In a chilling déjà-vu attack that’s rocking South Korea’s crypto fortress, the infamous North Korean state-sponsored Lazarus Group is the prime suspect behind the $32 million hot-wallet heist that hit Upbit on November 27, 2025, with on-chain forensics already tracing the stolen funds through the same laundering playbook used in the $625M Ronin bridge exploit and the $100M Harmony attack.
The breach, confirmed at 04:42 KST, drained 15 different Solana-based tokens including BONK, MEW, Moodeng, TRUMP, JUP, RAY, PYTH, and ORCA, plus smaller amounts of RNDR and USDC. Within minutes, $8.2 million worth of LAYER tokens were frozen on-chain after Solana developers and exchanges activated emergency blacklists. Yet the remaining ~$24 million was rapidly funneled through cross-chain bridges into Ethereum, swapped into ETH, and scattered across 200+ fresh wallets, classic Lazarus TTPs according to blockchain intel firms Elliptic and Chainalysis.
South Korean authorities and the U.S. Treasury’s OFAC are treating this as a national-security incident. A joint statement from Upbit and Dunamu (Upbit’s parent) promised full reimbursement from corporate funds, with CEO Lee Sirgoo vowing “zero damage to users.” Trading, deposits, and withdrawals remain suspended across the entire platform as auditors comb every hot wallet.
The smoking gun? The attacker’s Ethereum mixer cluster matches addresses sanctioned in 2022 for laundering Axie Infinity’s $625M, while the timing aligns with Pyongyang’s desperate need for hard currency amid new UN sanctions. ZachXBT dropped the bombshell thread at dawn: “Same infrastructure, same jump chains, same sleeper wallets activated after 18 months. This is 100% Lazarus.”
Market impact was sharp but short-lived: Solana dipped 4% before rebounding, BONK and other raided memecoins bled 8–12%, yet BTC and ETH barely blinked. Upbit’s native token DUN didn’t even exist to dump, sparing a second wave of panic.
For the industry, it’s a grim milestone: 2025 hack damages now exceed $2.8 billion, with state actors responsible for over 60%. The silver lining? Response times are shrinking, $8M+ frozen in under three hours proves coordination is improving.
As one Korean trader raged on X, “We literally fund their nukes every time we leave coins in hot wallets.” Lazarus just cashed another paycheck, and the crypto world is once again reminded: in this game, nation-states play for keeps.
Want more breaking stories like this every single day?
Head straight to the homepage of www.Token10x.com and www.Token10x.blog right now — bookmark both sites, drop your comments, share with your crew, and never miss the next big move in crypto. See you there! 🚀