North Korea’s notorious Lazarus hacker group is suspected of stealing around 44.5 billion won (approximately 30.4 million dollars) from Upbit – by far South Korea’s largest crypto exchange.
The exchange reported unusual withdrawals of Solana-based crypto assets and immediately halted all deposits and withdrawals. According to the South Korean news agency Yonhap, authorities are preparing an on-site inspection at Upbit, as the attack pattern resembles that of 2019 – when 342,000 ETH (today worth nearly 1 billion USD) were stolen from the exchange. South Korean police already concluded in 2024 that the Lazarus Group was behind that theft. At least 24 Solana-based tokens were drained from a compromised hot wallet. On-chain data shows that a wallet linked to the attack has already begun swapping Solana for USDC and moving funds via bridges to Ethereum.
Proven tactic: social engineering instead of technical exploit
The attackers’ suspected method follows a familiar pattern: instead of attacking servers directly, the hackers likely compromised administrator accounts or impersonated administrators to authorize transactions. This social engineering method has proven extremely profitable for the Lazarus Group.
The current Upbit case joins a long series of high-profile crypto thefts. In 2025 alone, North Korean hackers stole more than 2 billion dollars in cryptocurrencies – the highest annual total ever recorded. The bulk of that came from the 1.46 billion dollar theft from the exchange Bybit in February 2025. Additional attacks targeted LND.fi, WOO X and Seedify.
Looking further back reveals the full scale: the Lazarus Group is blamed for thefts totaling between 5 and 6 billion dollars from 2017 to 2025. Among the most spectacular cases are the Ronin Bridge hack in March 2022 involving 625 million dollars, and the 100 million dollar attack on the Harmony Horizon Bridge in June 2022. In both cases, the FBI confirmed the involvement of the North Korean hacker group. Moreover, the perpetrators systematically used the mixer Tornado Cash for money laundering, funnelling more than 555 million dollars from these two hacks through the service.
State financing through cybercrime: North Korea’s business model
What distinguishes these attacks from typical cybercrime is their geopolitical dimension. The North Korean government relies on a broad range of illicit activities, including cybercrime, to generate revenue for its weapons of mass destruction and missile programs. State-linked hackers are explicitly tasked with obtaining foreign currency through illegal means.
The numbers are alarming. Stolen cryptocurrencies could account for up to 13 percent of North Korea’s GDP. Some estimates suggest that more than half of the budget for missile development is financed through cybercrime. A report by the United Nations Multilateral Sanctions Monitoring Team, titled "The DPRK’s Violation and Evasion of UN Sanctions Through Cyber and Information Technology Worker Activities", underscores that North Korea’s malicious cyber activities pose a threat to international security.
In November 2025, the US Treasury Department responded with sanctions against eight individuals and two organizations involved in laundering proceeds from North Korean cybercrime. Meanwhile, the Lazarus Group’s tactics have evolved: while earlier attacks often exploited technical vulnerabilities within crypto infrastructure, most hacks in 2025 have been conducted via social engineering. This shift significantly complicates defense, as humans remain the weakest link in the security chain.
Upbit’s dominance and the question of exchange security
The attack strikes at the most vulnerable point of South Korea’s crypto ecosystem. According to the South Korean financial regulator FSS, Upbit controls 71.6 percent of domestic crypto trading volume – processing 833 trillion won (642 billion dollars) in crypto transactions in the first six months of 2025 alone. Some sources even cite a market share of more than 80 percent. More than 2 billion dollars change hands on the platform every day.
The next largest competitor, Bithumb, reaches only 25.8 percent market share. Smaller exchanges such as Coinone, Korbit and GOPAX together contribute less than 5 percent of market volume. This extreme concentration makes Upbit a highly attractive target for state-backed hackers and raises fundamental questions about the security architecture of centralized exchanges.
Upbit responded immediately: operator Dunamu temporarily halted transactions and announced that all affected users would be fully compensated. But the incident shows how fragile even market-leading platforms can be. Just two days before the hack, South Korean tech giant Naver announced plans to acquire Upbit for 10.3 billion dollars – the largest acquisition in South Korea’s history. The hack will likely delay the transaction and intensify due diligence procedures.
Regulatory powerlessness against state-sponsored attacks
The Upbit case highlights a fundamental dilemma. Even if exchanges comply with strict regulatory requirements, they remain vulnerable to highly professional, state-funded attackers. North Korea’s cyber arsenal has been built over years and possesses resources far beyond those of ordinary criminal actors. Cross-border law enforcement reaches its limits when confronting these state-backed operatives. While Western authorities can impose sanctions and dismantle laundering networks, the regime in Pyongyang itself remains untouchable. The stolen funds flow through complex mixer services and decentralized exchanges before being converted into fiat currencies or used for weapons purchases.
For investors and the industry, this has concrete implications. Holding large crypto balances on centralized exchanges carries a risk that no amount of regulation can fully eliminate. Institutional custody solutions with multi-signature wallets, hardware security modules and geographically distributed cold storage systems are becoming the standard for professional market participants.
Next steps for Upbit
South Korean authorities have announced an on-site inspection at Upbit in the coming days. The focus will be on how the attackers gained access to administrator accounts and whether internal security protocols were violated. If negligence or inadequate security architecture can be proven, Upbit faces significant penalties.
For the planned acquisition by Naver, the hack is a setback. Some analysts expect the transaction to be revalued, with Naver potentially pushing for a lower purchase price. If the acquisition fails entirely, it could fundamentally reshape South Korea’s fintech landscape and give smaller exchanges a chance to regain market share. Internationally, the case is likely to increase pressure on mixer services and privacy coins. The United States and the EU have already announced plans to tighten regulation of money-laundering tools.
The Upbit hack is more than just another entry in the long list of crypto thefts. It shows that state-sponsored cybercrime has become a serious threat to the industry, and that neither regulation nor technology alone can provide a solution. The answer lies in a combination of robust security standards, international law-enforcement cooperation and a fundamental rethinking of digital asset custody.