South Korea’s regulators say North Korea’s Lazarus Group is now the prime suspect behind the ₩44.5 billion (~$32–36 million) hack on Upbit, the country’s largest crypto exchange.
Investigators say the on-chain trail looks almost identical to the group’s previous operations, including Upbit’s infamous 2019 breach.
The attack hit on November 27, triggering an immediate freeze on withdrawals and transfers. Upbit confirmed that funds vanished from one of its hot wallets, affecting several assets: SOL, USDC, BONK, JUP, and others. While the exchange says users will be fully compensated from its reserves, the incident marks another damaging blow to trust in local crypto infrastructure.
And the fingerprints are familiar.
Investigators began tracing the exploited wallet minutes after the hack. What they found matched a blueprint they’ve seen repeatedly over the past five years.
The stolen assets were:
The flow mirrors the techniques Lazarus has used in hacks across the world. Korea’s cybercrime teams pointed to “wallet-hopping patterns and mixing behavior identical to Lazarus operations,” according to local media briefings and early reporting from Crypto Times.
UPDATE: Korean authorities say North Korea’s Lazarus Group is the key suspect in Upbit’s ₩44.5B (~$32M) hack.
Investigators traced wallet-hops and mixing patterns identical to previous Lazarus ops, including Upbit’s 2019 breach.
FSS and KISA have launched an on-site… pic.twitter.com/NhJwskSv1S
— The Crypto Times (@CryptoTimes_io) November 28, 2025
Authorities say this includes the same tactics seen in the 2019 Upbit breach. At that time, $50 million in ETH disappeared using a near-identical playbook. The new attack’s precision, timing, and laundering methods only strengthened the suspicion.
Upbit classified the event as an external hack minutes after it occurred. Here’s what investigators say unfolded inside the hot wallet:
Blockchain analysts say the process was coordinated, fast, and automated, classic indicators of a large, experienced team. Upbit froze all transfers immediately after detecting abnormal withdrawals.
The exchange clarified that customer funds remain safe and fully backed. “100% covered using corporate reserves,” the platform announced, attempting to contain market panic.
Crypto watchers quickly realized something eerie:
This attack happened on November 27. On the exact same date in 2019, Upbit suffered its previous major breach.
Same day. Same holiday period. Same laundering method. Same exchange. Same suspect.
Analysts on X highlighted the coincidence, questioning whether Lazarus intentionally marks significant dates as part of its operational pattern. Some security experts cited past attacks where state-backed groups have used symbolic timing to send signals or “flex” their capabilities during major news cycles.
South Korea’s biggest exchange just got hit hard. Thursday Nov 27, Upbit froze everything after ~$36M vanished from a hot wallet (SOL, USDC, BONK, JUP, etc). Authorities are openly eyeing the infamous Lazarus Group again.
Here’s the breakdown:
The Breach
• $36M stolen from… pic.twitter.com/anHF8XHtG9
— Human & Machine (@HumanMachineAI) November 28, 2025
This year’s attack landed on the same day Upbit’s parent company, Dunamu, announced a major business merger with Naver. Local investigators claim Lazarus “likes striking on important news days,” calling the overlap suspicious rather than accidental.
South Korea’s cyber units say three major indicators point directly to Lazarus:
1. Reused Tactics From Prior Hacks
The 2019 Upbit breach followed nearly identical steps:
This new attack lines up almost line-for-line with that previous playbook.
2. North Korea’s Financial Pressure
With sanctions tightening, the DPRK has leaned more aggressively on crypto hacking as a financial pipeline. Intelligence agencies worldwide estimate Lazarus has generated hundreds of millions for the regime through cyberattacks on exchanges, bridges, and DeFi protocols.
Korean investigators say North Korea’s need for hard currency right now is “extreme,” making the timing of the attack unsurprising.
3. Behavioral Signatures
Forensic analysts pointed to wallet paths, bridge selections, obfuscation techniques, and the particular clustering style Lazarus is known for.
In past attacks, including those on Bybit, WazirX, and numerous token bridges, Lazarus used:
Every hallmark is here.
If confirmed, the Upbit incident adds to a long list of high-profile targets linked to Lazarus. Over the past few years, the group has been tied to major thefts across the crypto industry:
State-backed groups like Lazarus have become highly sophisticated players in crypto markets. Their operations involve multi-level automation, high-end exploit development, and laundering networks that run across dozens of chains.
The Upbit case underscores a growing reality:
Upbit emphasized that user funds are safe, but the psychological hit is still severe. Trust in centralized exchanges, already fragile since 2022, takes another blow each time a major platform is compromised.
Cyber experts warn that crypto infrastructure isn’t evolving as quickly as the attackers targeting it. Lazarus, backed by state resources and years of operational experience, continues to move faster than most private security teams.
As Korean authorities continue their investigation, the industry faces a difficult question:
If even the largest, most regulated exchange in the country can suffer repeated breaches from the same adversary, what does that say about the state of crypto security?
The Upbit hack highlights three trends reshaping the landscape:
The Lazarus Group, if confirmed, once again demonstrates a level of coordination and consistency unmatched by typical cybercriminals.
For Upbit, the response is swift. For users, the reassurance is welcome.
But the message behind the attack is louder than ever:
Crypto’s biggest threat isn’t retail panic or market volatility.
It’s state-sponsored entities playing a long-term, high-stakes game.