North Korea’s Lazarus Group Suspected In $30M Upbit Hack

North Korea’s notorious Lazarus Group is suspected of stealing about $30.6 million from Upbit, the largest crypto exchange in South Korea. 

That’s according to a Nov. 28 report by Yonhap News Agency that cited anonymous government and industry sources as saying they are increasingly confident the recent incident was orchestrated by the Lazarus Group, which has been linked to some of the biggest hacks in crypto’s history. 

Upbit said it would use its own reserves to reimburse customers whose assets were stolen in the incident. Trading on the platform remains active, but investors are unable to add or remove assets from the platform until the investigation is completed.

The sources said the authorities are getting ready to perform an on-site inspection of Upbit.

News of the hack came shortly after Naver announced a $10.3 billion acquisition of Upbit’s parent, Dunamu, via an all-stock deal. 

Upbit Says The Amount Stolen Was Less Than Originally Reported

Upbit said on Nov. 27 that it had detected suspicious withdrawals linked to one of its hot wallets and that it quickly reacted by suspending withdrawals and deposits. 

It said it transferred its remaining assets to a cold wallet, which is a wallet that is not connected to the internet. Upbit said it had also initiated on-chain freezing for the stolen assets. 

Tokens that were transferred in the incident (Source: Upbit)

A large portion of the assets were SOL ecosystem tokens, including Jupiter (JUP), Cat in a Dogs World (MEW), and Wormhole (W).

Initially, Upbit said that 54 billion won ($36.8 million) was stolen, but later revised the figure to around 44.5 billion won ($30.4 million). 

Attack Methods Used In Upbit Incident Similar To 2019 Theft

The attack methods used in the latest incident were similar to those used in a November 2019 theft of 342k ETH from Upbit, which raised further suspicions that the Lazarus Group was behind the latest attack as well. South Korean police concluded that Lazarus was behind the 2019 heist.

In the latest incident, the hackers didn’t specifically target the exchange’s servers. Instead, authorities believe they likely compromised accounts with administrator privileges or impersonated administrators to authorize the transfers.

Following the incident, hackers appear to have already swapped stolen Solana for USD Coin (USDC) and are in the process of bringing the funds to the Ethereum blockchain, according to blockchain analysts from Dethective. 

The on-chain sleuth said on X that the hackers hold approximately $1.6 million in ETH. 

Lazarus Has Hacked Other Platforms This Year

The Lazarus Group is suspected of orchestrating multiple other attacks this year, including a $1.5 billion theft of about 400k ETH tokens from crypto exchange Bybit in February.

According to on-chain investigators, the attackers manipulated a “routine wallet transfer” and tricked cold-wallet signers into approving what looked like legitimate transactions, while the underlying smart contract logic was altered to divert funds.

The Bybit attack is widely regarded as the largest crypto exchange theft in the history of digital assets. 

The Lazarus Group is also suspected to have been behind the $11.5 million theft from the Taiwanese exchange BitoPro in May. Third-party firms said that the heist matched the modus operandi of the hacker group.
