In brief
- Upbit reported about $36 million drained from its Solana hot wallet on Thursday.
- Local reporting indicates officials link the theft to Lazarus and plan an on-site probe.
- Dunamu, its operator, has frozen wallets, moved funds offline, and pledged full reimbursement for victims as inquiries continue.
South Korean authorities now suspect North Korea’s Lazarus Group was behind the Upbit breach on Thursday, according to a Yonhap report released Friday, with investigators preparing an on-site probe at the exchange.
The development follows Upbit’s disclosure on Thursday that irregular withdrawals on the Solana network drained roughly $36 million across multiple tokens, prompting Upbit to freeze affected wallets, move remaining funds offline, and commit to fully reimbursing customers.
“The abnormal withdrawals occurred from hot wallets. The cold wallets were not subjected to any breach or theft,” a spokesperson from Dunamu, Upbit’s operating company, told Decrypt following the incident, confirming that all assets were transferred to cold wallets “to prevent any additional withdrawal” and that the exchange was “taking on-chain measures to freeze transactions.”
The company has also “reported the occurrence of the abnormal withdrawals to the relevant authorities,” in accordance with local laws, and is “currently investigating the cause and scale of the outflows,” the spokesperson added.
Decrypt has reached out separately to ask Upbit whether it could confirm or believes the suspected group is behind the attack.
A representative from PeckShield, the blockchain security firm that first shared Upbit’s disclosure regarding the anomalous withdrawals on Thursday, told Decrypt that it did not have a comment “regarding the actor behind it,” as well as any “concrete evidence regarding the investigation yet.”
CertiK, another blockchain security firm, maintains an analytics dashboard on Upbit through its Skynet program.
The firm “followed the fund flow of over 100 exploiter addresses on Solana,” and observed that “the speed and scale of withdrawals are reminiscent of previous Lazarus-related attacks,” although it does not have “definitive evidence on the chain yet,” a representative from CertiK told Decrypt, adding that it will continue to monitor the fund movement “to see if they trace to Lazarus-related laundering network.”
The Lazarus Group is a North Korean state-linked hacking outfit long tied to high-impact crypto thefts. The group has been linked to major exploits targeting exchanges, decentralized finance protocols, and infrastructure providers.
In February, blockchain data platform Arkham Intelligence attributed the Bybit hack to Lazarus. The hack ranked as the largest single theft operation, resulting in over $1.4 billion in losses.
Over the years, Lazarus has repeatedly employed a variety of tactics, moving from exchange intrusions to supply chain attacks and even the compromise of developer environments.
The group has also been known to deploy custom malware clusters stealing crypto, social engineering lures, and massive laundering infrastructure, routing stolen crypto through mixers and bridges across different chains.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
