Korean Authorities Point to Lazarus Group in Upbit’s ₩44.5B Hack

South Korea’s regulators say North Korea’s Lazarus Group is now the prime suspect behind the ₩44.5 billion (~$32–36 million) hack on Upbit, the country’s largest crypto exchange.

Investigators say the on-chain trail looks almost identical to the group’s previous operations, including Upbit’s infamous 2019 breach.

The attack hit on November 27, triggering an immediate freeze on withdrawals and transfers. Upbit confirmed that funds vanished from one of its hot wallets, affecting several assets, SOL, USDC, BONK, JUP, and others. While the exchange says users will be fully compensated from its reserves, the incident marks another damaging blow to trust in local crypto infrastructure.

And the fingerprints are familiar.

A Pattern Authorities Know Too Well

Investigators began tracing the exploited wallet minutes after the hack. What they found matched a blueprint they’ve seen repeatedly over the past five years.

The stolen assets were:

•  Swapped instantly on Jupiter and Raydium
•  Split across more than 200 wallets
•  Bridged through Wormhole
•  Pushed into a laundering cycle resembling mixer-style dispersion

The flow mirrors the techniques Lazarus has used in hacks across the world. Korea’s cybercrime teams pointed to “wallet-hopping patterns and mixing behavior identical to Lazarus operations,” according to local media briefings and early reporting from Crypto Times.

🚨UPDATE: Korean authorities say North Korea’s Lazarus Group is the key suspect in Upbit’s ₩44.5B (~$32M) hack.

Investigators traced wallet-hops and mixing patterns identical to previous Lazarus ops, including Upbit’s 2019 breach.

FSS and KISA have launched an on-site… pic.twitter.com/NhJwskSv1S

— The Crypto Times (@CryptoTimes_io) November 28, 2025

Authorities say this includes the same tactics seen in the 2019 Upbit breach, at that time, $50 million in ETH disappeared using a near-identical playbook. The new attack’s precision, timing, and laundering methods only strengthened the suspicion.

The $36M Breach: What Happened

Upbit classified the event as an external hack minutes after it occurred. Here’s what investigators say unfolded inside the hot wallet:

•  ₩44.5B (~$36M) drained almost instantly
•  Assets swapped across DEXes to obscure origin
•  Funds fragmented into hundreds of small wallets
•  Movement funneled through the Wormhole bridge
•  Subsequent dispersion into mixer paths

Blockchain analysts say the process was coordinated, fast, and automated, classic indicators of a large, experienced team. Upbit froze all transfers immediately after detecting abnormal withdrawals.

The exchange clarified that customer funds remain safe and fully backed. “100% covered using corporate reserves,” the platform announced, attempting to contain market panic.

The Strange Date Coincidence Everyone Noticed

Crypto watchers quickly realized something eerie:

This attack happened on November 27. On the exact same date in 2019, Upbit suffered its previous major breach.

•  Nov 27, 2019 → $50M ETH stolen
•  Nov 27, 2024 → ~$36M hot-wallet drain

Same day. Same holiday period. Same laundering method. Same exchange. Same suspect.

Analysts on X highlighted the coincidence, questioning whether Lazarus intentionally marks significant dates as part of its operational pattern. Some security experts cited past attacks where state-backed groups have used symbolic timing to send signals or “flex” their capabilities during major news cycles.

South Korea’s biggest exchange just got hit hard. Thursday Nov 27, Upbit froze everything after ~$36M vanished from a hot wallet (SOL, USDC, BONK, JUP, etc). Authorities are openly eyeing the infamous Lazarus Group again.

Here’s the breakdown:

The Breach

• $36M stolen from… pic.twitter.com/anHF8XHtG9

— Human & Machine (@HumanMachineAI) November 28, 2025

This year’s attack landed on the same day Upbit’s parent company, Dunamu, announced a major business merger with Naver. Local investigators claim Lazarus “likes striking on important news days,” calling the overlap suspicious rather than accidental.

Why Lazarus Is the Primary Suspect

South Korea’s cyber units say three major indicators point directly to Lazarus:

1. Reused Tactics From Prior Hacks

The 2019 Upbit breach followed nearly identical steps:

•  Admin impersonation
•  Holiday timing
•  Hot-wallet drain disguised as a transfer
•  Immediate DEX and cross-chain moves
•  Multi-layer wallet splitting

This new attack lines up almost line-for-line with that previous playbook.

2. North Korea’s Financial Pressure

With sanctions tightening, the DPRK has leaned more aggressively on crypto hacking as a financial pipeline. Intelligence agencies worldwide estimate Lazarus has generated hundreds of millions for the regime through cyberattacks on exchanges, bridges, and DeFi protocols.

Korean investigators say North Korea’s need for hard currency right now is “extreme,” making the timing of the attack unsurprising.

3. Behavioral Signatures

Forensic analysts pointed to wallet paths, bridge selections, obfuscation techniques, and the particular clustering style Lazarus is known for.

In past attacks, including those on Bybit, WazirX, and numerous token bridges, Lazarus used:

•  rapid swaps to volatile tokens
•  fragmentation into 100–300 small wallets
•  cross-chain exit routes
•  mixer-like dispersion patterns to conceal origin

Every hallmark is here.

Lazarus and the Industry’s Biggest Hacks

If confirmed, the Upbit incident adds to a long list of high-profile targets linked to Lazarus. Over the past few years, the group has been tied to major thefts across the crypto industry:

•  WazirX breach
•  Bybit exploit
•  Multiple bridge hacks, including cross-chain protocols
•  Numerous attacks on centralized exchanges worldwide

State-backed groups like Lazarus have become highly sophisticated players in crypto markets. Their operations involve multi-level automation, high-end exploit development, and laundering networks that run across dozens of chains.

Is Crypto Ready for State-Level Adversaries?

The Upbit case underscores a growing reality:

• Nation-state hackers now treat crypto exchanges like high-speed ATMs.

Upbit emphasized that user funds are safe, but the psychological hit is still severe. Trust in centralized exchanges, already fragile since 2022, takes another blow each time a major platform is compromised.

Cyber experts warn that crypto infrastructure isn’t evolving as quickly as the attackers targeting it. Lazarus, backed by state resources and years of operational experience, continues to move faster than most private security teams.

The Bigger Picture: A Warning for Global Markets

As Korean authorities continue their investigation, the industry faces a difficult question:

If even the largest, most regulated exchange in the country can suffer repeated breaches from the same adversary, what does that say about the state of crypto security?

The Upbit hack highlights three trends reshaping the landscape:

•  State-backed hackers dominate the high-end attack surface
•  Cross-chain bridges are still the weakest link
•  Centralized exchange hot wallets remain prime targets

The Lazarus Group, if confirmed, once again demonstrates a level of coordination and consistency unmatched by typical cybercriminals.

For Upbit, the response is swift. For users, the reassurance is welcome.

But the message behind the attack is louder than ever:

Crypto’s biggest threat isn’t retail panic or market volatility.

It’s state-sponsored entities playing a long-term, high-stakes game.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.

Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!