Upbit Suffers ~$30M Hack, Suspected Involvement Tied to Lazarus Group

Upbit, South Korea’s largest cryptocurrency exchange, suffered a major security breach in which approximately 44.5 billion South Korean won (around $30 million USD) in Solana-based tokens was drained from its hot wallet.

The incident occurred at approximately 4:42 a.m. local time, prompting Upbit to immediately suspend all deposits and withdrawals for emergency maintenance.

This marks the second major hack for Upbit in its history, eerily timed on the sixth anniversary of a 2019 breach that stole 342,000 ETH worth about $50 million at the time, now over $1 billion.

Suspected Involvement of North Korea’s Lazarus Group

South Korean authorities, including government and business sources, strongly suspect that the Lazarus Group, a notorious state-sponsored hacking collective linked to North Korea’s Reconnaissance General Bureau spy agency, is behind the attack.

The breach, an exploitation of a hot wallet vulnerability on the Solana network, mirrors tactics used in the 2019 Upbit hack, which was definitively attributed to Lazarus.

On-chain analysis shows the stolen assets were quickly swapped for Wrapped Solana (WSOL) and SOL, then scattered across 185 wallets, bridged to Ethereum, and partially laundered via mixers.

About $1.6 million in LAYER tokens has already been frozen, with ongoing tracing efforts. Blockchain security firms like CertiK have noted the “speed and scale” of the withdrawals as reminiscent of prior Lazarus operations, though they do not yet have definitive on-chain proof.

The U.S. FBI has long described Lazarus as one of the world’s most advanced persistent cyber threats, responsible for stealing over $2 billion in crypto in 2025 alone to fund North Korea’s nuclear and weapons programs.

Recent Lazarus-linked incidents include a $1.5 billion Ethereum theft from ByBit in February 2025 and a $44 million breach at India’s CoinDCX in June. South Korean officials are conducting an on-site investigation at Upbit’s facilities, focusing on system inspections and potential ties to North Korean intelligence.

Upbit operator Dunamu has pledged to fully reimburse affected users using its own corporate assets, ensuring no direct losses for customers. They’ve also moved remaining funds offline and frozen traceable wallets.

The hack coincides with Dunamu facing a record 35.2 billion won ($25 million) fine for past compliance failures, including inadequate customer due diligence on 5.3 million accounts and unblocked unauthorized transactions.

This has delayed Virtual Asset Service Provider (VASP) license renewals for Upbit and other Korean exchanges. A three-month partial business suspension is under appeal. The breach hit just hours before Naver, South Korea’s internet giant, announced a $10.3 billion all-stock acquisition of Dunamu, raising doubts about the deal’s viability amid heightened scrutiny.

The crypto community on X is buzzing with concern over exchange security and geopolitical risks. Recent posts highlight:

Warnings about Lazarus’s persistence: “Lazarus continues to be suspected… everything points to Lazarus” from Vietnamese crypto analyst GFIResearch.

Upbit hit with a $32M hack… North Korea’s Lazarus Group suspected. “Is this just another hack… or a wake-up call for the entire exchange ecosystem?”

Multiple threads link the hack to the Dunamu-Naver deal, with one calling it a “K-drama twist”.

This incident underscores ongoing vulnerabilities in crypto infrastructure, especially amid rising state-sponsored attacks. As investigations continue, expect tighter regulations in South Korea and global calls for enhanced wallet security.
