
In short
- Upbit reported on Thursday that approximately $36 million had been withdrawn from its Solana hot wallet.
- Local reports indicate that officials are linking the theft to Lazarus and are planning an on-site investigation.
- Dunamu, the operator, has frozen wallets, taken funds offline and promised full refunds to victims as investigations continue.
South Korean authorities now suspect that the North Korean Lazarus Group was behind Thursday's Upbit breach, according to a Yonhap report released Friday, with investigators preparing an on-site investigation at the exchange.
The development follows Upbit's revelation on Thursday that irregular withdrawals on the Solana network drained about $36 million worth of multiple tokens, prompting Upbit to freeze the affected wallets, take the remaining funds offline and commit to fully refunding customers.
"The abnormal withdrawals occurred from hot wallets. The cold wallets were not subject to any breach or theft," a spokesperson for Dunamu, Upbit's operating company, told Decrypt. Following the incident, the company confirmed that all assets had been moved to cold wallets "to prevent further withdrawals" and that the exchange "took on-chain measures to freeze transactions."
The company has also “reported the occurrence of the abnormal withdrawals to the relevant authorities,” in accordance with local law, and is “currently investigating the cause and extent of the outflow,” the spokesperson added.
Decrypt has separately reached out to Upbit to ask whether it can confirm, or believes, that the suspected group is behind the attack.
A representative from PeckShield, the blockchain security company that was among the first to share Upbit's disclosure of the anomalous withdrawals on Thursday, told Decrypt that it had no comment yet "about the actor behind it," nor "concrete evidence regarding the investigation."
CertiK, another blockchain security company, maintains an analytics dashboard on Upbit through its Skynet program.
The company "tracked the flow of funds from more than 100 operator addresses on Solana" and noted that "the speed and scale of the withdrawals are reminiscent of previous Lazarus-related attacks," although it does not yet have "definitive on-chain evidence," a CertiK representative told Decrypt, adding that it will continue to monitor the fund movements "to see if they can be traced back to the Lazarus-related money laundering network."
The Lazarus group is a North Korean state-affiliated hacking organization that has long been linked to high-impact crypto thefts. The group has been linked to major exploits targeting exchanges, decentralized finance protocols and infrastructure providers.
In February, blockchain data platform Arkham Intelligence attributed the Bybit hack to Lazarus. That hack has been ranked as the largest crypto theft on record, resulting in a loss of more than $1.4 billion.
Over the years, Lazarus has employed a variety of tactics, ranging from exchange heists to supply-chain attacks and even the compromise of developer environments.
The group is also known to deploy custom crypto-stealing malware, social engineering lures, and extensive money-laundering infrastructure that routes stolen crypto through mixers and cross-chain bridges.

