A major security breach occurred on Thursday at Upbit, South Korea’s largest cryptocurrency exchange, resulting in the theft of approximately 44.5 billion KRW (approximately 33.37 million USD) worth of digital assets.
While specifics about the wallets and IP addresses involved in the attack remain undisclosed, analysts suggest this could be the work of sophisticated state-sponsored actors, with North Korea being a prime suspect.
Dunamu, Upbit’s operator, reported that as of 4:42 AM, assets valued at 44.5 billion KRW (approximately 33.37 million USD) were siphoned from the Solana network. The company has notified relevant authorities about the unauthorized withdrawal in compliance with legal protocols.
The incident is currently under investigation by key security agencies, including the Korea Internet & Security Agency (KISA) and the Financial Security Institute.
A KISA spokesperson stated that the perpetrators have not yet been identified.
However, cybersecurity experts concur that given Upbit’s robust security measures and regular vulnerability patching, this attack must be the work of highly skilled hackers.
The possibility of North Korean involvement, potentially seeking funds for political purposes, cannot be dismissed.
Professor Hwang Seok Jin of Dongguk University’s Graduate School of International Information Security noted that six years ago, an attack attributed to North Korea’s Lazarus Group resulted in the theft of about 58 billion KRW (approximately 43.5 million USD) in cryptocurrency from Upbit. He said that while the specifics of the latest fund transfers still need to be verified, the timing and circumstances appear suspiciously similar.
However, he cautioned that some hacker groups deliberately mimic North Korean tactics or signatures to mislead investigators. He noted that when North Korea is suspected, law enforcement agencies sometimes slow or halt pursuit, which can encourage such deception.
Professor Yeom Heung Yeol of Soonchunhyang University also suggested that a state-backed group is likely behind the breach. He argued that compromising both the exchange and private keys requires a level of sophistication beyond that of typical cybercriminals.
Yeom explained that Upbit uses a multi-signature system that requires both exchange and private keys to move funds. By obtaining these, attackers can transfer assets from the hot wallet, the exchange’s online storage, to external addresses.
After a theft, hackers typically use mixing techniques, breaking up and recombining funds across multiple wallets to make tracing more difficult.
Yeom added that U.S. law enforcement agencies, including the FBI, believe North Korean hacking groups target cryptocurrencies to help finance the country’s nuclear weapons program.
Experts stress that swift international cooperation is critical to limiting the damage. Authorities must act quickly to freeze compromised wallets and block efforts to convert the stolen cryptocurrency into cash.
Dunamu has sought to reassure users, saying it will fully cover the losses with Upbit’s own assets so that customers do not suffer financial harm from the incident.