North Korean state-linked hackers known as Lazarus are suspected of stealing cryptocurrency from the South Korean exchange Upbit. Authorities in South Korea said that unauthorised withdrawals amounted to about USD 30 million. The exchange detected the withdrawals on a Thursday and began working with regulators to identify the source of the breach. Investigators examining the event said the method used in the intrusion resembles a previous attack on Upbit in 2019.
The hackers removed digital assets from the exchange and transferred the funds through several cryptocurrency wallets. The rapid movement of the stolen funds has made it difficult to recover the assets. The pattern of movements observed after the theft reflects behaviour described in earlier cases linked to Lazarus, including fast transfers between wallets and the use of multiple intermediary accounts.
Upbit reported the intrusion soon after identifying the unauthorised transactions. The company began reviewing internal access controls and transaction logs to determine how the attackers gained entry. It has not yet released details about the point of entry. The incident prompted questions about whether the attackers used compromised credentials or took advantage of weaknesses in account access systems.
Lazarus has been associated with large-scale cryptocurrency thefts for several years. Past incidents linked to the group include the loss of digital assets from other exchanges and from blockchain-based services. The suspected motive in these incidents is the acquisition of foreign currency for the North Korean government, which faces international sanctions that restrict financial activity.
The 2019 breach involving Upbit resulted in the loss of about USD 40 million. Authorities noted that the activity observed in the latest case shares characteristics with that earlier event. These similarities have contributed to the suspicion that the same group carried out the recent theft.
Following public reports of the intrusion, the share price of Upbit’s parent company declined. Investors reacted to concerns about possible regulatory consequences and the effect on customer trust. Upbit said it is continuing to strengthen internal measures and that it is cooperating with government agencies during the investigation.
Authorities are reviewing blockchain records and tracing the movement of funds to identify the wallets involved. Past investigations involving Lazarus have shown that the group frequently distributes stolen funds through many addresses to obscure the path of the funds. This tactic can complicate efforts to identify where the funds are ultimately stored.
Users of cryptocurrency exchanges are advised to remain cautious about where they store their assets. Holding funds in exchange-based wallets can expose users to losses if a platform is compromised. Cold storage options protect the assets of users who do not need immediate access to them.
The suspected involvement of Lazarus in the Upbit theft underscores the scale of operations carried out by state-linked hacking groups. Theft of digital assets remains a significant threat to cryptocurrency markets and to users who store assets on centralised platforms.
