Upbit $30 Million Hack Update: Investigators Point to North Korean Hacking Group “Lazarus.”

Key Takeaways
- South Korean authorities suspect North Korean hackers were behind the Upbit hack that occurred on November 27, 2025.
- Rumors say that the North Korean hacking group Lazarus is behind the Upbit hack.
- The hack on South Korea’s largest cryptocurrency exchange resulted in the unauthorized withdrawal of $36.9 million in digital assets.
- Six years ago, on November 27, 2019, Upbit experienced a major hack, which authorities later attributed to the same North Korean cyber group.

The South Korean government and the information and communications technology (ICT) industry conducted an on-site inspection of the country's largest cryptocurrency exchange, Upbit, on November 28. The inspection was carried out in light of the possibility that the unauthorized access was the work of Lazarus, a North Korean hacking organization affiliated with the country's Reconnaissance General Bureau. Upbit, South Korea’s largest virtual asset exchange, suffered a hack worth approximately $36.9 million on November 27, 2025, affecting more than 20 different tokens. Upbit experienced a similar breach on November 27, 2019, when 58 billion won worth of Ethereum stored on the exchange was stolen; investigations linked that theft to the same North Korean hacking organization.
Yonhap, the national news agency of South Korea, reported that Lazarus was strongly suspected of being behind the 44.5 billion won virtual asset hacking incident at Upbit. According to the news agency, Lazarus has stolen 2.7 trillion worth of digital assets this year alone, including in the hack of BitoPro, a Taiwanese virtual asset exchange. The North Korean hacking group was also involved in the Bybit hacking incident in February 2025, in which 2 trillion won worth of Ethereum was reportedly stolen.
The recent Yonhap report confirmed that the hackers used the same methods in the latest attack as in the 2019 theft. According to the agency, the similarity between the two attacks supports the assumption that Lazarus could be behind the hack. The timing of the recent Upbit hack was also notable: it occurred exactly six years after the first attack, which resulted in the loss of 58 billion won worth of Ethereum. A security expert told Yonhap that hackers tended to have a strong desire to show off and speculated that it was possible that they had chosen the 27th as the hacking date because they wanted to show off by choosing the day of the merger. Hwang Seok-jin, a professor at Dongguk University’s Graduate School of International Information Security, commented that, six years ago, an attack believed to have been perpetrated by North Korea’s Lazarus group had resulted in the theft of 58 billion won worth of cryptocurrency from Upbit. He added that the similar timing and other circumstances raised suspicions.
Upbit Vows Full Reimbursement As Experts Trace $30m Hack To North Korea’s Lazarus Group
Upbit quickly initiated safety measures and moved all its assets to a secure cold wallet to prevent further exposure to malicious attacks and transactions. The exchange described the event as “abnormal withdrawal activity.” Oh Kyung-seok, CEO of Dunamu, the parent company of Upbit, apologized for the inconvenience and announced that the entire amount exposed to the theft would be covered by Upbit’s holdings and that the platform would reimburse affected users as soon as the investigation is over.
An official at Dunamu said that the company was currently investigating the cause and scale of the asset outflow. The cybercrime investigation team of South Korea’s National Police Agency has been assigned to the case. The agency did not share any details and declined further comment because the case is sensitive and active.
Yonhap also reported that a security expert commented that after the hacking, the money had been moved to another exchange wallet, and then mixing (money laundering) had occurred, which could be seen as a method used by the Lazarus organization. He stated that if mixing occurred, the transaction became untraceable, and since mixing was impossible in countries that were members of the Financial Action Task Force (FATF), North Korea likely did this.
According to recent updates, Upbit has found a critical wallet flaw in connection with the recent hack but has not yet confirmed that it caused the $30 million theft. They believe that the North Korean Lazarus group exploited this private key vulnerability to access tokens like SOL, USDC, and ORCA. Oh Kyung-seok officially confirmed that they had analyzed numerous Upbit wallet transactions publicly disclosed on the blockchain and had discovered a security vulnerability that had allowed them to deduce private keys (a type of password that allows access to blockchain wallet addresses and assets). He stated that they had addressed this vulnerability.
