Highlights:
- Investigators have linked Upbit’s $37M crypto heist to known tactics from North Korean hacking groups.
- Lazarus Group remains the prime suspect as South Korean officials track token movements.
- Dunamu has boosted user confidence with full reimbursement and swift controls after the breach.
South Korean authorities are preparing to open a full investigation into the $37M crypto heist after new evidence surfaced on Friday. Officials said transaction patterns from the theft matched methods seen in previous attacks linked to North Korean hackers. They also confirmed plans to enter the exchange for an on-site inspection soon. Analysts noted that the movement of stolen assets raised fresh suspicion of coordinated activity. The incident has pushed the exchange and regulators into immediate crisis mode.
BREAKING: North Korea’s Lazarus Group is suspected to be behind the $30 million hack on South Korea’s Upbit exchange.
This marks yet another attack by the notorious hacking group, which has now stolen over $6 BILLION in cryptocurrency since 2017
In 2025 alone, Lazarus has… https://t.co/bF3KqLmaQz pic.twitter.com/uMnY1dKfQj
— Budhil Vyas (@BudhilVyas) November 28, 2025
Investigators said the theft involved Solana-linked assets worth 44.5 billion won that moved to an unauthorized wallet. They added that the outflows reflected a familiar structure used in the 2019 Upbit hack. In that case, attackers took 58 billion won in Ethereum through a staged internal compromise. Officials now believe the same group may have bypassed core systems by impersonating administrators. They said this technique matched past cases tied to North Korean groups.
Officials also discovered that the hackers spread the stolen tokens across various chains within minutes. According to them, this strategy was meant to disrupt tracking patterns and slow down recovery operations. Monitors later verified swaps to USDC and subsequent transfers to Ethereum on-chain. Investigators indicated that these moves were well planned and highly prepared. They emphasized that the pattern was similar to previous cases related to North Korean cyber units.
Dunamu Moves to Reimburse Users as Lazarus Group Probe Expands
Dunamu, the operator of Upbit, confirmed the breach on Thursday and halted deposits and withdrawals. The company said it acted quickly to prevent further losses after detecting abnormal movements. It also promised users that all affected balances would be refunded in full from the company’s reserves.
Officials indicated that the new evidence reinforced the ongoing investigation of the Lazarus Group. They pointed out that breach signals matched activity observed in recent attacks in the region. Authorities also pointed to increased pressure to align with US agencies on cyber defense. This coordination would assist in monitoring stolen assets across multiple networks before they leave the region. They added that North Korea tends to generate hard currency through these schemes.
South Korean leaders again warned that stolen crypto can support Pyongyang’s weapons programs. They emphasized the need for strict vigilance across exchanges as digital threats increase. Second Vice Foreign Minister Kim Ji-na said Seoul may review its sanctions approach if needed. She stressed that strong cooperation with Washington remains a central priority. Her remarks added urgency to the expanding investigation.
Upbit’s $37M Crypto Heist Heightens Scrutiny on South Korea’s Crypto Oversight
The breach placed new pressure on regulators to evaluate internal safeguards at major trading platforms. Officials said the case revealed weaknesses that require immediate attention. Authorities warned that the latest breach could mark a wider shift in tactics.
The attack also arrived one day after Naver acquired Dunamu through a share-swap deal. This timing drew national interest as the investigation expanded. Naver Financial is also preparing to launch a stablecoin wallet in Busan next month. The firm developed the system with Hashed and the Busan Digital Asset Exchange. This rollout will now move forward under closer public scrutiny.
Naver Financial has acquired Dunamu
📑 About:
Dunamu is a South Korean fintech company that provides a wide range of services with a focus on blockchain.
🤝 Acquired by: Naver Financial pic.twitter.com/B0knXJDeQt
— LA Crypto & Research (@LA_Onchain) November 28, 2025