{"version":"1.0","type":"rich","provider_name":"Acast","provider_url":"https://acast.com","height":250,"width":700,"html":"<iframe src=\"https://embed.acast.com/$/660f682c917d2900176e5514/6929d3b19b21443f854d7616?\" frameBorder=\"0\" width=\"700\" height=\"250\"></iframe>","title":"Upbit Halts Deposits and Withdrawals After 44.5 Billion Won Hot Wallet Theft","description":"<p>Upbit suspended deposits and withdrawals after 44.5 billion won was moved from a hot wallet to an unauthorized address, with initial conversion estimates ranging from about $30 million to $37 million as asset baskets and rates were reconciled. Upbit initiated internal forensics while Korean regulators and law enforcement launched on-site inspections and treated the incident as a hot wallet compromise rather than a cold storage failure. Investigators emphasized possible credential theft or administrator impersonation and reported that no evidence of a direct server exploit had been presented. Local media and officials identified patterns consistent with past state-linked activity, and early assessments named the North Korea–linked Lazarus Group as the leading suspect. On-chain analytics firms and law enforcement traced the stolen funds and searched for rapid chain swaps, chain hopping, use of mixers, and transfers to sanctioned entities while working to flag addresses and disrupt cash-out paths at compliant venues. Regulators inspected wallet segregation practices, access controls, logging and monitoring, and incident reporting processes. Analysts and compliance teams recommended minimizing hot wallet exposure through strict withdrawal ceilings and staged approvals, protecting privileged accounts with phishing-resistant authentication and just-in-time access, expanding continuous monitoring with automated quarantine triggers for suspicious withdrawals, and rehearsing withdrawal-halt incident response playbooks. 
Authorities and industry participants identified next steps to include official attribution updates from Korean law enforcement and regulators, timelines and staged plans for restoring deposits and withdrawals, publication of technical indicators of compromise, and potential supervisory guidance or enforcement actions that could redefine security baselines for exchanges.</p><p>Source: https://theweb3.news/crypto/upbit-hack-lazarus-probe/</p>","author_name":"theWeb3.news"}