{"id":60955,"date":"2025-11-28T20:01:34","date_gmt":"2025-11-28T20:01:34","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=60955"},"modified":"2025-11-28T20:01:34","modified_gmt":"2025-11-28T20:01:34","slug":"32-million-crypto-heist-north-koreas-lazarus-suspected-in-upbit-breach","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=60955","title":{"rendered":"$32 Million Crypto Heist: North Korea\u2019s Lazarus Suspected In Upbit Breach"},"content":{"rendered":"
\n

South Korea\u2019s largest cryptocurrency exchange, Upbit, is facing a second major security crisis after 44.5 billion won (around $30\u201332 million) in digital assets were drained from a hot wallet, with authorities \u201cstrongly\u201d suspecting North Korea\u2019s Lazarus Group.<\/p>\n

According to ICT industry sources and government officials cited by Yonhap News on November 28, investigators are focusing on Lazarus, a hacking unit under North Korea\u2019s Reconnaissance General Bureau, as the likely perpetrator. The group was also suspected in Upbit\u2019s 2019 breach<\/a>, when approximately 58 billion won in Ethereum was stolen.<\/p>\n

North Korean Crypto Hackers Strike Again<\/h2>\n

The latest incident<\/a> again centers on a hot wallet \u2014 an internet-connected operational wallet \u2014 replicating the core vulnerability of 2019. A government official quoted by Yonhap said the attack likely did not involve a deep server exploit but instead an administrative compromise: \u201cRather than a server attack, it\u2019s possible they compromised an administrator account or impersonated an administrator to transfer funds,\u201d adding that because the earlier hack used this method, \u201cwe consider this approach the most likely.\u201d<\/p>\n

Security experts point to the post-hack on-chain behavior as key circumstantial evidence. After the theft, the funds were rapidly \u201chopped\u201d through other exchange wallets and then subjected to \u201cmixing,\u201d a laundering technique designed to break traceability.<\/p>\n

One expert noted that \u201cfunds were hopped to other exchange wallets before mixing occurred. This can be seen as the modus operandi of the Lazarus Group,\u201d adding that \u201conce mixing occurs, transactions become untraceable.\u201d Because FATF member countries cannot legally operate mixing services, the expert argued it is \u201chighly likely North Korea<\/a> was responsible.\u201d<\/p>\n

The timing has raised additional suspicion. The hack occurred on November 27, the same day Naver and Upbit operator Dunamu held a high-profile joint press conference at Naver\u2019s \u201c1784\u201d headquarters to present their group-integration and AI\/Web3 expansion strategy.<\/p>\n

A security expert suggested the date may have been intentionally chosen: \u201cHackers often have a strong desire to show off. It\u2019s possible they chose the 27th as the hacking date to flaunt their timing, selecting the very day of the merger announcement.\u201d The attack also lands almost exactly six years after Upbit\u2019s 2019 hack, which occurred on November 27.<\/p>\n

Regulatory and supervisory bodies have moved quickly. Following a December interpretation by the Financial Services Commission that virtual asset exchanges\u2019 user transaction data falls under the Credit Information Act, the Financial Supervisory Service and the Korea Financial Security Institute have launched an on-site inspection of Upbit. The Korea Internet & Security Agency has joined to provide technical support.<\/p>\n

At press time, the total crypto market cap stood at $3.07 trillion.<\/p>\n

\"Total<\/div>\n","protected":false},"excerpt":{"rendered":"

South Korea\u2019s largest cryptocurrency exchange, Upbit, is facing a second major security crisis after 44.5 billion won (around $30\u201332 million) in digital assets were drained from a hot wallet, with authorities \u201cstrongly\u201d suspecting North Korea\u2019s Lazarus Group. According to ICT industry sources and government officials cited by Yonhap News on November 28, investigators are focusing […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-60955","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/60955","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60955"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/60955\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60955"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60955"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60955"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}