South Korea links Upbit hack to North Korean group

Upbit Hack: South Korea Probes North Korea Link | CyberPro Magazine

South Korea is investigating a potential North Korean connection to the recent hack of the cryptocurrency exchange Upbit, which resulted in the unauthorized withdrawal of 44.5 billion won on Nov. 28 in Seoul. Authorities said they are reviewing technical evidence and internal activity records after identifying patterns that suggest a hacking group tied to North Korea may have been responsible for the incident. The withdrawal, which the exchange described as abnormal, prompted immediate scrutiny due to its scale and timing.

Suspected link to Lazarus Group

South Korean investigators are closely examining Upbit’s systems, including security logs and transaction flows. Officials said the methods used in the breach resemble techniques associated with the Lazarus Group, a hacking team linked to North Korea’s intelligence agency. The group has been connected to several cryptocurrency thefts over the past few years, and officials noted that its operations typically involve sophisticated infiltration methods.

A government official said the latest Upbit hack shared notable similarities with a 58 billion won cryptocurrency heist that occurred in 2019. That earlier case was also tied to Lazarus. The official said the structure of the breach, the technical signature left behind, and the manner in which the unauthorized withdrawal was executed aligned closely with patterns documented in previous incidents linked to the group. These parallels strengthened the suspicion that the same network of hackers may have been involved.

Authorities expand inquiry

An official at the National Police Agency’s cyber crimes team confirmed that an investigation into the Upbit hack is under way. The official declined to share additional details, noting that the case is still developing and that premature disclosure could interfere with the ongoing review. The National Intelligence Service did not respond to requests for comment regarding its involvement or assessment of the case.

Authorities said they are working to determine how the hackers accessed Upbit’s internal environment and whether the attack exploited existing vulnerabilities. The wider inquiry will include an evaluation of system logs, communication traces, and any unusual access attempts that occurred before or after the withdrawal. Officials are also assessing whether further risks remain for cryptocurrency exchanges operating in the country.

An official at Dunamu, the operator of Upbit, said the company is conducting its own analysis. “We are currently investigating the cause and scale of the asset outflow,” the official said. Dunamu has not provided additional information about user compensation or restoration measures as the investigation continues.

Corporate developments and market impact

The Upbit hack took place only hours before Naver, a major South Korean internet company, announced its acquisition of Dunamu. Upbit is the country’s largest cryptocurrency exchange by market share, and the timing of the hack drew attention within the industry. Analysts said the incident could prompt regulators to increase scrutiny of cryptocurrency platforms, particularly those handling high transaction volumes.

Authorities said they will continue monitoring cryptocurrency markets for suspicious activity and urged exchanges to strengthen internal controls and security procedures as cyber threats targeting financial platforms remain a persistent concern. The investigation remains ongoing.
