South Korea's largest cryptocurrency exchange, Upbit, suffered a massive hacking attack, resulting in losses of up to 44.5 billion won (approximately S$39 million). Preliminary investigations suggest the attack was likely carried out by Lazarus, a hacking group linked to North Korea's Reconnaissance General Bureau.
Upbit's parent company, Dunamu, stated that around 4:42 AM on Thursday (November 27), they discovered approximately 44.5 billion won worth of Solana-related virtual assets had been transferred to an unspecified internal wallet address. Upon confirming the unusual withdrawal, the company immediately froze the relevant wallets and prioritized protecting user assets.
South Korea's Ministry of Information and Communications Technology and the government revealed on Friday that financial regulators and the Korea Internet & Security Agency have dispatched an investigation team to conduct an emergency on-site inspection of Upbit.
Notably, on the same day six years ago, November 27, 2019, Upbit's hot wallet was also embroiled in a cryptocurrency theft, with South Korean intelligence at the time also pointing the finger at Lazarus.
A South Korean government security official pointed out, "Rather than a server intrusion, it's more accurate to say that hackers gained or forged administrator privileges to transfer funds. The indications are highly similar to the attack pattern seen in 2019."
The timing of this incident has also raised serious concerns within the industry. Just one day before the attack, Dunamu announced a merger agreement with South Korean payment platform Naver Financial, releasing the news publicly on Thursday morning. Experts believe the hackers may have deliberately chosen to disrupt the market during a major business event to trigger greater social and market panic.
Hwang Seok-jin, a professor at the Graduate School of International Intelligence and Security at Dongguk University, pointed out: “Upbit’s security system is already at the highest level in South Korea. If it was still breached, it can only mean that the attackers possess extremely strong capabilities. The fact that an attack occurred on the same day six years ago, and in the same manner, is difficult to dismiss as a coincidence.”
He emphasized: “Following the 2019 incident, the overall security architecture should have been thoroughly strengthened. However, if the same vulnerability still exists, Upbit must bear corresponding responsibility, and the government also needs to re-examine the virtual asset regulatory system.”
A recent report from a multilateral sanctions monitoring agency shows that from 2024 to September 2025, North Korean hackers stole approximately US$2.037 billion (approximately S$2.6 billion) in cryptocurrency, with US$1.18 billion stolen from January to September this year alone. The stolen assets primarily flowed into China, Russia, and Cambodia, where they were laundered through over-the-counter transactions and shell accounts. The report warns that cryptocurrencies have become a major source of foreign exchange for North Korea to circumvent sanctions and support its nuclear missile program.

