South Korean authorities suspect that the November Upbit hack may have been masterminded by the notorious Lazarus Group.

Unnamed industry sources told local media that the North Korean state-backed hackers may have been behind the breach, as the recent attack bears a strong resemblance to a similar incident that hit the exchange back in 2019.

Over $30M stolen

Bad actors stole over 44.5 billion won worth of cryptocurrencies from Upbit on Thursday. Initial estimates reported an even higher loss at around 54 billion won.

According to the exchange, at least 24 different Solana-based tokens were siphoned off from a hot wallet, prompting the company to suspend all deposits and withdrawals until further notice. Upbit has vowed to reimburse all affected users from its own reserves, while an official post-mortem explaining exactly how the breach occurred is yet to be released.

However, based on initial findings, authorities believe the attack shares striking similarities with the 2019 breach when the Lazarus Group managed to siphon off around 342,000 ETH from Upbit, then worth close to $50 million.

“Instead of attacking the server, it is possible that hackers compromised administrators’ accounts or posed as administrators to make the transfer,” one of the sources speculated.

Based on previous investigations, the Lazarus Group is known to employ complex and highly targeted social engineering tactics to breach security systems, often starting with phishing or developer-targeted exploits.

Over the years, the group has stolen billions of dollars’ worth of digital assets, with many experts and intelligence agencies concluding that these funds help finance North Korea’s weapons program.

Although major jurisdictions have attempted to contain the threat by imposing sanctions and cracking down on known affiliates, Lazarus continues to operate globally and remains a persistent threat to the crypto sector.

On-chain analysis conducted by blockchain intelligence firm Dethective shows that the stolen funds were swapped for USDC and bridged to Ethereum, a laundering path that has frequently been used in past Lazarus operations.

“It is the tactic of Lazarus to transfer crypto to wallets at other exchanges and attempt money laundering,” a security official said, stressing that such obfuscation makes the stolen assets significantly harder to trace.

To further mask their movements, bad actors, including the Lazarus Group, often rely on privacy-enhancing tools such as crypto mixers, which have come under increasing scrutiny by regulators over the past year due to their frequent association with these incidents.

However, one security official cited in the report speculated that the timing of the attack may have been intentional, describing it as a possible act of “self-display” to coincide with Naver Corp.’s announcement.

Upbit’s parent company, Dunamu, and Naver’s merger, which was officially announced just a day before the breach, is expected to close soon. The acquisition paves the way for a potential public listing in the United States, signaling Upbit’s broader expansion plans.

Lazrus Group is behind one of the largest crypto hacks

A number of high-profile security incidents this year, including multiple attacks on crypto exchanges, are believed to have been orchestrated by the state-sponsored hacking group.

One of the biggest attacks masterminded by the group transpired in February this year, with the group managing to get away with roughly $1.5 billion siphoned off the crypto exchange ByBit. Investigations conducted by the FBI attributed the hack to Lazarus Group’s “TraderTraitor” subunit, which has been previously linked to other sophisticated state-sponsored exploits.