North Korea's Lazarus hackers steal $30 million from South Korean exchange

North Korea's Lazarus hacking group is suspected of stealing approximately $30.6 million in cryptocurrency from South Korea's largest digital asset exchange, Upbit. The attack marks the second major breach of the exchange by the same group since 2019 and comes amid Pyongyang's efforts to address foreign currency shortages.
North Korean state-sponsored hackers have allegedly executed a major cryptocurrency theft from South Korea's premier digital exchange, marking the latest in a series of cyber operations targeting financial institutions. The Lazarus group stands accused of stealing approximately 45 billion won ($30.6 million) from Upbit, South Korea's largest cryptocurrency platform.
Sophisticated Attack Methodology
South Korean authorities plan to conduct comprehensive on-site investigations at Upbit following the detection of unauthorized transfers totaling 44.5 billion won in Solana-based assets to external wallets. According to government officials cited by Yonhap News, the hackers likely compromised administrator accounts or impersonated authorized personnel rather than directly attacking exchange servers. The techniques employed closely resemble those used in Lazarus's 2019 breach of Upbit that resulted in 58 billion won in Ethereum losses.
Financial Motivations and Laundering Techniques
Security experts indicate the timing of the attack aligns with Pyongyang's ongoing efforts to generate foreign currency amid economic challenges and international sanctions. A security official familiar with the investigation noted that "it is the tactic of Lazarus to transfer crypto to wallets at other exchanges and attempt money laundering," adding that such methods effectively obscure transaction trails. The exchange operator Dunamu has committed to fully compensating affected users from company reserves.
Strategic Timing and Psychological Dimensions
Some analysts have suggested the hackers may have deliberately timed their operation to coincide with significant corporate developments, specifically the announcement that Naver Corporation would acquire Dunamu as a wholly-owned subsidiary through a share-swap agreement. The breach occurred just one day after this major business revelation. Security officials additionally noted the psychological dimension of such attacks, observing that "hackers have a strong tendency toward self-display" in orchestrating high-profile cyber operations.