Upbit Solana Hack 2025: Why North Korea Lazarus Group in Focus?

Upbit Solana Hack 2025: What Happened, Who Suspected & How It Impacts?

On November 27, 2025, South Korea, the largest crypto exchange, was hacked, due to which Solana tokens lost worth $30 million. In a similar attack in 2019, authorities are looking into the Lazarus Group of North Korea.

Upbit Solana Hack 2025: What Happened?

Upbit verified that about 44.5 billion KRW ($30.43 million) was stolen out of a hot wallet that contained Solana-based assets, such as BONK, JTO, USDC, ORCA, METO, and RAY.

Hackers used hopping (transfer of funds between various wallets) and mixing (laundering to conceal transactions), which had been previously associated with the Lazarus hacking group. 

After the hack, Upbit halted deposits and withdrawals, moved any remaining funds to cold storage, and promised users that they would be reimbursed for all their funds using company reserves.

Source: Wu Blockchain X

Is There Any Real Connection with North Korea?

• The South Korean government is investigating the Lazarus Group, which is linked to the Reconnaissance General Bureau of North Korea. In 2019, the group had stolen 58 billion KRW (~$49 million) of Ethereum at Upbit.

• Government officials propose that hackers stole administrator accounts or impersonated administrators, a technique similar to that of 2019. 

• North Korea is also cited by security experts as the reason behind the shortage of foreign currency. 

• On-chain analysis indicates mixing and hopping, which are in line with the signature techniques of Lazarus.

What Coincides with the Hack?

This attack was committed on the same day as the announcement of the acquisition of Dunamu, the parent company of Upbit, by Naver, at $10.3 billion. Analysts believe that the attack might have been planned by hackers to create the greatest attention.

It is also the 6th anniversary of the 2019 Ethereum hack, which indicates that despite numerous security upgrades, centralized exchange hot wallets are still vulnerable.

What do Upbit and the Authorities Respond and React?

The South Korea Exchange instantly froze 2.3 billion KRW of stolen money ($1.57 million) and transferred untouched assets to cold storage. The company assured the users that any loss would be fully refunded.

Regulators such as the Financial Supervisory Service, Financial Security Institute, and KISA initiated on-site checks, which are likely to continue until December 5, 2025. These checks are also meant to track the stolen property, stop additional thefts, and check compliance with the regulations.

How Does It Impact the Crypto Markets?

After the attack, Solana-related coins on Upbit shot up as withdrawals were halted. For example:

• ORCA was trading at a 25%premium to global markets.

• METO rose 85%, RAY 48% within a week.

Source: X

These spikes indicate short-term arbitrage but risk volatility to the traders. The event highlights the continued susceptibility of centralized exchanges and the market implications of high-profile cyberattacks.

Conclusion

This hack highlights the repetitive security issues that face centralized exchanges, possible cyber threats by North Korea, and market instability, and authorities are moving quickly to recover the money and assure customers.

Disclaimer: This article is for informational purposes only and does not constitute financial advice.