 
 
The multi-million-dollar Solana hot wallet breach on crypto exchange Upbit on Thursday was the work of North Korean hackers, South Korean authorities now suspect.
How Lazarus Group Robbed Upbit Again, Six Years Later
The huge theft of 44.5 billion Korean won (approximately $30.4 million) from a Upbit hot wallet, which forced the exchange to suspend deposits and withdrawals, was linked to a group known as Lazarus, according to a Yonhap report.
The development follows Upbit’s announcement on Thursday that it had noted irregular withdrawals on the Solana network, prompting it to move remaining funds offline and commit to fully compensating affected customers.
The hack marked the platform’s second major hot wallet breach in six years. South Korean authorities believe the latest security breach involved the hijacking or impersonation of administrator credentials to authorize the transfers, an attack vector similar to the one used by the infamous Lazarus Group in the 2019 $50 million hack.
The Lazarus Group is a North Korean state-sponsored hacking outfit long associated with high-profile crypto thefts. The group has been tied to major exploits targeting exchanges, decentralized finance protocols, and infrastructure providers.
 
On-chain sleuthing conducted by Arkham Intelligence early this year linked the $1.5 billion hack of crypto exchange Bybit to North Korea’s Lazarus Group, which is one of the largest crypto hacks recorded.
Meanwhile, a wallet seemingly tied to the 2025 Upbit hacker has swapped the ill-gotten Solana tokens for USDC and is bridging funds to Ethereum, on-chain data tracked by Dethective shows.
As ZyCrypto previously reported, the Thursday hack coincided with a major corporate merger announcement involving Upbit’s parent company, Dunamu, and Korean internet giant Naver. Naver Financial announced Wednesday that it will integrate Dunamu as its wholly-owned subsidiary as part of a $10.3 billion all-stock deal.