Lazarus Group may be behind cyberattack on Upbit crypto exchange

12:46 pm, November 28, 2025

South Korean authorities suspect that the hacker group Lazarus, linked to North Korea, is behind the recent cyberattack on the Upbit crypto exchange. According to the Yonhap news agency, law enforcement officials are preparing an on-site inspection of the exchange after about $36 million was stolen from the Solana hot wallet.

The incident occurred on November 27, when Upbit detected "abnormal withdrawals" from a number of accounts. The exchange operator Dunamu immediately froze the affected wallets, transferred the remaining assets to cold storage, and promised to fully compensate users. A company representative confirmed that the cold wallets were not hacked, and all operations are now under control.

Cybersecurity company PeckShield was among the first to report the attack, but it did not comment on the involvement of a specific group. Another firm, CertiK, said it had analyzed more than 100 addresses on the Solana network linked to the hacker and noticed a "characteristic speed and scale" of withdrawals similar to previous Lazarus attacks, although no definitive evidence is available.

The Lazarus group, believed to be linked to the North Korean government, has a long history of large-scale cyberattacks on crypto exchanges, DeFi protocols, and infrastructure services. In February 2025, the Arkham Intelligence analytical platform attributed to this group the hack of the Bybit exchange, which resulted in the theft of more than $1.4 billion. Lazarus is known for using sophisticated techniques ranging from phishing attacks and code infections to the use of networks for laundering stolen crypto assets.

After the incident, Upbit reported the theft to the relevant government authorities and launched an internal investigation. So far, the exchange has not officially confirmed that the Lazarus group was involved in the attack, but Seoul considers this scenario to be the most likely and is preparing a full-scale investigation.
