North Korean fingerprints on $30 million hack of South Korea's largest cryptocurrency exchange, says Seoul
Published: 28 Nov. 2025, 14:39
Updated: 30 Nov. 2025, 17:07
The price of Bitcoin is displayed on an electronic board at Upbit’s customer center in Gangnam District, southern Seoul, on Nov. 5. [NEWS1]
Regulators are investigating a 44.5 billion won ($30 million) hack at Upbit, Korea’s largest cryptocurrency exchange, with early evidence pointing to Lazarus, the North Korean hacking unit blamed for major digital heists worldwide.
Teams from the Ministry of Science and ICT and financial authorities launched an on-site inspection at Upbit after concluding the attack likely came from the Lazarus Group, which is linked to North Korea’s General Reconnaissance Information Bureau, according to government and industry officials on Friday. The bureau is a North Korean intelligence agency that manages Pyongyang's clandestine operations.
Lazarus was also tied to a 58 billion won theft of Ethereum from Upbit in 2019. Both breaches involved a hot wallet connected to the internet.
“It is more likely that the hackers stole an administrator account or impersonated an administrator to transfer funds rather than attacking the server,” a government official said. “Because the attack six years ago used that method, we see it as the most plausible scenario [at this point].”
Security analysts say the final determination will depend on the investigation, but note that North Korea faces a severe shortage of foreign currency, raising the likelihood it targeted the exchange again.
"The hackers hopped the stolen assets to wallets at other exchanges and carried out mixing, which points to Lazarus’ methods," one cybersecurity expert said.
"Once mixing occurs, transactions become impossible to trace, but countries that follow Financial Action Task Force rules do not allow mixing, so this increases the likelihood it was North Korea," the expert added.
Passersby walk across Naver’s headquarters in Seongnam, Gyeonggi, on Nov. 27. Naver and Dunamu, operator of Upbit, announced a planned group merger during a joint press conference at Naver's office the same day. [YONHAP]
The hack occurred on Thursday, the same day Naver Financial and Upbit operator Dunamu held a press briefing on their planned merger, a timing some analysts say may have been intentional.
The expert said “hackers often show strong tendencies toward boasting” and added “they may have chosen Thursday out of a desire to show off that they struck on the day of the merger event.”
The Financial Services Commission ruled in December last year that user transaction data held by cryptocurrency exchanges falls under the Credit Information Act. On that basis, the Financial Supervisory Service and the Financial Security Institute are conducting inspections at Upbit.
The Korea Internet and Security Agency has also deployed staff to support the probe.
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY JUNG SI-NAE




