South Korea confirms North Korea’s role in 2019 Upbit cryptocurrency theft

South Korea announced that North Korean hackers were responsible for stealing cryptocurrency worth 58 billion won (approximately $41.5 million) from the Upbit exchange in 2019.
The National Investigation Bureau of South Korea confirmed the involvement of the North Korean state-sponsored hacker groups Lazarus and Andariel.
Details of the theft and incidents
As a result of the attack in 2019, 342,000 Ethereum tokens were stolen, which at the time were worth 58 billion won, Yonhap reports. Due to the rapid rise in prices, the value of the stolen Ethereum assets is now estimated at 1.47 trillion won (approximately $1.06 billion). This is the first time South Korean investigative authorities have proven a connection between North Korea and a major cryptocurrency hacking incident, corroborating statements previously made within the organization and other developments.
South Korean police revealed North Korea's involvement by tracking IP addresses and cryptocurrency flows, analyzing messages containing North Korean linguistic patterns, and cooperating with the United States Federal Bureau of Investigation (FBI). These methods enabled authorities to establish a clear link to the North Korean regime. To prevent similar or repeat incidents, the authorities refrained from disclosing the methods used in extreme cases.
How the stolen funds were transferred and laundered
According to reports, North Korea sold 57% of the stolen Ethereum tokens on three cryptocurrency exchanges believed to be operated by the regime. The tokens were exchanged for investments at a price 2.5% below the market rate. The remaining Ethereum tokens were distributed across 51 foreign exchanges and subsequently laundered to conceal their origins.
In 2020, part of the stolen cryptocurrency was discovered on a Swiss exchange. After four years of proceedings and evidence-sharing with Swiss prosecutors, South Korean police successfully recovered 4.8 discoveries, which were returned to Upbit in October 2024.
Broader consequences
The disclosure points to North Korea's sophisticated cybercrime capabilities, which have become a crucial source of income for the country under sanctions. Experts believe that such operations fund weapons programs and other illicit activities.
Furthermore, these incidents underscore the need for closer international cooperation to combat the growing threat of state-sponsored cybercrime. The successful return of part of the assets by South Korea also creates a precedent for further tracking and recovery of stolen cryptocurrencies.
Earlier, it was reported that the North Korean Lazarus group might be involved in the DMM Bitcoin hack worth $305 million.