North Korea’s notorious Lazarus Group is suspected of stealing about $30.6 million from Upbit, the largest crypto exchange in South Korea. This is according to a November 28 report by Yonhap News Agency, which cited anonymous government and industry sources. These sources indicated a growing confidence that the recent incident was orchestrated by the Lazarus Group, an entity linked to some of the most significant hacks in cryptocurrency history.
Upbit has stated that it will reimburse customers whose assets were stolen in the incident using its own reserves. While trading activities on the platform remain active, investors are currently unable to add or remove assets until the investigation is completed. Authorities are reportedly preparing to conduct an on-site inspection of Upbit.
The news of the hack emerged shortly after Naver announced its acquisition of Upbit's parent company, Dunamu, for $10.3 billion in an all-stock deal.
Upbit Reports Reduced Theft Amount
Upbit announced on November 27 that it had detected suspicious withdrawals linked to one of its hot wallets. The exchange stated that it reacted swiftly by suspending withdrawals and deposits. It also confirmed the transfer of remaining assets to a cold wallet, which is not connected to the internet, and initiated on-chain freezing for the stolen assets.

A significant portion of the stolen assets consisted of SOL ecosystem tokens, including Jupiter (JUP), Cat in a Dogs World (MEW), and Wormhole (W). Initially, Upbit reported that 54 billion won ($36.8 million) was stolen, but later revised this figure to approximately 44.5 billion won ($30.4 million).
Attack Methods Echo 2019 Upbit Theft
The attack methods employed in the recent incident bear similarities to a November 2019 theft of 342k ETH from Upbit, which has further fueled suspicions that the Lazarus Group was responsible. South Korean police had previously concluded that Lazarus was behind that heist.
In the latest incident, the hackers did not specifically target the exchange's servers. Authorities believe they likely compromised accounts with administrator privileges or impersonated administrators to authorize the transfers.
Blockchain analysts from Dethective have reported that hackers appear to have already swapped stolen Solana for USD Coin (USDC) and are in the process of transferring the funds to the Ethereum blockchain.
Update:
The Upbit hacker swapped SOL → USDC and is now slowly bridging funds to Ethereum.
Current holdings: ~$1.6M in ETH https://t.co/AnpYOyj4KQ pic.twitter.com/T0DrMR7MQa
— dethective (@dethective) November 27, 2025
The on-chain sleuth also stated on X that the hackers currently hold approximately $1.6 million in ETH.
Lazarus Group's Activity in 2025
The Lazarus Group is suspected of orchestrating multiple other attacks this year. These include a February incident involving a $1.5 billion theft of approximately 400k ETH tokens from the crypto exchange Bybit. According to on-chain investigators, the attackers manipulated a "routine wallet transfer" and tricked cold-wallet signers into approving what appeared to be legitimate transactions, while altering the underlying smart contract logic to divert funds.
The Bybit attack is widely considered the largest crypto exchange theft in the history of digital assets.
Furthermore, the Lazarus Group is also suspected of being behind the $11.5 million theft from the Taiwanese exchange BitoPro in May. Third-party firms have indicated that the heist aligns with the hacker group's modus operandi.

