TLDR
- Lazarus Group is suspected in the $30M Upbit hack, in which the stolen funds were laundered across multiple chains.
- Hack occurred hours after Dunamu’s $10.3B merger announcement with Naver.
- Dunamu fined $26.5M and faces 3-month suspension for regulatory breaches.
- 185 wallets were used to launder Solana tokens into ETH in a rapid swap.
South Korean authorities suspect North Korea’s Lazarus Group of carrying out a $30 million cryptocurrency theft from Upbit. The attack occurred on November 27 and used advanced cross-chain laundering methods. It coincided with Dunamu, Upbit’s parent company, announcing a $10.3 billion merger with tech firm Naver.
The Financial Intelligence Unit (FIU) and Korea Internet & Security Agency (KISA) launched emergency inspections at Dunamu’s headquarters. Authorities are examining whether internal controls failed. Dunamu paused deposits and withdrawals on Upbit and pledged to fully reimburse affected customers.
Multi-Chain Laundering Points to Lazarus Group
The attacker moved funds quickly across blockchains to avoid detection. On-chain analysis revealed the use of Solana-based tokens, which were converted into Wrapped Solana and SOL. The attacker then dispersed the funds across 185 wallets.
Afterward, stolen assets were bridged to Ethereum and converted into ETH. Over $1.6 million was gained from Upbit’s hot wallet alone. Authorities said the method resembled Lazarus Group’s tactics in a 2019 Upbit hack. That incident also involved hot-wallet exploits and took years to resolve.
A blockchain analyst tracking the movements in real time reported that bridging via Allbridge created arbitrage opportunities due to thin liquidity. Transfers were split into smaller amounts of $200,000 to $300,000 to attract less attention, but the activity still left visible on-chain traces.
Regulatory Sanctions Heighten Merger Uncertainty
Earlier in November, the FIU imposed a record 35.2 billion KRW ($26.5 million) fine on Dunamu. The exchange operator failed customer due diligence checks over 5 million times and did not block over 3 million unauthorized transactions. It also failed to report 15 suspicious transactions as required.
Nine executives were reprimanded, and the FIU enforced a three-month partial business suspension. Dunamu appealed the ruling, and the legal process is ongoing. As a result, VASP license renewals remain frozen for all major South Korean exchanges.
The renewal freeze has lasted over a year and affects platforms trading in Korean won. Authorities are now reviewing Dunamu’s eligibility for renewal, which may delay or restrict the proposed merger with Naver.
$10.3B Merger Faces Delays Amid Investigations
Dunamu and Naver announced their $10.3 billion all-stock merger on November 27, the same day as the hack. The deal includes issuing 87.56 million new Naver shares and aims to build a next-generation financial infrastructure. This includes launching a KRW-backed stablecoin and expanding into global markets.
Executives said the merged company would integrate blockchain and AI to build international payment systems. Naver’s platform, including Line Messenger, was expected to help scale the business abroad.
However, the breach has added regulatory pressure. Authorities are now reviewing whether Dunamu had adequate security protocols. If internal failures are confirmed, additional sanctions may follow, which could affect both the merger and VASP renewal.
If Lazarus Group’s involvement is officially confirmed, Dunamu may receive exemptions, as in 2019. That case, however, took five years for authorities to close. A similar timeline may apply here, putting the merger’s timing in doubt.





