Kimchi Premium vs. State-Backed Hackers: the Dark War between North and South Korea after Upbit's Repeated Hacks

2 hours ago

The South Korean cryptocurrency market is not only the craziest retail casino in the world but also the most convenient "ATM" for North Korean hackers.

Written by: Deep Tide TechFlow

The market has rebounded, but exchanges have been hacked again.

On November 27, South Korea's largest cryptocurrency exchange, Upbit, confirmed a security breach that resulted in the loss of assets worth approximately 54 billion Korean won (about 36.8 million USD).

At 4:42 AM KST on November 27, while most South Korean traders were still asleep, Upbit's Solana hot wallet address experienced an abnormal large-scale outflow of funds.

According to on-chain monitoring by security firms such as SlowMist, the attackers did not move a single asset type; they swept essentially everything Upbit held on the Solana chain.

The stolen assets included not only the core token SOL and stablecoin USDC but also covered almost all mainstream SPL standard tokens within the Solana ecosystem.

List of Stolen Assets (Partial):

  • DeFi/Infrastructure: JUP (Jupiter), RAY (Raydium), PYTH (Pyth Network), JTO (Jito), RENDER, IO, etc.

  • Meme/Community: BONK, WIF, MOODENG, PENGU, MEW, TRUMP, etc.

  • Other Projects: ACS, DRIFT, ZETA, SONIC, etc.

A sweep this complete indicates that the attackers most likely obtained the private key of Upbit's Solana hot wallet, or took control of the signing server that uses it. On Solana, every SPL token an address holds sits in a token account whose transfer authority is that address, so whoever can sign with the one owner key can authorize transfers out of every token account under that wallet, which is exactly the "everything at once" pattern observed here.
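The sweep pattern just described is something an exchange's own monitoring can recognise in minutes if it watches per-mint drain ratios rather than individual transfer sizes. The following detector is an added example written for this article, not code from Upbit, SlowMist or any monitoring product; the mints, balances, timestamps and destination labels are constructed sample data. It raises an alert when, inside a short window, outflows from one hot-wallet authority drain nearly the entire pre-transfer balance of many distinct mints, while a routine single-mint treasury move of the same size does not trigger it.

```python
"""Hot-wallet sweep detector (added example, constructed data).

Alert when outgoing transfers from one wallet authority drain >= drain_ratio of
the pre-transfer balance of at least min_mints distinct SPL mints within window_s
seconds. A legitimate cold-wallet top-up usually moves one mint; a key compromise
empties every token account the key controls, across many mints, back to back.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int                 # unix seconds (constructed)
    mint: str               # SPL mint symbol (constructed label)
    amount: float           # amount moved out in this transfer
    balance_before: float   # token-account balance just before this transfer
    dest: str               # destination label (constructed)


def find_sweep(transfers, window_s=600, min_mints=5, drain_ratio=0.95):
    """Slide a time window over transfers sorted by time.

    For each window, the drained fraction of a mint is the sum of its outflows in
    the window divided by its balance before the first outflow in that window.
    Returns the first window that drains >= min_mints distinct mints, else None.
    """
    txs = sorted(transfers, key=lambda t: t.ts)
    for i, first in enumerate(txs):
        out_by_mint = defaultdict(float)
        start_balance = {}
        j = i
        while j < len(txs) and txs[j].ts - first.ts <= window_s:
            t = txs[j]
            start_balance.setdefault(t.mint, t.balance_before)
            out_by_mint[t.mint] += t.amount
            j += 1
        drained = sorted(
            m for m, out in out_by_mint.items()
            if start_balance[m] > 0 and out / start_balance[m] >= drain_ratio
        )
        if len(drained) >= min_mints:
            return {
                "start": first.ts,
                "end": txs[j - 1].ts,
                "drained_mints": drained,
                "n_transfers": j - i,
            }
    return None


# Constructed "normal day": small user withdrawals plus one full single-mint
# move to cold storage. The cold move drains 100% of one mint, which alone must
# not alert: the signal is breadth across mints, not size.
NORMAL_DAY = [
    Transfer(1000, "SOL", 50.0, 10_000.0, "user1"),
    Transfer(1400, "USDC", 20_000.0, 2_000_000.0, "user2"),
    Transfer(1900, "JUP", 900.0, 300_000.0, "user3"),
    Transfer(3000, "SOL", 9_950.0, 9_950.0, "cold_wallet"),
]

# Constructed sweep: six mints emptied within three minutes to one destination.
SWEEP = [
    Transfer(5000, "SOL", 24_990.0, 25_000.0, "attacker"),
    Transfer(5010, "USDC", 1_999_000.0, 2_000_000.0, "attacker"),
    Transfer(5025, "JUP", 299_500.0, 300_000.0, "attacker"),
    Transfer(5040, "RAY", 80_000.0, 80_000.0, "attacker"),
    Transfer(5090, "BONK", 5e11, 5e11, "attacker"),
    Transfer(5180, "WIF", 41_000.0, 42_000.0, "attacker"),
]

if __name__ == "__main__":
    print("normal day:", find_sweep(NORMAL_DAY))
    print("sweep:", find_sweep(NORMAL_DAY + SWEEP))
```

The same thresholds belong in the signing policy, not only in an alerting pipeline: a signer that refuses to co-sign once per-mint or aggregate outflow velocity exceeds a limit turns a stolen key into a partial loss instead of a total one, whereas a detector that only pages an on-call engineer at 4:42 AM arrives after the funds have moved.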

For Upbit, which holds about 80% of the South Korean market and prides itself on carrying the highest security certification issued by the Korea Internet & Security Agency (KISA), this is undoubtedly a painful breach.

However, this is not the first time a South Korean exchange has been hacked.

If we extend the timeline, we find that the South Korean cryptocurrency market has been raided by hackers, North Korean ones in particular, for the past eight years.


Chronicle of Eight Years of North-South Cyber Warfare

From early brute-force intrusions to later social-engineering infiltration, the attack methods have kept evolving, and the list of South Korean exchanges that have suffered for it has kept growing.

Total Losses: Approximately 200 million USD (based on the price at the time of theft; if calculated at current prices, it exceeds 1.2 billion USD, with the 342,000 ETH stolen from Upbit in 2019 alone now worth over 1 billion USD)

  • 2017: The Wild Era, Hackers Target Employees' Computers

2017 marked the beginning of the cryptocurrency bull market and the start of nightmares for South Korean exchanges.

That year, South Korea's then-largest exchange, Bithumb, was the first to fall. In June, hackers compromised a Bithumb employee's personal computer and stole personal information on roughly 31,000 users, then used that data for targeted phishing against those customers, making off with about 32 million USD. Investigators found unencrypted customer data stored on the employee's computer, and that the machine did not even have basic security software installed.

This exposed the poor state of security management at South Korean exchanges at the time, where even the common sense of "do not store customer data on personal computers" had not been established.

Worse, the mid-sized exchange Youbit did not survive the year. It took two devastating blows: in April it lost nearly 4,000 bitcoins (about 5 million USD), and in December it was hacked again, losing 17% of its assets. Overwhelmed, Youbit filed for bankruptcy, allowing users to withdraw only 75% of their balances, with the remainder tied up in a lengthy bankruptcy liquidation.

After the Youbit incident, the Korea Internet & Security Agency (KISA) publicly accused North Korea of being the mastermind behind the attacks. This sent a signal to the market:

Exchanges were no longer facing ordinary cyber thieves but state-level hacker organizations with geopolitical motives.

  • 2018: The Hot Wallet Heist

In June 2018, the South Korean market experienced consecutive blows.

On June 10, the mid-sized exchange Coinrail was attacked, losing over 40 million USD. Unlike previous incidents, this time the hackers primarily plundered popular ICO tokens (such as NPXS from Pundi X) rather than Bitcoin or Ethereum. Following the news, Bitcoin's price briefly plummeted by over 10%, and the entire cryptocurrency market evaporated over 40 billion USD in value within two days.

Just ten days later, South Korea's leading exchange Bithumb also fell victim, with its hot wallet hacked for approximately 31 million USD worth of XRP and other tokens. Ironically, just days before the attack, Bithumb had announced on Twitter that it was "transferring assets to cold wallets to upgrade its security system."

This was the third time Bithumb had been "visited" by hackers in a year and a half.

This chain reaction severely undermined market confidence. The South Korean Ministry of Science and ICT subsequently conducted security reviews of 21 domestic exchanges and found that only 7 passed all 85 checks; the remaining 14 were "at risk of exposure to hacker attacks at any time," and 12 of them had serious weaknesses in cold wallet management.

  • 2019: Upbit's 342,000 ETH Stolen

On November 27, 2019, South Korea's largest exchange, Upbit, experienced the largest single theft in the country's history at that time.

The hackers exploited a gap while the exchange was reorganizing its wallets and moved 342,000 ETH in a single transaction. They did not dump the assets immediately; instead they used the "peel chain" technique, breaking the funds into many small transfers and passing them along layer by layer until they reached dozens of non-KYC exchanges and mixers.

Investigations showed that 57% of the stolen ETH was exchanged for Bitcoin at a discount of 2.5% below market price at suspected North Korean-operated exchanges, while the remaining 43% was laundered through 51 exchanges in 13 countries.

It was not until five years later, in November 2024, that South Korean police officially confirmed that the case was carried out by the North Korean hacker groups Lazarus Group and Andariel. Investigators attributed the attack through IP tracking, fund-flow analysis, and the appearance in the attack code of the North Korean dialect expression "헐한 일" (roughly "a trivial matter").

South Korean authorities collaborated with the FBI to trace the assets, and after four years of legal proceedings, they ultimately recovered 4.8 bitcoins (about 600 million Korean won) from a Swiss exchange, which were returned to Upbit in October 2024.

However, compared to the total amount stolen, this recovery is almost negligible.

  • 2023: The GDAC Incident

On April 9, 2023, the mid-sized exchange GDAC was attacked, resulting in a loss of approximately 13 million USD—accounting for 23% of its total managed assets.

The stolen assets included about 61 BTC, 350 ETH, 10 million WEMIX tokens, and 220,000 USDT. The hackers controlled GDAC's hot wallet and quickly laundered part of the funds through the Tornado Cash mixer.

  • 2025: On the Same Day Six Years Later, Upbit Falls Again

On the same day six years ago (November 27), Upbit lost 342,000 ETH.

History repeated itself. At 4:42 AM, Upbit's Solana hot wallet experienced abnormal fund outflows, with approximately 54 billion Korean won (36.8 million USD) transferred to unknown addresses.

After the 2019 Upbit incident, South Korea amended the Act on Reporting and Using Specified Financial Transaction Information (the "Specific Financial Information Act") in 2020, with the rules taking effect in 2021, requiring every exchange to obtain ISMS (Information Security Management System) certification and to open real-name accounts at banks. Many small exchanges that could not meet the standards were forced out, and the industry shrank from "hundreds of exchanges in chaos" to a few dominant giants. Upbit, backed by Kakao's resources and its certification, once held over 80% market share.

However, six years of compliance building did not spare Upbit from this disaster.

As of the time of writing, Upbit has announced that it will fully compensate users for their losses using its own assets, but detailed information about the identity of the attackers and the specific attack path has not yet been disclosed by the official sources.

Kimchi Premium, State-Level Hackers, and Nuclear Weapons

The frequent hacks of South Korean exchanges are not merely a result of technical incompetence but a tragic reflection of geopolitical realities.

In a highly centralized market with extremely high liquidity premiums and a unique geographical position, South Korean exchanges are essentially using the security budget of a commercial company to combat a state-level hacker force with nuclear deterrent ambitions.

This force has a name: Lazarus Group.

Lazarus is affiliated with North Korea's Reconnaissance General Bureau (RGB) and is one of Pyongyang's most elite cyber warfare units.

Before shifting to cryptocurrency, they had already proven their capabilities in traditional finance.

In 2014, they hacked Sony Pictures, in 2016, they stole 81 million USD from the Bangladesh Central Bank, and in 2017, they orchestrated the WannaCry ransomware attack that affected 150 countries.

Since 2017, Lazarus has turned its sights to the cryptocurrency sector. The reason is simple:

Compared to traditional banks, cryptocurrency exchanges have looser regulations and varying security standards, and once successful, funds can be quickly transferred across borders on-chain, bypassing the international sanctions system.

And South Korea happens to be the most ideal hunting ground.

First, South Korea is a natural target for geopolitical confrontation. For North Korea, attacking South Korean companies not only allows for financial gain but also creates chaos in the "enemy country," achieving two goals at once.

Second, behind the kimchi premium lies a lucrative pool of funds. South Korean retail investors are renowned for their enthusiasm for cryptocurrencies, and the essence of the premium is supply and demand imbalance, with a large influx of Korean won chasing limited crypto assets.

This means that the hot wallets of South Korean exchanges hold liquidity that far exceeds that of other markets. For hackers, this is a gold mine.

Third, there is a language advantage. The attacks by Lazarus are not solely reliant on technical brute force. They excel in social engineering, such as fabricating job postings, sending phishing emails, and impersonating customer service to extract verification codes.

With North and South Korea sharing the same language and culture, there are zero language barriers, significantly increasing the success rate of targeted phishing attacks against South Korean employees and users.

Where does the stolen money go? This may be the most intriguing part of the story.

According to United Nations reports and tracking by several blockchain analysis companies, the cryptocurrency stolen by Lazarus ultimately flows into North Korea's nuclear weapons and ballistic missile programs.

Previously, Reuters cited a confidential UN report stating that North Korea uses the funds from stolen cryptocurrencies to help finance its missile development programs.

In May 2023, White House Deputy National Security Advisor Anne Neuberger publicly stated that about 50% of the funding for North Korea's missile program comes from cyberattacks and cryptocurrency theft; this proportion has increased from the "about one-third" she provided in July 2022.

In other words, every time a South Korean exchange is hacked, it may indirectly contribute to the nuclear warheads across the 38th parallel.

At the same time, the laundering pipeline has become quite sophisticated: the stolen assets are first split into many small transfers using the "peel chain" technique, then obfuscated through mixers (such as Tornado Cash or Sinbad), swapped for Bitcoin at a discount through North Korean-operated exchanges, and finally converted into fiat through underground channels in China and Russia.

In the case of the 342,000 ETH stolen from Upbit in 2019, the South Korean police investigation found that 57% was swapped for Bitcoin at 2.5% below market price on three exchanges suspected of being operated by North Korea, while the remaining 43% was laundered through 51 exchanges in 13 countries. The whole process took years, and to this day the vast majority of the funds has not been recovered.
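Both the 2019 Upbit section and the laundering pipeline above describe the peel chain pattern: at each hop the bulk of the funds moves on to a fresh address while a small slice is "peeled" off to an exchange deposit address or a mixer. The tracer below is an added example written for this article, not code from the South Korean police, the FBI or any blockchain-analytics vendor; the addresses, amounts and service labels form a constructed single-asset transfer graph. It follows the largest outgoing transfer from each address as the chain's continuation, records every smaller output as a peel, stops when the continuation lands on a labelled service, and refuses to follow a fan-out (where no single output dominates), which is a different laundering shape.

```python
"""Peel chain tracer (added example, constructed data).

A peel chain is a sequence of addresses where each one forwards most of its
balance to the next and sends a small "peel" elsewhere, typically an exchange
deposit address. Following the largest output per hop recovers the chain;
collecting the peels shows where the value actually cashed out.
"""
from collections import defaultdict

# Constructed transfer log: (sender, receiver, amount). Labels are made up.
TRANSFERS = [
    ("hot_wallet", "attacker", 1000.0),
    ("attacker", "h1", 960.0), ("attacker", "exA_dep", 40.0),
    ("h1", "h2", 925.0),       ("h1", "exB_dep", 35.0),
    ("h2", "h3", 890.0),       ("h2", "mixer_in", 35.0),
    ("h3", "h4", 850.0),       ("h3", "exA_dep", 40.0),
    ("h4", "exC_dep", 850.0),  # remainder lands on a deposit address: chain ends
    # Unrelated fan-out: one address splitting into three roughly equal outputs.
    ("fan", "x1", 300.0), ("fan", "x2", 300.0), ("fan", "x3", 400.0),
]

# Constructed attribution table: address -> service label.
KNOWN_SERVICES = {
    "exA_dep": "Exchange A",
    "exB_dep": "Exchange B",
    "exC_dep": "Exchange C",
    "mixer_in": "Mixer",
}


def trace_peel_chain(transfers, start, known, min_continue_frac=0.8, max_hops=50):
    """Walk the chain from `start`.

    At each address the largest output is treated as the continuation and all
    smaller outputs as peels. The walk stops when: the continuation reaches a
    known service (terminal), the address has no outputs, the largest output is
    below min_continue_frac of the total (a fan-out, not a peel), a loop is hit,
    or max_hops is exceeded.
    """
    outgoing = defaultdict(list)
    for sender, receiver, amount in transfers:
        outgoing[sender].append((receiver, amount))

    path, peels, seen = [start], [], {start}
    terminal = None
    cur = start
    while cur in outgoing and len(path) <= max_hops:
        outs = sorted(outgoing[cur], key=lambda x: x[1], reverse=True)
        nxt, big = outs[0]
        total = sum(a for _, a in outs)
        if big / total < min_continue_frac:
            break  # funds fan out rather than peel; a different pattern
        for receiver, amount in outs[1:]:
            peels.append({"hop": cur, "to": receiver, "amount": amount,
                          "service": known.get(receiver)})
        if nxt in known:
            terminal = {"address": nxt, "service": known[nxt], "amount": big}
            break
        if nxt in seen:
            break  # loop; stop rather than spin
        seen.add(nxt)
        path.append(nxt)
        cur = nxt
    return {"path": path, "peels": peels, "terminal": terminal}


def peel_summary(result):
    """Total value that reached each labelled service (peels plus terminal)."""
    totals = defaultdict(float)
    for p in result["peels"]:
        if p["service"]:
            totals[p["service"]] += p["amount"]
    if result["terminal"]:
        totals[result["terminal"]["service"]] += result["terminal"]["amount"]
    return dict(totals)


if __name__ == "__main__":
    res = trace_peel_chain(TRANSFERS, "attacker", KNOWN_SERVICES)
    print("path:", " -> ".join(res["path"]))
    print("cash-out by service:", peel_summary(res))
```

The per-service totals are what an investigator takes to the exchanges named in them: each deposit address maps to a customer account that the exchange can freeze and identify. The real 2019 trail was far longer than this toy graph, crossed from ETH into BTC, and passed through services with no attribution table at all, which is why the 43% laundered through 51 exchanges took years to follow and why so little came back.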

This may be the fundamental dilemma faced by South Korean exchanges:

On one side is Lazarus, a hacker group supported by national resources, capable of operating 24/7 and investing without regard for costs; on the other side are commercial companies like Upbit and Bithumb.

Even the top exchanges that have passed regulatory scrutiny still find themselves powerless against state-level, persistent, well-resourced attackers.

Not Just a South Korean Problem

Eight years, over ten attacks, and approximately 200 million USD in losses—if we only view this as local news for the South Korean cryptocurrency industry, we miss the bigger picture.

The plight of South Korean exchanges is a rehearsal for the cryptocurrency industry’s game against state-level adversaries.

North Korea is the most visible player, but it is not the only one. Certain high-threat hacking organizations in Russia have been linked to multiple DeFi attacks, Iranian hackers have targeted Israeli cryptocurrency companies, and North Korea has long expanded the battlefield from South Korea to the global stage, with victims across continents, such as the 1.5 billion USD attack on Bybit in 2025 and the 625 million USD attack on Ronin in 2022.

The cryptocurrency industry has a structural contradiction: everything must pass through centralized entry points.

No matter how secure the blockchain itself is, users' assets ultimately flow through exchanges, cross-chain bridges, and hot wallets—these "choke points."

These nodes concentrate vast amounts of capital but are operated by commercial companies with limited budgets; for state-level hackers, this is a highly efficient hunting ground.

The resources of both offense and defense are fundamentally unequal; Lazarus can fail a hundred times, while exchanges can only afford to fail once.

The kimchi premium will continue to attract global arbitrageurs and local retail investors, and Lazarus will not stop just because they have been exposed. The battle between South Korean exchanges and state-level hackers is far from over.

One can only hope that the next time there is a theft, it is not your own money.

Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes a copyright, please send proof of rights and identity to support@aicoin.com and platform staff will review it.
