Investigators See Lazarus’ Hand in Upbit’s $30M Exploit

Authorities are preparing an on-site inspection, and investigators noticed strong similarities to Lazarus’ previous exploits, including Upbit’s 2019 hack. The latest breach compromised administrator credentials, and on-chain activity shows the attacker quickly converting stolen Solana assets into USDC before bridging funds to Ethereum. The incident came just one day after Naver Financial announced its acquisition of Upbit’s parent company, Dunamu. Meanwhile, DeFi protocol Balancer is moving forward with a recovery plan after its own $128 million exploit.

Lazarus Suspected in $30M Upbit Hack

North Korea’s Lazarus Group is once again under scrutiny after a major security breach at Upbit, South Korea’s largest cryptocurrency exchange, resulted in roughly 44.5 billion won ($30.4 million) in losses. According to reporting from Yonhap News Agency, authorities are now preparing an on-site inspection of the exchange as investigators are increasingly confident that the state-linked hacking collective is responsible for the attack.

Upbit said that it detected abnormal withdrawals involving certain Solana-based assets on Thursday and immediately froze deposits and withdrawals while it launched an internal investigation. The company initially estimated the loss at 54 billion won ($36.8 million) before revising the figure. Although the full scope of the incident is still under review, officials say the methods closely resemble those seen in earlier Lazarus operations, including a major 2019 breach. In that case, hackers stole 342,000 ETH from Upbit, and South Korean police later concluded that Lazarus carried out the theft.

Press release: Announcement from Upbit

According to government sources, the latest attack relied on compromised administrator credentials rather than a direct server intrusion. Investigators believe the hackers either gained access to admin accounts or successfully impersonated administrative staff to authorize the illicit transfers. This pattern matches recent Lazarus tradecraft, which increasingly favors social engineering and credential compromise over sophisticated system exploitation.

On-chain data adds even more weight to suspicions. Blockchain analysis firm Dethective reported that the wallet connected to Thursday’s theft has already begun moving stolen funds by swapping Solana tokens for USDC and bridging assets to Ethereum. This behavior is consistent with laundering techniques used in other Lazarus-linked heists.

The breach also comes at a pivotal moment for Upbit’s parent company, Dunamu. Just one day before the hack, Naver Financial announced it will acquire Dunamu as a wholly owned subsidiary as part of a strategic move. While the goal of the merger is to accelerate innovation and growth, the timing of the attack puts a spotlight on the security challenges facing South Korea’s crypto sector.

Balancer Plans $8M Payout After Exploit

Meanwhile, Balancer plans to compensate the users affected by the major exploit earlier this month, and proposed a framework to return roughly $8 million in recovered assets to liquidity providers. The reimbursement plan follows one of the largest decentralized finance breaches of the year, in which attackers drained more than $128 million from Balancer’s V2 Composable Stable Pools after exploiting a vulnerability. 

Proposal from Balancer

While around $28 million was ultimately salvaged through a combination of intervention efforts, only $8 million is available for direct distribution, as roughly $19.7 million in osETH and osGNO recovered during the incident is currently managed by StakeWise, the liquid staking protocol.

In its proposal, Balancer explained that compensation will not be socialized across the entire platform. Instead, the rescued funds will go exclusively to liquidity providers in the specific pools impacted by the exploit. Payouts will be made on a pro-rata basis according to Balancer Pool Token balances at the time the attack occurred. LPs will also receive their reimbursements in the same assets that were recovered, as part of a payment-in-kind model rather than converting the funds to a single token.
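The pro-rata, payment-in-kind distribution described above, as an added worked example that is not Balancer’s own code or proposal logic. The BPT snapshot, the recovered asset amounts and the 18-decimal round-down rule are all constructed assumptions; the function splits each recovered asset across affected LPs in proportion to their BPT balance at the attack block and keeps any rounding dust in a remainder rather than over-distributing.

```python
from decimal import Decimal, ROUND_DOWN, getcontext
from typing import Dict, Tuple

getcontext().prec = 40  # enough precision for 18-decimal token math

# Constructed snapshot (assumption): BPT balances of the affected LPs in one
# impacted pool at the block the attack occurred.
BPT_SNAPSHOT: Dict[str, Decimal] = {
    "0xLP_A": Decimal("1500"),
    "0xLP_B": Decimal("500"),
    "0xLP_C": Decimal("2000"),
}

# Constructed recovered assets (assumption) for that pool. Payment in kind:
# LPs get these exact tokens, nothing is converted to a single asset.
RECOVERED: Dict[str, Decimal] = {
    "WETH": Decimal("4.0"),
    "wstETH": Decimal("1.5"),
}


def pro_rata_in_kind(
    snapshot: Dict[str, Decimal],
    recovered: Dict[str, Decimal],
    decimals: int = 18,
) -> Tuple[Dict[str, Dict[str, Decimal]], Dict[str, Decimal]]:
    """Split every recovered asset across LPs by BPT share at the snapshot.

    Returns (payouts, remainder). payouts[lp][asset] is what that LP can
    claim; remainder[asset] is rounding dust that stays undistributed so the
    payouts never sum to more than what was actually recovered.
    """
    total_bpt = sum(snapshot.values(), Decimal(0))
    if total_bpt <= 0:
        raise ValueError("snapshot has no BPT balances to distribute against")

    quantum = Decimal(1).scaleb(-decimals)  # 1e-18 for a standard token
    payouts: Dict[str, Dict[str, Decimal]] = {lp: {} for lp in snapshot}
    remainder: Dict[str, Decimal] = {}

    for asset, amount in recovered.items():
        if amount < 0:
            raise ValueError(f"negative recovered amount for {asset}")
        distributed = Decimal(0)
        for lp, balance in snapshot.items():
            # Round down so the sum of shares can never exceed `amount`.
            share = (amount * balance / total_bpt).quantize(
                quantum, rounding=ROUND_DOWN
            )
            payouts[lp][asset] = share
            distributed += share
        remainder[asset] = amount - distributed

    return payouts, remainder


def conserved(
    recovered: Dict[str, Decimal],
    payouts: Dict[str, Dict[str, Decimal]],
    remainder: Dict[str, Decimal],
) -> bool:
    """Invariant: for every asset, payouts + dust == amount recovered."""
    for asset, amount in recovered.items():
        paid = sum((p.get(asset, Decimal(0)) for p in payouts.values()), Decimal(0))
        if paid + remainder[asset] != amount or remainder[asset] < 0:
            return False
    return True


if __name__ == "__main__":
    payouts, dust = pro_rata_in_kind(BPT_SNAPSHOT, RECOVERED)
    for lp, assets in payouts.items():
        print(lp, {a: str(v) for a, v in assets.items()})
    print("undistributed dust:", {a: str(v) for a, v in dust.items()})
    print("conserved:", conserved(RECOVERED, payouts, dust))
```

Rounding down per LP is the conservative choice for a claims contract: the treasury can never be asked to pay out more than it holds, and the dust left in `remainder` is visible rather than silently absorbed by whichever LP happened to be computed last.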

A major component of the plan involves rewarding white hat hackers who stepped in during the incident. Six white hats collectively recovered approximately $3.86 million, and under the proposal they will receive 10% bounties, with individual payouts capped at $1 million. 

The largest rescue was executed by a white hat identified only as “Anon #1,” who retrieved $2.68 million on Polygon. Security researcher Bitfinding contributed another $963,832 from Ethereum mainnet, with additional recoveries coming from Base and Arbitrum. However, the white hats who operated on Arbitrum declined their bounties because they chose not to undergo identity verification.

To claim rewards, rescuers must complete KYC identity verification and sanctions screening in accordance with Balancer’s SEAL Safe Harbor Agreement. For affected users, the proposal includes a 180-day window to claim reimbursed assets. Funds that remain unclaimed after that period will enter a dormant state.

Source: https://coinpaper.com/12723/investigators-see-lazarus-hand-in-upbit-s-30-m-exploit