South Korean cryptocurrency exchange Upbit suffered a theft of approximately 44.5 billion won ($32 million) in Solana-based assets, with authorities investigating whether North Korea's Lazarus Group orchestrated the attack, according to Yonhap News Agency.
The breach occurred early Wednesday morning at 4:42 a.m. local time when assets were transferred from a hot wallet to an unidentified external address. The incident occurred exactly six years to the day after Upbit's 2019 hack, when 342,000 ETH worth $50 million at the time was stolen in an attack later attributed to Lazarus and Andariel, North Korean state-linked hacking groups.
Upbit immediately suspended all deposit and withdrawal services for Solana network assets and moved remaining funds to cold storage. The exchange froze approximately 2.3 billion won worth of Solayer (LAYER) tokens and is working with token projects and institutions to freeze additional assets.
Over 20 tokens were affected, including SOL, USDC, BONK, Jupiter (JUP), Raydium (RAY), Render (RENDER), Orca (ORCA), Pyth Network (PYTH), Magic Eden (ME), Official Trump (TRUMP), and various memecoins including Moo Deng (MOODENG) and Cat in a Dogs World (MEW).
"We have identified the exact amount of digital assets that were leaked, and we will fully cover the loss with Upbit's own assets so that customers are not affected in any way," Oh Kyung-seok, CEO of Dunamu, which operates Upbit, said in a statement .
Authorities are planning an on-site investigation at the exchange, with government sources indicating belief that Lazarus was behind the attack. The group has previously targeted crypto platforms to fund North Korean regime activities.
The breach occurred the same day Dunamu announced plans to merge with Naver Financial and invest 10 trillion won over five years to develop AI and Web3 technology infrastructure in South Korea.
Upbit revised its initial loss estimate from 54 billion won to 44.5 billion won after adjusting for market prices at the time of the unauthorized withdrawal. The company confirmed the breach originated from its hot wallet, while its cold wallet storage remained secure.
The exchange said it is conducting a comprehensive security review of its entire digital asset deposit and withdrawal system and will resume services sequentially once safety is confirmed. Upbit is cooperating with investigative authorities and tracking the stolen assets through blockchain analysis.
In the 2019 attack, investigators concluded that more than half the stolen ETH was laundered through exchange accounts created with false identities, using methods typical of the Lazarus Group including wallet hopping and mixing techniques.
