Upbit hack
In November 2019, 342,000 ETH (~$41.5M at the time) was stolen from South Korean exchange Upbit. In November 2024 South Korea's National Police Agency officially attributed the theft to North Korea's Lazarus and Andariel groups — its first such attribution of an exchange hack.
Also known as: Upbit hack, Upbit Ethereum theft
On attribution: The North Korea attribution is that of South Korea's National Police Agency (announced Nov 2024), supported by the FBI; cyber-attribution is rarely 100% certain.
Summary
On November 27, 2019, about 342,000 ether — worth roughly 58 billion won (~$41.5 million) at the time — was abnormally transferred out of the South Korean cryptocurrency exchange Upbit. [1][2]
Attribution
In November 2024, South Korea's National Police Agency announced that North Korea's state-sponsored Lazarus and Andariel groups (both under the Reconnaissance General Bureau) carried out the theft. Police said they reached the conclusion using North Korean IP addresses, cryptocurrency flow analysis, traces of North Korean vocabulary, and material obtained with the FBI's help. It was the first time a South Korean agency officially attributed a crypto-exchange hack to North Korea. [1][2]
Laundering and partial recovery
Police said about 57% of the stolen ether was swapped for bitcoin at a slight discount through three exchange sites believed to have been set up by North Korea, with the remainder distributed across 51 overseas exchanges. After a multi-year legal process, roughly 4.8 BTC was recovered from a Swiss exchange and returned to Upbit. [1][2]
Bracketed numbers refer to the numbered sources listed below.
People & entities involved
- Lazarus Group (Attributed actor; Organizations & groups): The most widely used name for North Korea's state-sponsored hacking apparatus, run under its Reconnaissance General Bureau. Blamed for the Sony hack, the Bangladesh Bank SWIFT heist, WannaCry, and — since ~2017 — many of the largest crypto thefts ever. Chainalysis puts DPRK's cumulative crypto haul near $6.75B, used to fund the regime's weapons programs.
- Andariel (Attributed actor; Organizations & groups): A North Korea-linked RGB unit (Lazarus umbrella) that blends cyber-espionage with revenue generation. The U.S. sanctioned it in 2019 and, in 2024, indicted member Rim Jong Hyok for deploying Maui ransomware against U.S. hospitals and laundering the proceeds to fund further espionage.
Sources (2)
1. S. Korea confirms N. Korea stole 58 bln won worth of cryptocurrency in 2019 — Yonhap News Agency
2. North Korea confirmed perpetrator of 2019 Upbit crypto theft — Korea JoongAng Daily
See also
- Loci (LOCIcoin) (category: Tokens): A 2017–2018 ICO for 'LOCIcoin' tied to the InnVenn IP-search platform. The SEC charged Loci and CEO John Wise with fraud for raising $7.6M on false claims about revenue, headcount, and user base; Wise also misused investor funds. Settled with a $7.6M penalty and an officer/director bar.
- Blockchain Terminal (BCT) (category: Tokens): A 2017–2018 ICO (BCT tokens, ~$30M) for a 'Blockchain Terminal' — a Bloomberg-style crypto trading terminal. The SEC and DOJ said convicted ex-hedge-funder Boaz Manor secretly ran it under a fake identity ('Shaun MacDonald'), using associate Edith Pardo as a front, and lied about the product's adoption.
- Crowd Machine (CMCT) (category: Tokens)
This page was last updated on Jun 8, 2026.