Lazarus Group Suspected in $30.6M Upbit Crypto Heist Amid Dunamu-Naver Merger Scrutiny

November 28, 2025
  • Evidence and assessments have strengthened the link to Lazarus, a group previously tied to the 2019 Ethereum theft from Upbit.

  • Investigative efforts involve multiple regulators—Financial Services Commission, Financial Supervisory Service, Financial Security Institute, and Korea Internet & Security Agency—working under regulatory oversight.

  • A suspected Lazarus-backed cyber heist hit Upbit, South Korea’s largest crypto exchange, with about 45 billion won ($30.6 million) siphoned off through an unauthorized transfer. Speculation points to a repeat of the 2019 attack pattern, including possible administrator account compromise or impersonation rather than a direct server breach.

  • On-site investigations are underway, with the Ministry of Science and ICT and financial authorities gathering evidence and interviewing the exchange to determine how the breach occurred.

  • Authorities are investigating 44.5 billion won in assets linked to Solana that were moved to an unauthorized wallet, prompting on-site probes by regulatory and security agencies.

  • Upbit’s parent Dunamu says it will cooperate fully with investigators as they assess the full scope of the breach and its impact on users and assets.

  • Dunamu is actively cooperating with authorities to determine the breach’s extent and its implications for users and assets.

  • Regulators’ scrutiny of Dunamu’s security posture could influence the Dunamu-Naver merger review, with ongoing probes potentially affecting the deal’s timeline.

  • The revelation of the breach comes as Naver advances its plan to acquire Dunamu, underscoring ongoing vulnerabilities and heightened regulatory oversight in the crypto exchange sector.

  • Authorities apply FATF-compliant approaches for transaction tracing and anti-money-laundering controls as the investigation progresses.

  • Experts urge exchanges to continually upgrade security protocols, educate users on security, and tighten controls to prevent administrator abuse and unauthorized transfers.

  • Analysts note the timing of the attack may be linked to Naver’s planned acquisition of Dunamu, suggesting opportunistic targeting or hackers’ signaling behavior.

Summary based on 8 sources

