TL;DR
- An attack on Upbit drained $30 million in Solana assets and replicated patterns attributed to North Korea’s Lazarus Group, according to South Korean authorities.
- The exchange confirmed that a set of administrative credentials was compromised and that the attackers executed withdrawals, converted the funds into USDC, and moved them to Ethereum.
- Authorities compare the case to the 2019 hack and say the operation relied on internal impersonation. Upbit continues its analysis and is cooperating with investigators.
Upbit is investigating an attack that drained $30 million in Solana assets and that reproduces patterns attributed to North Korea’s Lazarus Group.
The company confirmed that a set of administrative credentials was compromised and that the attackers executed anomalous withdrawals before converting the stolen tokens into USDC and moving them to Ethereum through a bridge. The incident took place one day after Naver Financial announced the full acquisition of Dunamu, the exchange’s parent company, which triggered a broader discussion about the operational security of South Korea’s largest crypto marketplace.
Was Upbit Targeted by Lazarus Again?
Authorities are preparing an on-site inspection and say the mechanics of the attack match those used in 2019, when Upbit lost 342,000 ETH in an incident that police attributed to Lazarus after months of analysis. In both cases, investigators see a systematic use of social engineering to access internal privileges, authorize transactions, and hide movements across multiple chains through fast swaps and bridges. The government’s working theory points to an operation based on impersonating administrators or taking control of internal accounts, rather than a direct intrusion into the server infrastructure.
Dunamu Will Cover All Losses
Dunamu said it will cover the entire 44.5 billion won stolen and will keep the review process open to determine the exact route of the attack. The company froze deposits and withdrawals during the initial containment phase and later revised the loss figure downward from an early, higher estimate. On-chain data shows that the attackers immediately liquidated the Solana assets, a pattern aligned with laundering practices attributed to Lazarus. Local analysts note that North Korea has intensified these operations amid severe foreign currency shortages and the need to fund state activities.
The timing of the attack fuels additional interpretations. Some specialists believe the hackers chose to strike after the announcement of the Naver Financial–Dunamu deal to maximize public attention and complicate the exchange’s initial response. Others argue that the group tends to signal its presence through operations that combine speed, volume, and recognizable on-chain signatures. Authorities believe the timing was not accidental and that it reinforces that form of implicit messaging.
Upbit continues working on its internal analysis and is collaborating with security agencies to map the movements that followed the drain.


