According to South Korean investigators, the Upbit cryptocurrency heist that resulted in the theft of $50 million worth of Ethereum in 2019 was carried out by North Korean hacker groups Lazarus and Andariel, which are related to the Reconnaissance General Bureau, the leading intelligence organization within the DPRK.
There are three months left until the 5th anniversary of the attack on Upbit, one of South Korea's leading crypto exchanges and among the largest in the world.
An amount of 342,000 Ethereum, valued at approximately $147 per ether, was stolen from the exchange's hot wallet during the incident. At the current exchange rate, the stolen stash would be worth around 1.47 trillion won today, or about $1.04 billion. A hot wallet is constantly connected to the internet as part of its operational function, and that connection makes it more exposed to cyberattacks than a cold wallet.
To evade detection, hackers frequently spread stolen assets across multiple blockchain wallets, a common method for obscuring the trail of stolen funds. Withdrawals and deposits were immediately suspended, the exchange's remaining funds were secured, and users were reassured that the company would fully compensate their losses.
The Upbit hack has highlighted the important role that international collaboration plays in reducing state-sponsored cybercrime in the cryptocurrency sector. Governments, industry leaders, and cybersecurity firms need to come together and establish a global framework for protecting digital assets and pursuing those who seek to harm them.
In the summer of 2018, hackers succeeded in infiltrating Upbit's hot wallet and transferred approximately 342,000 ETH (at the time worth 8.5 billion won or around USD 7 million) to a wallet they controlled.
In the wake of this breach, the security of centralized exchanges and the protocols they use to protect their users' digital assets was immediately raised as a concern. Despite their convenience for instant transactions, hot wallets are more vulnerable to cyberattacks because they are connected to the Internet.
The incident at Upbit made it apparent how dangerous these storage solutions can be in the long run.
Upbit responded swiftly: as soon as the hack was discovered, it moved the remaining user funds to cold wallets, offline storage solutions that are considerably more difficult to breach. This proactive action prevented further losses and demonstrated that the exchange was prepared for situations like this.
Upbit took steps to protect its users from further loss as soon as the breach was detected, providing a detailed account of the extent of the loss and the steps being taken to resolve the matter. This transparency helped maintain users' trust during the crisis.
Several investigative agencies, including the National Intelligence Service (NIS) of South Korea and other intelligence agencies, have confirmed North Korea's involvement in the attack after an extensive investigation.
It appears that the hackers infiltrated Upbit's systems using sophisticated phishing tactics, social engineering, and advanced malware techniques to compromise its sensitive data.
The Lazarus Group, also known as LG Group, is one of the most infamous cybercrime groups linked to North Korea. With at least ten years of cyber experience, the group has gained notoriety for a wide array of activities, including hacking, data theft, and espionage.
The group is believed to finance North Korea's nuclear and weapons programs through these activities, circumventing international sanctions.
There is a strong suspicion that the breach was the work of North Korea's Lazarus Group, which is notorious for its cyber espionage and financial theft operations. Among its most high-profile attacks are the WannaCry ransomware attack in 2017 and the Bangladesh Bank heist in 2016.
The group has been linked to several high-profile hacking attacks.
Fifty-seven percent (57%) of the stolen Ethereum was sold at a 2.5% discount on three exchanges run by the North Korean government, and the remainder was laundered through 51 overseas exchanges of this type. Cryptocurrency exchanges in Switzerland have been holding some of the stolen Ethereum in the form of Bitcoin. 4.8 Bitcoin, valued at nearly 600 million won, were found by the South Korean authorities after four years of legal proceedings.
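The multi-wallet layering described above (splitting stolen funds across intermediary wallets before they reach exchanges) is what investigators unwind with taint tracing. The following is an added illustration, not code from the article or from any investigating agency: it runs a simple "poison" taint heuristic (any address that receives funds from the compromised wallet, directly or through intermediaries, is marked) over a constructed transfer list with placeholder address labels, and reports how much tainted ETH reached each watchlisted exchange deposit address.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real Upbit transaction data):
# (from_address, to_address, amount_eth). Labels are placeholders, not on-chain addresses.
SAMPLE_TRANSFERS = [
    ("upbit_hot", "hop_a", 200_000.0),
    ("upbit_hot", "hop_b", 142_000.0),
    ("hop_a", "hop_a1", 100_000.0),
    ("hop_a", "hop_a2", 100_000.0),
    ("hop_b", "hop_b1", 142_000.0),
    ("hop_a1", "exchange_x", 100_000.0),
    ("hop_b1", "exchange_y", 70_000.0),
    ("unrelated", "exchange_x", 5_000.0),  # clean funds; must not be flagged
]


def trace_taint(transfers, origin):
    """Breadth-first 'poison' tracing: every address that receives funds from
    the origin, directly or via intermediaries, is tainted. Returns a mapping
    of tainted address -> hop count at which it was first reached."""
    out_edges = defaultdict(list)
    for src, dst, amt in transfers:
        out_edges[src].append((dst, amt))
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for dst, _ in out_edges[cur]:
            if dst not in hops:  # first time we reach this address
                hops[dst] = hops[cur] + 1
                queue.append(dst)
    return hops


def tainted_inflow(transfers, hops, watchlist):
    """Sum the tainted ETH that landed on each watchlisted address (e.g. an
    exchange deposit address), ignoring transfers from untainted sources."""
    totals = defaultdict(float)
    for src, dst, amt in transfers:
        if dst in watchlist and src in hops:
            totals[dst] += amt
    return dict(totals)


if __name__ == "__main__":
    taint = trace_taint(SAMPLE_TRANSFERS, "upbit_hot")
    print(taint)
    print(tainted_inflow(SAMPLE_TRANSFERS, taint, {"exchange_x", "exchange_y"}))
```

Poison tainting over-approximates (one tainted input taints a whole address), which is why real investigations refine it with per-transaction heuristics such as FIFO or proportional ("haircut") attribution.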
The Bitcoins were returned to Upbit in October 2024 after a four-year legal procedure.
Police are withholding details of the North Korean hacking operation's techniques to prevent copycat crimes, but they emphasize that the operation was unprecedented in scope and sophistication.
At the same time, the Financial Intelligence Unit (FIU) of the Republic of Korea is investigating Upbit's operations in light of issues related to possible non-compliance with KYC regulations.
Reports suggest that there were 500,000 to 600,000 cases in which the exchange failed to verify customer identity because of problems with identification documents and incomplete information provided by the customer. Should regulators confirm these lapses, they may take action against the company.
Through years of experience and ongoing research, the Lazarus Group and similar outfits have refined their methods for targeting prominent crypto platforms across the globe.
One instance of the group's involvement was the hacking of the Indian exchange WazirX, in which $230 million was stolen.
Even though international sanctions have been placed on the North Korean government and efforts have been made to shut down its operations, the country persistently exploits crypto vulnerabilities through a variety of techniques.
These groups are estimated to have stolen over $7 billion in crypto over the past seven years, a great deal of which was used to fund North Korea's nuclear weapons program.
Andariel is another cybercriminal group operating under the aegis of North Korea's Reconnaissance General Bureau; it functions as a subdivision of the notorious Lazarus Group and is known for its high level of sophistication.
In addition to financial cyberattacks, Andariel is also known for hacking banks, ATMs, cryptocurrency platforms, and other online platforms.
The group's operations are considered a major part of North Korea's illicit revenue generation efforts, with most of its activities focused on circumventing international sanctions.
Using advanced malware and hacking techniques, the group has penetrated networks and stolen financial assets.
In contrast to the Lazarus Group, which is recognized for its large-scale cyber campaigns often tied to political agendas, Andariel follows a more precise and profit-driven approach.
Rather than pursuing widespread disruption or ideological objectives, Andariel focuses on carefully selected targets to maximize financial rewards. Their operations are characterized by calculated tactics designed to exploit specific weaknesses for economic gain. This differentiation underscores the varied methodologies employed by cyber actors, even within the same network, each aligning their activities to distinct priorities and outcomes.