North Korean Lazarus Group Suspected in Major Upbit Security Incident

28-Nov-2025 Coindoo

Key Takeaways:

  • Upbit lost roughly 45 billion won in crypto after unauthorized transfers traced to external wallets.
  • Investigators believe attackers abused high-level administrative access, consistent with previous Lazarus-linked breaches.
  • Dunamu will reimburse all affected users while authorities conduct an on-site probe at the exchange.

The transfers — now calculated at roughly 45 billion won — were traced to external wallets shortly before authorities flagged abnormal administrative activity.

Why investigators immediately traced it to Lazarus

Officials reviewing early telemetry say the pattern of the breach looked familiar before the destination of the funds was even identified. Rather than exploiting backend infrastructure, the attackers appear to have gained high-level account authority, enabling withdrawals without attacking servers directly.

The method mirrors a well-documented 2019 incident in which the same state-linked hacking organization stole 58 billion won in ETH.

Rather than celebrating technical sophistication, analysts called the method “practical, predictable, and consistent with financially motivated cybercrime.”

Political and financial backdrop

The attack lands at a moment when North Korea is widely believed to be relying on cyber-enabled revenue for foreign currency. Intelligence groups tracking the Lazarus group say the operation aligns with an ongoing strategy: steal crypto, move assets between exchanges quickly, and launder through networks engineered to sever transaction trails from original sources.

The exchange’s operator, Dunamu, said affected users will be fully compensated using corporate reserves, guaranteeing no losses for retail account holders.

The timing raises questions, not coincidences

The breach occurred one day after Naver Corp. announced a full share-swap agreement to acquire Dunamu.

Cybersecurity analysts argue that Lazarus has a habit of targeting moments when attention is heightened around a company — not only for financial gain but also to maximize visibility.

Government officials noted that psychological elements often accompany the group’s operations, including a pattern of selecting moments that ensure the cyberattack dominates headlines.

What happens next

The Financial Supervisory Service and local investigative bodies will begin their review directly at Upbit facilities to determine how administrator-level access was obtained and whether internal processes were manipulated.

Until then, investigators are treating the breach as part of a larger campaign rather than an isolated cyber incident.

