South Korean media report that the recent breach of crypto exchange Upbit may have been carried out by the Lazarus Group, the notorious North Korean state-aligned hacking collective. Investigators claim the attack bears a striking resemblance to a major incident in 2019, when attackers siphoned 342,000 ETH from the platform.
On November 26, 2025, Upbit confirmed that its hot wallet had been compromised. The attackers withdrew a mix of crypto assets, including memecoins and USDC. Some of the stolen funds have reportedly been traced and frozen, but the full scope of the incident remains under review.
Upbit initially estimated the loss at ₩54 billion (about $36.8 million), later revising the figure downward to ₩44.5 billion (roughly $30.4 million). The exchange has not yet disclosed technical details about the vulnerability used in the breach.
According to sources referenced by Yonhap News, the intrusion method mirrors the 2019 attack. Back then, South Korean police concluded that Lazarus was responsible.
One government insider told Yonhap that the hackers may not have attacked Upbit’s servers directly. Instead, they might have compromised an administrator account or executed transactions while posing as an authorized employee—a tactic consistent with Lazarus operations in the past.
“We are examining the possibility that this was not a server intrusion but unauthorized use of an administrator’s credentials. This method aligns with what happened six years ago,” the source said.
Following the breach, the Financial Supervisory Service (FSS) and the Korea Internet & Security Agency (KISA) launched formal inspections of Upbit’s systems and procedures. At the time of reporting, Upbit had not issued additional comments on the ongoing investigation.

