major corporate merger announcement involving Upbit's parent company, Dunamu, and Korean tech giant Naver. This has added to speculation about Lazarus' involvement in the hack.
"Hackers tend to have a strong desire to show off," a security expert told Yonhap, adding that "it is possible that they chose the 27th as the hacking date because they wanted to show off by choosing the day of the merger."