Suspected North Korean Cybercrime Group Behind $30.6 Million Upbit Hack

3 days ago

The Lazarus Group and the Upbit Breach

The Lazarus Group, a notorious cybercrime organization reportedly linked to North Korea, has been identified as a potential actor behind a significant breach at Upbit, South Korea’s largest cryptocurrency exchange, resulting in the theft of approximately $30.6 million. As investigations unfold, financial regulators are preparing to conduct an on-site evaluation of Upbit following evidence suggesting that the attack mirrors previous incidents attributed to Lazarus, according to Yonhap News, which cited sources from both governmental and private sectors.

Details of the Breach

Upbit’s operator, Dunamu, announced on Thursday that approximately 44.5 billion won in Solana-associated assets were illicitly transferred to an unauthorized wallet. In response to the breach, Dunamu has pledged to fully reimburse its users from company reserves and has promptly suspended withdrawal and deposit activities to conduct thorough internal audits.

Investigators noted that the methods used in this recent breach bear a striking resemblance to an incident from 2019, in which hackers reportedly siphoned off 58 billion won in Ethereum from the same exchange. Authorities suspect the hackers may have compromised internal accounts or impersonated system administrators to manipulate the withdrawal process more effectively. Security experts observed that the stolen assets were quickly funneled through various wallets linked to other platforms, a tactic indicative of Lazarus’s historical approach to obfuscating transaction trails.

“Their customary strategy involves dispersing tokens across multiple networks to evade tracking measures,” remarked a security official.

Analysts suggested that the strategic targeting of prominent cryptocurrency exchange platforms by Lazarus aims to maximize financial impact and media coverage, hinting at a calculated move to capitalize on increased public interest in cryptocurrency.

Implications for South Korea

In the wake of this cyberattack, South Korea is reconsidering its sanctions against North Korea, especially after U.S. sanctions highlighted the connection between Pyongyang’s cryptocurrency thefts and its financing of weapons programs. Second Vice Foreign Minister Kim Ji-na emphasized the need for coordination with the United States to combat the cyber and digital threats posed by North Korea, stating:

“In instances of cryptocurrency theft orchestrated by Pyongyang, U.S.-South Korea coordination is crucial, as these funds may finance North Korea’s missile and nuclear ambitions and threaten our digital security.”

Context of the Breach

Notably, this cyber breach occurred just a day after Naver, a major player in the South Korean tech industry, announced plans to acquire Dunamu in a share-swap arrangement, drawing significant attention to the exchange. Further adding to Naver’s initiatives, its fintech subsidiary is set to launch a stablecoin wallet in Busan next month, a move aligned with the city’s ambition to advance a blockchain-based economy. This digital wallet project, developed in collaboration with venture capital firm Hashed and the Busan Digital Asset Exchange (BDAN), is currently undergoing final evaluations as the launch approaches.