
North Korean hackers strike again! The Lazarus Group steals 30.6 million, and South Korean exchanges suffer for the third time.

The notorious North Korean cybercrime group Lazarus is suspected of orchestrating a major crypto asset attack that resulted in losses of approximately $30.6 million for South Korea's largest cryptocurrency exchange. The exchange operator Dunamu confirmed that assets related to Solana worth 44.5 billion won were transferred to an unauthorized wallet on Thursday, and the company stated it would use its own reserves to fully compensate users.

North Korean Lazarus Group Suspected of $30.6 Million Hacker Attack

[Image: North Korean hackers attack South Korea's largest crypto exchange (Source: X)]

According to reports from the Korean news agency citing government and industry sources, there are signs that this attack may be linked to Lazarus, the same organization blamed for a previous intrusion, and authorities are preparing to conduct an on-site inspection of the exchange. This organization has previously been linked to crypto asset theft aimed at generating revenue for Pyongyang amid ongoing foreign exchange shortages. North Korea is facing severe international sanctions, and traditional channels for acquiring foreign exchange are extremely limited, making crypto asset theft an important source of funding.

The operator of South Korea's largest crypto exchange, Dunamu, confirmed that on Thursday, assets related to Solana worth 44.5 billion won were transferred to an unauthorized wallet. The company stated that it would use its own reserves to fully compensate users and quickly halted withdrawals and deposits while initiating an internal investigation. This rapid response and commitment to full compensation show that Dunamu is trying to minimize the damage to user confidence caused by this attack.

Investigators stated that the techniques used in this attack are very similar to those of the 2019 incident, when attackers reportedly stole Ethereum worth 58 billion Korean won from the same platform. Officials believe that the attacker may have bypassed core infrastructure by impersonating an administrator or infiltrating internal accounts in order to authorize withdrawals. This type of internal infiltration is very typical of Lazarus's attack patterns, indicating that the organization researched the target system in depth and prepared its penetration over a long period.

Security officials stated that the funds were quickly transferred through wallets associated with other platforms, indicating that someone was attempting to conceal transaction traces using the money laundering methods previously employed by Lazarus. One official stated: “This is their usual tactic, dispersing tokens across multiple networks to break the trace.”

Typical Attack Patterns of the Lazarus Group

Long-term Infiltration: Lurking for months or even years through social engineering or supply chain attacks.

Internal Permission Theft: Impersonating an administrator or compromising internal accounts to obtain withdrawal permissions.

Quick Transfer: Rapidly transferring funds to multiple wallets before being detected.

Cross-chain Money Laundering: Distributing tokens across multiple blockchain networks to break the trace.

Mixing Service: Using mixing protocols like Tornado Cash to further obscure the flow of funds.

Analysts point out that Lazarus has targeted prominent crypto asset platforms multiple times to maximize its influence and exposure, indicating that this attack may have been deliberately planned to capitalize on the public's heightened attention. The news value of an attack on South Korea's largest crypto exchange is extremely high, and this level of exposure could be a way for North Korea to showcase its cyber capabilities to the international community.

Dunamu promises full compensation and halts trading

Dunamu, the operator of South Korea's largest crypto exchange, confirmed that assets related to Solana worth 44.5 billion won (approximately $30.6 million) were transferred to an unauthorized wallet on Thursday. The company stated it would use its own reserves to fully compensate users and quickly halted withdrawals and deposits while initiating an internal investigation. This commitment to full compensation is uncommon in incidents involving hacks at crypto exchanges, demonstrating Dunamu's financial strength and responsibility towards its users.

Stopping withdrawals and deposits is a standard emergency measure aimed at preventing attackers from further transferring funds or exploiting system vulnerabilities. However, this halt can also cause inconvenience to normal users, who are unable to conduct transactions or withdraw funds. Dunamu needs to strike a balance between security investigations and resuming normal operations; prolonged downtime may lead to user loss to competing platforms.

Full compensation, while protecting user interests, poses a huge financial burden for Dunamu. The loss of $30.6 million, combined with potential costs for security upgrades, regulatory fines, and reputational damage, could result in total costs far exceeding the direct loss amount. This has also sparked discussions regarding the security reserves and insurance mechanisms of exchanges, questioning whether a single exchange can sustain the financial impact of such attacks in the long term.

Blockchain analysts tracked the flow of the stolen funds and reported it on social media. An unidentified attacker stole funds from several hot wallets of South Korea's largest crypto exchange and, after waiting for a period, began transferring the funds across chains. At some point, the attacker moved USDC from one chain to another through a bridge, making tracking extremely difficult.

Naver's acquisition timing raises questions

Just a day after Naver announced its plan to acquire Dunamu through a stock swap via its financial arm, the exchange suffered the breach, which made Naver the focus of national attention. This coincidence of timing has sparked various speculations: Is someone trying to sabotage the acquisition? Did insiders leak security vulnerability information? Or is it purely a coincidence?

Naver, as the largest internet company in South Korea, originally saw its acquisition plan for Dunamu as a milestone event for the integration of the crypto industry and traditional tech giants. However, the occurrence of a hacker attack may affect the acquisition valuation and terms negotiation. Naver may demand a reduction in the acquisition price or an increase in security clauses, while Dunamu needs to prove to Naver that it can improve its security measures.

At the same time, Naver Financial, the fintech company of South Korean internet giant Naver, is preparing to launch a stablecoin wallet in Busan, which is part of the city's ongoing efforts to build a blockchain-driven local economy. According to reports, Naver has completed the development of the wallet and is currently conducting final checks, with the official launch expected next month. The project is being developed in collaboration with the venture capital firm Hashed and the Busan Digital Asset Exchange (BDAN).

This business expansion plan has become even more sensitive following the attack. If Naver wants to establish credibility in the crypto field, it must prove that it can provide stronger security guarantees than the largest crypto exchange in Korea. This incident may prompt Naver to conduct more thorough security reviews and stress tests before launching its stablecoin wallet.

South Korea may restart sanctions against North Korean hackers

At the beginning of this month, South Korea indicated that following new measures taken by the United States to link North Korea's cryptocurrency theft activities to its weapons program funding, South Korea may reconsider its sanctions approach towards North Korea. South Korean Deputy Foreign Minister Choi Jong-kun stated that Seoul may “reconsider the sanctions measures if truly necessary,” and emphasized that it will closely coordinate with Washington to address North Korea's growing cyber and digital threats.

Kim stated: “If Pyongyang steals crypto assets, coordination between South Korea and the United States is crucial, as these crypto assets could be used to fund North Korea's nuclear and missile programs, posing a threat to our digital ecosystem.” This statement reveals the geopolitical dimension behind North Korean hacking attacks, which are not only an economic crime but also a national security threat.

According to estimates from the United Nations and the U.S. Department of the Treasury, the total amount of crypto assets stolen by North Korea through hacking has exceeded billions of dollars. These funds are used to evade international sanctions, maintain regime operations, and finance nuclear and missile programs. The Lazarus Group, as North Korea's most elite cyber unit, has targeted global entities, with attacks on both crypto exchanges and traditional financial institutions.

The loss of 30.6 million USD suffered by South Korea's largest crypto exchange is not the largest in the history of North Korean hacking attacks, but the timing of its occurrence after the announcement of Naver's acquisition plan, along with the technical similarities to the 2019 incident, complicates the investigation and attribution of this event. Whether the South Korean government will restart stricter sanctions and how the international community will enhance prevention against North Korean cyber threats will be the focus of future attention.

Last edited on 2025-11-28 06:47:24