Report Claims North Korean Group Orchestrated $30M Crypto Hack in South Korea

• Upbit replaced all stolen user funds while investigators track a Lazarus-style laundering trail.
• South Korea’s FIU targets Korbit, Gopax, Bithumb, and Coinone with penalties after compliance failures.

South Korean authorities say a North Korean state-backed hacking group likely stole about 44.5 billion won, roughly 30 million dollars, from the country’s largest crypto exchange, Upbit. The breach hit a Solana hot wallet on Nov. 27, according to Upbit’s operator Dunamu.

Around 4:42 a.m. local time, the exchange detected abnormal withdrawals of Solana-based tokens and quickly suspended deposits and withdrawals on the network. The stolen assets included SOL, USDC, and a basket of other Solana ecosystem tokens that were sent to an external wallet not controlled by the exchange.

Soon after the incident, Yonhap and other local outlets reported that investigators see “North Korean fingerprints” on the attack. Officials said the operation bears similarities to the 2019 Upbit hack, as featured in our coverage, when 58 billion won worth of Ethereum disappeared in a case later tied to North Korea’s Lazarus Group.

South Korea’s police cyber unit, financial regulators, and intelligence agencies are conducting on-site inspections at Dunamu. They are tracing flows linked to about 44.5 billion won in stolen crypto and reviewing whether compromised or impersonated administrator credentials opened the door, rather than a direct break of Upbit’s core servers.

Upbit Pays Back $30M Losses as Suspected North Korean Trail Appears

Upbit said it has already reimbursed all affected member assets from its own reserves and absorbed a corporate loss of about 5.9 billion won. It also reported freezing a portion of the stolen funds with help from project teams and blockchain analytics firms, while shifting remaining Solana holdings into cold storage.

As the investigation unfolds, blockchain traces show the attacker quickly swapped multiple Solana tokens into wrapped Solana and SOL, then moved the proceeds across roughly 185 wallets before bridging into Ethereum. That pattern, according to analysts, matches earlier Lazarus-linked laundering routes.

South Korea Targets Four More Exchanges After Upbit Case

Meanwhile, South Korea’s Financial Intelligence Unit is now turning to Korbit, Gopax, Bithumb, and Coinone after the Upbit incident. Regulators plan penalties for these four platforms following a 35.2 billion won fine against Dunamu, as previously mentioned in our report, the operator of Upbit, for weak anti–money laundering and customer checks.

Inspectors ran on-site reviews across the exchanges from 2024 into early 2025 and kept finding similar problems. They flagged poor ID verification, slow reports of suspicious activity, and large transfers that slipped past AML controls. As a result, authorities expect further sanctions to land in the first half of next year.