Lazarus Group Suspected in ₩44.5B Upbit Hack as Regulators Intensify Scrutiny

The Lazarus Group, widely known for its long-running cyber operations linked to North Korea, is emerging as the leading suspect in the recent attack on Upbit that resulted in the loss of approximately ₩44.5 billion (about $30 million). The intrusion, which originated from a compromised hot wallet, follows patterns that closely resemble Upbit’s 2019 incident—an attack that investigators later attributed to Lazarus. This new breach has prompted a swift regulatory response and raised concerns about Dunamu’s ongoing licensing matters and its merger prospects involving Naver Financial.

What Happened: Hot Wallet Exploit with Lazarus Signatures

Investigators reviewing early blockchain data have pointed out several familiar elements from past Lazarus-linked operations. The attackers gained access through a hot wallet, moved assets rapidly through a series of wallets, and employed mixers to fragment and conceal the trail—techniques that mirror the 2019 Ethereum theft from the same exchange.

The stolen assets were primarily Solana-based tokens. In the immediate aftermath, Upbit suspended deposits and withdrawals, transferred remaining funds to cold storage for safety, and managed to freeze roughly ₩2.3 billion of the compromised amount. The company later confirmed it will cover the remaining ₩38.6 billion in customer losses using its internal reserves.

Source: blockhead.co

Regulators Launch Emergency Inspections

South Korea’s Financial Services Commission (FSC) and the Korea Internet & Security Agency (KISA) quickly initiated emergency on-site inspections. These reviews, which will continue through December 5, are focused on the exchange’s internal security measures, compliance controls, and the handling of its hot wallet systems.

Source: ainvest.com

Officials have indicated that the findings could influence several regulatory decisions heading into 2026, including how exchanges manage operational risk and store customer assets.


Dunamu Faces Additional Pressure

The breach comes at a difficult moment for Dunamu, Upbit’s operator. Earlier in the month, the company received a ₩35.2 billion penalty and a three-month partial business suspension tied to unrelated compliance issues. Its VASP license renewal is already on hold, and the pending merger involving Naver Financial will now face tighter scrutiny.

Source: cryptonews.net

If regulators determine that internal failures contributed to the breach, Dunamu could face new penalties. Conversely, if authorities confirm Lazarus involvement, regulators may consider leniency similar to what followed the 2019 attack.

Fact Check and Clarifications

“Upbit users lost funds.”

False. Upbit has confirmed it will fully reimburse affected customers from its reserves.

“The attack was carried out internally.”

Unverified. Investigators have not identified insider involvement. Current evidence aligns more closely with known Lazarus attack structures.

“Lazarus activity has diminished.”

Incorrect. Multiple high-profile incidents across 2024 and 2025 have been linked to Lazarus by blockchain analytics firms.

“The hack will not affect Dunamu’s merger plans.”

Uncertain. The review may delay or complicate approval processes.

Broader Implications for the Web3 Sector

The incident highlights ongoing challenges for centralized exchanges that continue to rely on hot wallet infrastructure. Even with improved security standards, the complexity of high-volume trading environments presents openings for highly sophisticated attackers. As South Korea continues refining its regulatory approach, requirements around cybersecurity, cold storage practices, and operational transparency may become significantly stricter in the coming year.

Conclusion

Although customers will be refunded, Upbit and Dunamu now face an extended period of regulatory examination and heightened public scrutiny. The suspected involvement of the Lazarus Group underscores the growing sophistication of state-backed cyber operations targeting digital asset platforms. The outcome of this investigation is likely to influence not only Upbit’s future but also broader policies governing South Korea’s digital asset industry.
