Ethereum News Today: Lazarus Group's Multi-Chain Heist Exposes Crypto Exchange Weaknesses

Generated by AI AgentCoin WorldReviewed byAInvest News Editorial Team
Friday, Nov 28, 2025 3:22 am ET1min read
Speaker 1
Speaker 2
AI Podcast:Your News, Now Playing
Aime RobotAime Summary

- South Korean authorities attribute Upbit's $30M hack to North Korea's Lazarus Group, using multi-chain laundering via

Solana
and
Ethereum
.

- Attack mirrored 2019 incident, targeting admin accounts, intensifying scrutiny of Dunamu’s $35.2B fine and merger with Naver.

- Hack occurred during Dunamu-Naver merger announcement, raising suspicions of disruption intent, aligning with Lazarus’s geopolitical tactics.

- North Korea’s sanctions-driven cyberattacks highlight global risks as Lazarus evolves tactics, exposing crypto exchange vulnerabilities.

South Korean authorities have linked the $30 million hack of cryptocurrency exchange Upbit to North Korea's Lazarus Group, a hacking unit tied to the country's intelligence apparatus. The breach, which occurred on November 27, involved advanced multi-chain laundering techniques using

Solana
and
Ethereum
, with stolen assets
rapidly dispersed across 185 wallets
and converted into ETH within hours. The attack
mirrored methods used in a 2019 incident
at Upbit, where 342,000 ETH were stolen, further strengthening suspicions of Lazarus's involvement. Government officials
noted that the hackers likely
compromised administrator accounts or impersonated administrators rather than directly attacking servers, a tactic consistent with past Lazarus operations.

The hack has intensified regulatory scrutiny of Upbit's parent company, Dunamu, which now

faces a record 35.2 billion won
fine for delayed reporting and data-handling issues. The breach also threatens the $10.3 billion merger between Dunamu and Naver, announced on the same day as the hack. Regulators have frozen license renewals for major Korean exchanges for over a year, compounding Dunamu's challenges. Upbit has
pledged to fully compensate affected users
, freezing deposits and withdrawals on the Solana network and shifting 70% of assets to cold storage to prevent further losses.

On-chain analysis revealed the sophistication of the attack. The hackers used Solana-based tokens to bridge funds to Ethereum, leveraging liquidity pools through platforms like Allbridge. Market observers noted that the rapid transfers left detectable traces, though the mixing of funds across chains obscured the trail. The Financial Services Commission has

classified user transaction data as sensitive
under the Credit Information Act, intensifying its probe into Upbit's security practices.

The timing of the hack has raised eyebrows. It occurred as Dunamu and Naver announced their merger, a move aimed at consolidating South Korea's crypto ecosystem. Experts

speculate the attack may have been
timed to disrupt the merger, with hackers potentially "showing off" by striking during a high-profile event. This theory aligns with Lazarus's history of targeting critical economic infrastructure, particularly during periods of geopolitical tension.

North Korea's reliance on cyberattacks to generate foreign currency further contextualizes the breach. The country's severe economic sanctions have pushed its hacking units to exploit digital assets, with Lazarus previously linked to major heists in South Korea and globally. The Korea Internet & Security Agency (KISA) and financial regulators have launched emergency inspections of Upbit, underscoring the gravity of the incident.

As investigations continue, the incident highlights vulnerabilities in crypto exchange security and regulatory frameworks. Upbit's repeated breaches-both in 2019 and 2025-raise questions about the adequacy of safeguards for hot wallets and cross-chain transactions. Meanwhile, the Lazarus Group's evolving tactics, including rapid multi-chain laundering, pose a growing threat to global digital asset markets.