
South Korean investigators attribute the theft of $30 million from Upbit to the North Korean hacking group Lazarus.
Local authorities have identified digital traces directly linking the Lazarus Group, the infamous hacking organization associated with the North Korean regime, to the recent breach suffered by Upbit. The incident, which resulted in the theft of approximately $30.4 million in tokens from the Solana network, has triggered an unprecedented police mobilization and put the region's financial infrastructure and the crypto market on high alert.
As this publication reported, the attack on Upbit was not a random act. According to initial reports, which were confirmed by the exchange, hackers gained access to Upbit's hot wallet—the online wallet used for daily trading and quick withdrawals—and stole more than 20 types of Solana tokens. This indicates a highly sophisticated attack with in-depth knowledge of the platform's inner workings.
Now, South Korean police say the operation bears the characteristic technical signature of Lazarus, which has made cryptocurrency exchanges its ATM to evade international sanctions.
Lazarus Group's sophisticated attack on Upbit
According to authorities, this attack is distinguished by the sophistication of its exfiltration and money laundering phases, as the attackers not only stole the assets but also executed an immediate obfuscation maneuver. After gaining access to the funds, they quickly converted the loot to Ethereum, leveraging the network's liquidity to disseminate the money through multiple unknown wallets.
With this "chain-hopping" technique, hackers sought to break the traceability of transactions, complicating the work of forensic analysts trying to track the money in real time.
The on-site investigation, according to reports from Yonhap News, South Korea's main news agency, is being conducted by security forces at Upbit's offices and seeks to clarify how the exchange's first line of defense was breached.
Current hypotheses consider disturbing scenarios, from the exploitation of technical vulnerabilities to the possibility of advanced social engineering. It is suspected that the hackers may have compromised administrator credentials or even operated under the guise of authorized personnel to validate the illicit transfers.
For the authorities, this modus operandi resonates with unsettling familiarity in the halls of Upbit. Researchers have noted almost identical parallels with the massive attack the platform suffered in 2019, where hundreds of thousands of ETH vanished. The repetition of tactics suggests that the Lazarus Group not only recycles successful strategies but also maintains constant surveillance over the critical infrastructure of its southern neighbor, waiting for the slightest crack to strike.
Corporate protection against the crisis
Given the magnitude of the incident, the institutional response has been decisive in preventing a loss of investor confidence. Dunamu, the parent company that operates Upbit, took the drastic but necessary step of temporarily suspending deposits and withdrawals, a standard containment measure to prevent further losses while the extent of the damage was assessed. However, the most significant move has been financial.
The company has publicly committed to covering all losses using its own corporate reserves. This promise of full reimbursement aims to send a message of solvency and responsibility to users, who will not bear the cost of the security breach.
Meanwhile, collaboration with other ecosystem players has begun to bear fruit. The successful freezing of a portion of the stolen assets has been reported, specifically approximately $8 million in LAYER tokens, demonstrating that the industry's response to blacklists and blocks is now more agile than in previous years.

