Saturday, December 6, 2025

$302 Million Bank Robber: MAD Kim’s Hackers Just Wiped Out The World’s Crypto Trust

Photo shows the Upbit customer service center in Gangnam-gu, Seoul on 21 January, 2025. / News1

Upbit, South Korea’s largest cryptocurrency exchange, fell victim to a hack resulting in the theft of approximately 445 billion KRW (about 302.6 million USD) worth of Solana-related digital assets. Authorities have launched an investigation, with North Korea emerging as a primary suspect.

According to reports from officials and cybersecurity experts on November 28, the Financial Supervisory Service and the Korea Internet & Security Agency (KISA) conducted an on-site inspection of Upbit the previous day. They are seriously considering the possibility that Lazarus, a hacking group affiliated with North Korea’s Reconnaissance General Bureau, may be responsible for the attack.

The blockchain industry has also raised suspicions about North Korean involvement. Two key factors lend weight to the theory that Lazarus orchestrated this attack:

First, the hacking method bears a striking resemblance to Lazarus’s previous cryptocurrency heists. Second, the timing of the hack coincides with both the joint press conference of Dunamu (Upbit’s operator) and Naver, and the anniversary of a previous Upbit hack six years ago.

A notable example of Lazarus’s past operations is the 2022 attack on Ronin, the side blockchain platform for the popular game Axie Infinity. In that incident, Lazarus employed a strategy of draining assets from multiple hot wallets, consolidating them into a single wallet, and then dispersing them across several wallets.

In the recent Upbit hack, the perpetrators are following two main tracks to launder the stolen funds. Initially, they extracted Solana (SOL) from several Upbit wallets, pooled it into one wallet, and then distributed it across multiple wallets. These scattered Solana assets are now being funneled towards Binance, the world’s largest cryptocurrency exchange.
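The drain, consolidate, disperse pattern described above is something a monitoring team can look for in transfer data. The following is an added example, not from the original article or from Upbit: it flags consolidation wallets fed by several known exchange wallets and then checks which dispersal paths lead to a watched deposit address. All wallet labels, amounts and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, SOL, unix time); labels are made up.
TRANSFERS = [
    ("exch_hot_1", "hub_A", 1200.0, 1000),
    ("exch_hot_2", "hub_A", 800.0, 1010),
    ("exch_hot_3", "hub_A", 950.0, 1020),
    ("hub_A", "split_1", 700.0, 1100),
    ("hub_A", "split_2", 750.0, 1110),
    ("hub_A", "split_3", 720.0, 1120),
    ("hub_A", "split_4", 760.0, 1130),
    ("user_1", "user_2", 5.0, 1050),          # unrelated background traffic
    ("split_1", "cex_deposit", 700.0, 1500),  # onward hop to a watched address
]

def find_hubs(transfers, known_sources, min_in=3, min_out=3, window=3600, passthrough=0.9):
    """Flag wallets fed by >= min_in known sources that forward most of it to >= min_out wallets."""
    inflow, outflow = defaultdict(list), defaultdict(list)
    for src, dst, amt, ts in transfers:
        inflow[dst].append((src, amt, ts))
        outflow[src].append((dst, amt, ts))
    hubs = []
    for wallet, ins in inflow.items():
        tainted = [(s, a, t) for s, a, t in ins if s in known_sources]
        senders = {s for s, _, _ in tainted}
        if len(senders) < min_in:
            continue
        last_in = max(t for _, _, t in tainted)
        total_in = sum(a for _, a, _ in tainted)
        # Only count outflows within `window` seconds after the last tainted inflow.
        outs = [(d, a) for d, a, t in outflow[wallet] if last_in <= t <= last_in + window]
        receivers = {d for d, _ in outs}
        total_out = sum(a for _, a in outs)
        if len(receivers) >= min_out and total_out >= passthrough * total_in:
            hubs.append({"wallet": wallet, "sources": sorted(senders),
                         "fan_out": sorted(receivers), "forwarded": round(total_out / total_in, 3)})
    return hubs

def reaches(transfers, start_wallets, targets):
    """Return watched target wallets reachable forward from start_wallets (ignores timing)."""
    edges = defaultdict(set)
    for src, dst, _, _ in transfers:
        edges[src].add(dst)
    seen, stack = set(start_wallets), list(start_wallets)
    while stack:
        for nxt in edges[stack.pop()] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return sorted(seen & set(targets))
```
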

Upbit’s disclosure of wallet addresses reveals a predominance of Solana wallet addresses, indicating that the hackers targeted multiple Upbit Solana wallets.

The hackers are also converting 23 types of Solana-related digital assets into Wrapped Solana (SOL), with some being further exchanged for Ethereum (ETH). Wrapped Solana is a token that maintains a 1:1 peg with Solana but operates on different blockchains.

 Multiple Solana (SOL) wallets on Upbit saw Solana funds exit, consolidate into a single wallet, then disperse again into multiple wallets before heading to Binance / Reader-provided data (utilizing blockchain data firm Akam)

This consolidation of stolen funds into Solana (SOL) and Ethereum (ETH) is a typical precursor to cashing out in the world of cryptocurrency theft.

A cybersecurity expert explained that consolidating stolen assets into high market cap coins like Solana or Ethereum, which are universally listed, facilitates easier liquidation later. The hackers will likely consolidate into a major coin like Solana, then employ multiple rounds of mixing – dispersing assets across various wallets – before attempting to cash out. These days, hackers tend to liquidate their stolen assets over extended periods.

 Evidence that the Upbit hacker is exchanging the stolen USDC and ORCA tokens for Wrapped Solana (WSOL) / Screenshot from the Solana blockchain explorer SOLscan

The seemingly deliberate choice of date for the hack further fuels suspicions of North Korean involvement.

The Upbit hack occurred on November 27, mirroring the date of a previous Upbit hack in 2019 and coinciding with a joint press conference by Dunamu and Naver. Notably, the 2019 Upbit hack was later attributed to Lazarus and the North Korean hacker group Andariel following police investigations.

Despite these suspicions, KISA and the Financial Supervisory Service, which conducted the on-site inspection, remain cautious in their statements. A KISA official stated that the investigation is ongoing and that the agency cannot comment on potential culprits at this stage.

A representative from the Financial Supervisory Service added that the primary focus is on assessing the operator’s financial stability and ensuring user protection. While they are investigating the cause of the hack, identifying the perpetrators falls under KISA’s jurisdiction.

In light of the recent surge in stablecoin trading volumes, some experts speculate that the hackers may not necessarily aim to cash out conventionally. Instead, they might convert the stolen assets into Solana and Ethereum, ultimately transitioning to stablecoins.

A cybersecurity analyst elaborated that given the increasing global adoption of stablecoins as a cash equivalent, there’s less pressure to convert to fiat currency. Traditional cash-out methods require using centralized exchanges, which carry risks of detection and asset freezing. Consequently, the hackers might opt to retain the stolen funds in stablecoins.
