- The Suspect: South Korea links the $30.6M Upbit hack to North Korea’s Lazarus Group.
- The Timing: The breach hit 24 hours after Naver agreed to buy Upbit’s parent for $10B.
- The Method: Hackers likely compromised admin keys, mirroring Lazarus’s 2019 tactics.
South Korean authorities have launched a high-level probe into the security breach at Upbit, with initial forensic markers pointing to North Korea’s state-sponsored Lazarus Group.
The investigation has refined the scope of the damage, confirming a loss of 44.5 billion won ($30.6 million), revised down from initial estimates of $37 million following a precise valuation of the stolen Solana assets.
Related: Upbit Confirms $37M Hack: Exchange Says It Will Cover Every Lost Dollar
The ‘Merger Chaos’ Theory
Investigators are now focused on a critical temporal anomaly: the attack commenced less than 24 hours after tech giant Naver Corp. announced a massive $10.3 billion share-swap deal to acquire Dunamu, the exchange’s parent company.
On Wednesday, Naver Financial confirmed plans to acquire Dunamu as a wholly owned subsidiary. And by Thursday morning, Upbit’s internal alarms triggered.
Related: Naver to Acquire Upbit Operator Dunamu in $10.3 Billion Stock Swap
Attackers siphoned approximately $30.6 million in Solana (SOL) and ecosystem tokens including Bonk and Jupiter, exploiting the operational friction of the corporate transition.
Forensic Signature: The Admin Key
The attack vector bears the distinct signature of the Lazarus Group’s 2019 offensive against Upbit (which resulted in a $50 million ETH loss). Rather than a complex smart contract exploit, this appears to be an “Administrator Compromise.”
Authorities reported that the latest incident showed similarities to the 2019 theft involving administrator-level compromise. According to one official, it is possible the attackers accessed or impersonated internal administrator accounts rather than breaching server infrastructure directly. This technique aligns with previous hacking patterns attributed to Lazarus, which has a documented history of targeting digital-asset platforms.
Upbit Identifies Unauthorized Solana Outflow
Dunamu, the operator of Upbit, confirmed that 44.5 billion won in Solana-affiliated digital assets were moved without authorization. However, the exchange stated that it plans to cover the full amount using its own reserves.
Upbit separately reported an outflow of 54 billion won (nearly $38 million) across multiple Solana ecosystem tokens, including Double Zero (2Z), Official Trump (TRUMP), Bonk, and Jupiter (JUP). The exchange attributed the transfers to a wallet compromise.
Following the detection of the outflow, Upbit suspended deposits and withdrawals to conduct a review of its wallets and security procedures. The exchange stated that it identified the scale of the unauthorized withdrawals immediately and would ensure no losses are passed on to customers.
Geopolitical Context: The Cash Crunch
Analysts note that Pyongyang is facing a critical shortage of foreign currency. With international sanctions tightening, the regime has historically turned to crypto theft to fund strategic objectives.
The complexity of the Upbit operation, moving funds through a high-throughput chain like Solana rather than Bitcoin, suggests an evolution in their money laundering capabilities, designed to outpace tracing tools before the stolen assets can be frozen.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
