South Korean investigators deepen Upbit hack probe as Lazarus Group link strengthens

South Korean regulators are intensifying scrutiny of the Upbit hack as investigators connect the incident to a broader pattern of North Korean cyber operations, well-known as Lazarus Group.

What do South Korean authorities say about the Upbit incident?

South Korean authorities now suspect that North Korea’s Lazarus Group executed the recent attack on Upbit, one of the country’s largest cryptocurrency exchanges. According to a report by YONHAP NEWS AGENCY, the breach resulted in the theft of approximately 44.5 billion won ($30.4 million). The incident surfaced after the platform detected suspicious activity affecting customer assets.

Officials noted that confidence in Lazarus’s involvement has grown as the investigation progressed. Moreover, they emphasized that the scale and sophistication of the theft resemble earlier operations linked to North Korean actors. Authorities are coordinating with domestic cybersecurity teams and international partners to verify the attribution and recover as many funds as possible.

How did Upbit detect the abnormal activity?

On Thursday, Upbit identified unusual withdrawals involving Solana-based crypto assets. In response, the exchange halted all deposit and withdrawal services, aiming to contain any further outflows. The platform quickly launched an internal review to trace the origin of the transfers, which involved substantial sums across several wallets.

Initially, the company reported losses of 54 billion won ($36.8 million). However, after further reconciliation, that figure was revised down to 44.5 billion won ($30.4 million). Upbit’s rapid suspension of services helped limit additional damage. That said, the incident triggered renewed concerns about cryptocurrency exchange security in South Korea’s fast-growing digital asset market.

Why is Lazarus Group suspected in the Upbit exchange hack?

Investigators highlight clear similarities between this latest theft and a major incident that struck Upbit in 2019. That earlier attack, which South Korean police also attributed to Lazarus, led to the loss of 342,000 ETH. Moreover, both operations involved large-scale crypto outflows executed in a short time frame.

Authorities believe the hackers may have compromised administrator accounts or impersonated internal staff to authorize withdrawals. These intrusion techniques align with previously documented lazarus group attribution patterns. “We are closely inspecting the situation to confirm whether Lazarus is involved,” a government official stated, underscoring that the inquiry remains active.

How is blockchain analysis tracing the stolen funds?

Investigators are focusing heavily on blockchain analysis tracing to follow the movement of the stolen assets. On-chain data shows that the hacker’s wallet swapped Solana tokens for USDC, a leading stablecoin. The funds were then moved via an USDC bridge to the Ethereum network, a typical tactic used to obscure transaction trails.

Blockchain analytics provider Dethective flagged a series of addresses and transaction patterns matching the timeline of the attack. Furthermore, the routing and conversion behavior mirrors strategies seen in previous Lazarus-linked campaigns. This overlap has reinforced investigators’ working theory that the same state-backed group is behind the new Upbit incident.

What are the implications of the Upbit security breach for users?

The latest upbit security breach has raised hard questions about how crypto platforms protect customer assets amid escalating cyber threats. While Upbit’s swift response limited the overall loss, users remain concerned about potential future incidents. Moreover, the recurrence of an attack resembling the 2019 theft has intensified calls for stronger oversight and technical standards.

Regulators are expected to review internal control requirements for trading venues, especially around admin account management and real-time monitoring of large transfers. Exchanges may face pressure to increase cold storage ratios, upgrade multi-signature schemes, and enhance incident disclosure practices to rebuild user confidence.

How does the Naver Financial merger affect the fallout from the hack?

The recent Upbit hack coincided with a strategic announcement from Naver Financial. The company confirmed its plan to merge with Dunamu, the operator of Upbit, and integrate it as a subsidiary. This move aims to strengthen Naver Financial’s position in the digital asset and fintech sectors, despite the ongoing investigation.

Market observers note that the naver financial merger could provide Upbit with greater resources to bolster its security stack. However, it also increases scrutiny on both entities to demonstrate robust risk management. In particular, investors will watch how the combined group addresses vulnerabilities exposed by the attack.

What is next for Upbit after the hack?

Despite the turmoil, Upbit is pressing ahead with its long-term growth strategy alongside Naver Financial. The integration is expected to expand Upbit’s technical capacity, liquidity access, and compliance infrastructure. That said, the platform must now prove it can prevent another high-profile breach while operating at larger scale.

In summary, South Korean authorities are tightening their probe into the Upbit hack, using detailed on-chain forensics and historical patterns to support a likely connection to Lazarus Group. The outcome of this investigation, combined with the merger’s completion, will shape how users and regulators view the exchange’s resilience in an increasingly hostile cyber environment.