South Korean authorities reportedly believe that North Korea’s Lazarus group carried out the Upbit hack, while the sophisticated Solana-based tokens are rapidly converted into Ethereum across 185 wallets within hours.
The breach occurred as Dunamu, Upbit’s parent company, announced a landmark $10.3 billion merger with Naver. The coincidence has heightened uncertainty for both firms amid ongoing investigations and regulatory pressure.
Sponsored
Sponsored
Authorities Suspect North Korea-backed Lazarus
Authorities are investigating the 44.5-billion-won ($30 million) Upbit hack as a likely operation by North Korea’s Lazarus group. The attack reused a 2019-style hot-wallet breach, with hopping and mixing activity suggesting deliberate laundering. Financial regulators and the Korea Internet & Security Agency (KISA) have visited Dunamu’s headquarters and have launched emergency on-site inspections to assess the damage and security failures.
The Upbit security breach revealed highly advanced cross-chain money laundering techniques. On-chain data analyzed on November 28 showed the attacker swapped 24 Solana-based tokens for WSOL (Wrapped Solana) and SOL before scattering funds across 185 wallets. The attacker rapidly bridged stolen assets across chains and converted them into ETH, accumulating over $1.6 million after draining Upbit’s hot wallet.
Market observers noted the sophistication of the operation. One analyst tracking the fund’s movements in real time noted that bridging activity via Allbridge created arbitrage gaps due to thin liquidity pools. Each transfer of $200,000 to $300,000 left clear traces for those following blockchain flows closely.
Ongoing Penalties Complicate the Future
The hack adds to Dunamu’s ongoing regulatory woes. Earlier in November, the Financial Intelligence Unit (FIU) under Korea’s Financial Services Commission levied a record 35.2 billion KRW fine ($26.5 million) on the exchange operator for violating requirements on the reporting and use of specified financial transaction information. This is the heaviest penalty the FIU has issued to a crypto firm.
These violations included failing to conduct required customer due diligence 5.3 million times, failing to block 3.3 million unauthorized transactions, and 15 unreported suspicious activities. Beyond the fine, regulators imposed a three-month partial business suspension and reprimanded nine executives. Dunamu has appealed the suspension, with the subsequent trial scheduled next week.
Sponsored
Sponsored
The penalties have frozen Virtual Asset Service Provider (VASP) license renewals for over a year. All major Korean won trading exchanges, including Upbit, now operate on extended licenses while Dunamu awaits the outcome of its case. Under Korean law, the usual three-year renewal process remains on pause until sanctions are resolved. The impasse impacts the entire Korean cryptocurrency sector.
Industry experts note that the potential business suspension may block Dunamu from independently entering new ventures. However, the merger with Naver could offer a way forward. Through Naver’s acquisition, Dunamu might be able to access new markets despite direct regulatory hurdles.
However, the hack is complicating the situation. If internal failures are confirmed, Dunamu could face additional penalties. Such sanctions may make its VASP license renewal even more difficult. Conversely, if Lazarus’ involvement is confirmed, Upbit could gain a partial exemption, as it did after the attack six years ago. That case produced conclusions only after five years. A similar timeline may delay regulatory judgments this time as well.
Authorities are reviewing possible internal control failings. Dunamu temporarily halted all deposits and withdrawals on Upbit, launched internal security checks, and pledged to work with analytics firms and law enforcement to freeze stolen assets. The company also committed to fully reimbursing customers for their losses.
Merger Aims for Next-Gen Financial Infrastructure—but Faces Hurdles
The announcement of the merger—on the same day as the Upbit hack—now faces increased skepticism. At a November 27 press conference at Naver headquarters in Seongnam, executives outlined plans to combine the companies in an all-stock deal worth $10.3 billion. The transaction will issue 87.56 million new Naver shares and aims to achieve three main goals.
First, the new company intends to design next-generation financial infrastructure to diversify revenue beyond exchange operations. Second, it plans to address new payment needs by issuing and circulating a KRW-backed stablecoin for local and international settlements. Third, the entity will pursue global expansion by merging Dunamu’s blockchain expertise with Naver’s broad Asian user base.
The merged firm hopes to leverage both blockchain and Web3 technology, alongside artificial intelligence. Naver’s substantial platform reach, including Line Messenger, could fuel rapid international growth, something most blockchain startups struggle to achieve. Executives also raised the possibility of seeking a US Nasdaq listing, but only if shareholder value can be proven.
The hack, again, introduces new complications. Regulators may now scrutinize Dunamu’s security measures more closely as part of the merger review. The situation also raises concerns about whether Naver’s acquisition can proceed amid active criminal and regulatory probes. Other market shifts—such as Binance’s recent acquisition of the exchange Gopax—are further shaping the regulatory landscape.
If Dunamu’s case for VASP license renewal is resolved, reviews for all platforms could resume, potentially ending the logjam that has stalled the industry for over a year. The outcomes of legal proceedings and investigations following the hack may determine whether the merger proceeds smoothly or faces delays and restructuring.