South Korea has officially confirmed that North Korean hacking groups Lazarus and Andariel were involved in the 2019 Upbit hack, which resulted in the theft of $50 million in cryptocurrency. The country’s Bureau of Investigation announced the news on Nov. 21, confirming details of the cyberattack nearly five years later.
Hackers reportedly targeted the hot wallet of South Korean cryptocurrency exchange Upbit. The attack resulted in the theft of 342,000 Ethereum (ETH), worth $147 per coin at the time, for a total value of $50 million. Today, the value of the stolen Ethereum has exceeded $1 billion, reflecting the rise in cryptocurrency prices.
Investigators confirmed North Korea's involvement by tracking cryptocurrency flows and analyzing IP addresses used during the hack. They also analyzed the language style of the hacking campaign and determined it was consistent with North Korea's communication methods.
South Korean investigators, working with the U.S. Federal Bureau of Investigation (FBI), have bolstered their findings. Despite confirming North Korea's involvement, they have withheld the specific hacking techniques in order to prevent copycat crimes.
Further analysis showed that 57% of the stolen Ethereum had been sold through exchanges allegedly controlled by North Korean agents. The remaining funds were scattered across 51 overseas exchanges to obscure their origin, making it difficult to recover the funds.
Upbit faces allegations of KYC violations
Alongside the investigation into the Upbit hack, the exchange is facing allegations of non-compliance with Know Your Customer (KYC) regulations.
On November 14, the Financial Intelligence Unit under the Financial Services Commission of South Korea discovered 600,000 violations involving the obfuscation of user identity documents.
The Financial Intelligence Unit found that Upbit accepted the obfuscated documents, making it difficult for authorities to verify customer identities. The violations could result in fines of up to $71,500 per case, posing additional challenges for the exchange.