Ethereum Updates: Lazarus Group's Cross-Chain Theft Reveals Vulnerabilities in Crypto Exchanges


By: Bitget-RWA, 2025/11/28 08:36

- South Korean authorities attribute Upbit's $30M hack to North Korea's Lazarus Group, using multi-chain laundering via Solana and Ethereum.
- Attack mirrored 2019 incident, targeting admin accounts, intensifying scrutiny of Dunamu’s $35.2B fine and merger with Naver.
- Hack occurred during Dunamu-Naver merger announcement, raising suspicions of disruption intent, aligning with Lazarus’s geopolitical tactics.
- North Korea’s sanctions-driven cyberattacks highlight global risks as Lazarus evolves tactics,

Upbit Crypto Exchange Hack Attributed to North Korea’s Lazarus Group

South Korean officials have traced the recent $30 million cyberattack on the cryptocurrency platform Upbit to the Lazarus Group, a notorious hacking collective associated with North Korea’s intelligence services. The incident, which took place on November 27, involved sophisticated laundering strategies that spanned multiple blockchains.

Attackers utilized both Solana and Ethereum networks to move the stolen funds, quickly distributing assets across 185 different wallets and converting them into ETH within a matter of hours. This approach closely resembled tactics seen in a 2019 Upbit breach, where 342,000 ETH were stolen, further reinforcing suspicions about Lazarus’s involvement. Authorities believe the hackers likely gained access by compromising or impersonating administrator accounts, rather than breaching the servers directly—a method consistent with previous Lazarus operations.

The breach has led to increased regulatory pressure on Dunamu, Upbit’s parent company, which is now facing a record penalty of 35.2 billion won due to delayed incident reporting and issues with data management. The hack also casts uncertainty over Dunamu’s $10.3 billion merger with Naver, announced on the same day as the attack. Regulatory bodies have suspended license renewals for major Korean exchanges for over a year, adding to Dunamu’s challenges. In response, Upbit has promised to fully reimburse affected customers, temporarily halted Solana network transactions, and transferred 70% of its assets to cold storage to enhance security.

Blockchain analysis has highlighted the complexity of the operation. The perpetrators bridged stolen assets from Solana to Ethereum using tokens and liquidity pools on platforms such as Allbridge. While the rapid movement of funds left some traces, the cross-chain mixing made tracking the assets more difficult. The Financial Services Commission has now designated user transaction data as sensitive under the Credit Information Act, intensifying its investigation into Upbit’s security protocols.


Merger Disruption and Strategic Timing

The timing of the hack has drawn attention, coinciding with the announcement of the Dunamu-Naver merger—a move intended to strengthen South Korea’s cryptocurrency sector. Some analysts suggest the attack was deliberately timed to undermine the merger, with the hackers possibly aiming to make a statement during a major industry event. This theory aligns with the Lazarus Group’s history of targeting vital economic infrastructure, especially during periods of heightened geopolitical tension.

Broader Implications and Ongoing Investigations

North Korea’s dependence on cybercrime to generate foreign currency provides further context for the breach. Facing stringent international sanctions, the country’s hacking units have increasingly targeted digital assets, with Lazarus previously implicated in significant thefts both in South Korea and worldwide. In response to the Upbit incident, the Korea Internet & Security Agency (KISA) and financial regulators have launched urgent inspections, highlighting the seriousness of the situation.

As the investigation unfolds, the breach exposes ongoing vulnerabilities in the security and oversight of cryptocurrency exchanges. Upbit’s repeated security failures—in both 2019 and 2025—raise concerns about the effectiveness of protections for hot wallets and cross-chain transactions. Meanwhile, the Lazarus Group’s evolving techniques, particularly their rapid multi-chain laundering, continue to pose a significant risk to the global digital asset ecosystem.


Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
