In a significant breach of security, South Korean authorities have identified the infamous Lazarus Group as the primary suspect behind a recent hack of Upbit, the nation's largest cryptocurrency exchange. This incident, occurring on November 27, 2025, resulted in the theft of approximately 44.5 billion won (about $30 million) in assets linked to Solana, marking a troubling recurrence of cyberattacks on the exchange.
The attack is notable not only for its scale but also for its timing, coinciding with a major corporate merger announcement by Upbit's parent company, Dunamu, and Naver, one of South Korea's leading internet conglomerates. This has raised eyebrows within the industry, as Lazarus has been known to exploit periods of organizational change.
Preliminary investigations by the Ministry of Science and ICT, along with financial regulators, suggest a methodical approach by the attackers. Unlike the past breach in 2019, which occurred on the same calendar date, this latest incident did not involve a compromise of core servers. Instead, investigators believe that the attackers gained access to administrator accounts or impersonated internal personnel, enabling them to approve unauthorized transfers without triggering immediate security alerts.
In response to the breach, Upbit has confirmed the losses and assured users that it will fully reimburse the stolen amount using company reserves. To safeguard its operations, the exchange has suspended all deposits and withdrawals while conducting a comprehensive review of its internal systems. The firm has emphasized that user balances remain unaffected and that day-to-day operations will continue without disruption.
The recurrence of this attack on the same date and the similar operational tactics used by Lazarus further solidify suspicions that this North Korean cybercrime unit is behind the incident. As the investigation continues, authorities are closely analyzing wallet movements and internal authorization logs to gather more insights and prevent future breaches. Upbit is actively collaborating with regulators and cybersecurity teams to enhance its defenses against potential threats.