
Six Years Later, on the Same Day, Another Theft: Upbit Becomes Core of South Korea's "On-Chain Battlefield"

2025-11-27 15:49
The multiple hacking incidents at Upbit have exposed that South Korean exchanges are facing sustained, high-intensity attacks from North Korea-backed hackers. This situation is closely related to Kimchi premium, geopolitics, and the structural security risks of the cryptocurrency industry.
Original Article Title: "Kimchi Premium vs. Nation-State Hacker, Inter-Korean Shadow Conflict After Multiple Upbit Hacks"
Original Source: Deep Tide TechFlow


The market has rebounded, but the trading platform has been hacked again.


On November 27, South Korea's largest cryptocurrency exchange, Upbit, confirmed a security breach that resulted in the loss of approximately 54 billion South Korean Won (about $36.8 million).


At 04:42 on November 27, Seoul time, while most Korean traders were still asleep, abnormal large-scale fund outflows were detected from Upbit's Solana hot wallet address.


According to on-chain monitoring data from security firms such as SlowMist, the attacker did not move a single asset but swept Upbit's holdings on the Solana blockchain in "wipeout" style.


The stolen assets not only included core tokens SOL and stablecoin USDC, but also covered almost all mainstream SPL standard tokens within the Solana ecosystem.



Stolen Asset List (Partial):


· DeFi/Infrastructure: JUP (Jupiter), RAY (Raydium), PYTH (Pyth Network), JTO (Jito), RENDER, IO, etc.


· Meme/Community: BONK, WIF, MOODENG, PENGU, MEW, TRUMP, etc.


· Other Projects: ACS, DRIFT, ZETA, SONIC, etc.


This sweep-everything pattern indicates that the attacker most likely obtained the private key of Upbit's Solana hot wallet or directly compromised the signing server; either would allow authorized transfers of every SPL token held by that wallet.
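The indicator just described (many different token mints leaving one hot wallet to the same destination within minutes) is something an exchange's own monitoring can alert on before the last token is gone. The following is an added example, not Upbit's or SlowMist's code; it runs over a constructed set of transfers with placeholder wallet names and flags a sweep when a single destination receives at least four distinct mints and accounts for most of the wallet's outflows in a five-minute window:

```python
"""Hot-wallet sweep detector.

Added example (not Upbit's or SlowMist's code). It flags the indicator
described above: many distinct token mints leaving one hot wallet to the
same destination within a short window, which points to a compromised
signing key or signing server rather than a single mis-sent transfer.
All wallet names and transfers below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample outflows: (ISO timestamp, source, destination, token, amount).
SAMPLE_TRANSFERS = [
    ("2025-11-27T04:40:10", "HOT_WALLET_A", "USER_1", "SOL", 12.5),
    ("2025-11-27T04:42:01", "HOT_WALLET_A", "ATTACKER_X", "SOL", 18000.0),
    ("2025-11-27T04:42:05", "HOT_WALLET_A", "ATTACKER_X", "USDC", 4100000.0),
    ("2025-11-27T04:42:09", "HOT_WALLET_A", "ATTACKER_X", "JUP", 900000.0),
    ("2025-11-27T04:42:14", "HOT_WALLET_A", "ATTACKER_X", "RAY", 250000.0),
    ("2025-11-27T04:42:20", "HOT_WALLET_A", "ATTACKER_X", "BONK", 9.0e11),
    ("2025-11-27T04:42:31", "HOT_WALLET_A", "ATTACKER_X", "WIF", 300000.0),
    # A second hot wallet doing ordinary user withdrawals: must not alert.
    ("2025-11-27T04:50:00", "HOT_WALLET_B", "USER_2", "USDC", 500.0),
    ("2025-11-27T04:51:00", "HOT_WALLET_B", "USER_3", "SOL", 3.0),
    ("2025-11-27T04:52:00", "HOT_WALLET_B", "USER_4", "JUP", 40.0),
]


def detect_sweeps(transfers, window=timedelta(minutes=5), min_mints=4, min_share=0.8):
    """Return one alert per (source, destination) pair whose outflows within
    some `window`-long span cover at least `min_mints` distinct tokens and
    make up at least `min_share` of the source's transfers in that span.
    """
    rows = sorted(
        (datetime.fromisoformat(ts), src, dst, tok, amt)
        for ts, src, dst, tok, amt in transfers
    )
    by_source = defaultdict(list)
    for row in rows:
        by_source[row[1]].append(row)

    best = {}  # (source, dest) -> the strongest alert seen for that pair
    for source, outs in by_source.items():
        for i, anchor in enumerate(outs):
            # Sliding window starting at each outflow; outs is time-sorted.
            span = [r for r in outs[i:] if r[0] - anchor[0] <= window]
            mints_by_dest = defaultdict(set)
            for _, _, dest, tok, _ in span:
                mints_by_dest[dest].add(tok)
            for dest, mints in mints_by_dest.items():
                share = sum(1 for r in span if r[2] == dest) / len(span)
                if len(mints) < min_mints or share < min_share:
                    continue
                alert = {
                    "source": source,
                    "destination": dest,
                    "window_start": anchor[0].isoformat(),
                    "mints": sorted(mints),
                    "share_of_outflows": round(share, 3),
                }
                key = (source, dest)
                prev = best.get(key)
                if prev is None or (len(mints), share) > (len(prev["mints"]), prev["share_of_outflows"]):
                    best[key] = alert
    return list(best.values())


if __name__ == "__main__":
    for a in detect_sweeps(SAMPLE_TRANSFERS):
        print(f"ALERT {a['source']} -> {a['destination']}: "
              f"{len(a['mints'])} token mints swept from {a['window_start']}")
```

On the constructed data the detector raises exactly one alert, for HOT_WALLET_A draining six mints to ATTACKER_X starting at 04:42:01, and stays silent on the second wallet's routine withdrawals. The thresholds are deliberately simple; in production the rule would sit beside withdrawal-limit checks and a kill switch that pauses the signer, since the point is to act while the sweep is still in progress.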


For Upbit, a giant of the South Korean market with an 80% market share that prides itself on holding the highest security level certification from the Korea Internet & Security Agency (KISA), this is undoubtedly a painful "breach".


However, this is not the first time a South Korean exchange has been hacked.


Zooming out on the timeline shows that the South Korean crypto market has been under sustained attack by hackers, especially North Korean hackers, for the past eight years.


The South Korean crypto market is not only the wildest retail investor gambling den globally but also the most convenient "ATM" for North Korean hackers.


Eight Years of Inter-Korea Cyber Battles, a History of Hacks


From early brute-force attacks to later social engineering penetrations, the attack methods have continuously evolved, extending the suffering history of South Korean exchanges.



Aggregate Loss: Approximately $200 million (based on the value at the time of the hack; if calculated at current prices, it exceeds $1.2 billion, of which only the 342,000 ETH stolen from Upbit in 2019 is now worth over $1 billion)


· 2017: Wild West Era, Hackers Target Employee Computers


2017 marked the beginning of the crypto bull market, as well as the start of a nightmare for South Korean exchanges.


That year, South Korea's largest exchange, Bithumb, was the first to fall victim. In June, hackers breached a Bithumb employee's personal computer, stealing personal information from around 31,000 users. They then used this data to launch targeted phishing attacks against users, making off with about $32 million. A subsequent investigation revealed that the employee's computer stored unencrypted customer data, and the company had not even installed basic security update software.


This exposed the rudimentary state of security management at South Korean exchanges at the time, with even the basic common sense rule of "do not store customer data on personal computers" not being followed.


More emblematic was the downfall of the mid-sized exchange Youbit. This exchange suffered two devastating blows within a year: losing nearly 4,000 bitcoins (about $5 million) in April and then being robbed of 17% of its assets in December. Overwhelmed, Youbit declared bankruptcy, with users only able to withdraw 75% of their balances immediately, while the remainder had to wait for a lengthy bankruptcy settlement.


Following the Youbit incident, the Korea Internet & Security Agency (KISA) publicly accused North Korea of being the mastermind behind the attacks for the first time. This also sent a signal to the market:


Today, cryptocurrency exchanges are no longer facing ordinary network thieves, but rather state-sponsored hacker groups with geopolitical motives.



· 2018: The Great Hot Wallet Robbery


In June 2018, the South Korean market witnessed a series of devastating events.


On June 10, the mid-sized exchange Coinrail was attacked, resulting in a loss of over $40 million. Unlike previous attacks, this time the hackers primarily targeted hot ICO tokens of the time (such as Pundi X's NPXS) rather than Bitcoin or Ethereum. Following the news, the price of Bitcoin experienced a short-lived drop of over 10%, causing the entire crypto market to lose over $40 billion in market capitalization within two days.


Just ten days later, South Korea's flagship exchange Bithumb also fell victim, with around $31 million worth of XRP and other tokens stolen from its hot wallet. Ironically, a few days before the attack, Bithumb had announced on Twitter that they were "transferring assets to a cold wallet to upgrade the security system."


This marked the third time Bithumb had been "visited" by hackers in a year and a half.


The consecutive blows significantly undermined market confidence. Following the incidents, South Korea's Ministry of Technology conducted security inspections on 21 domestic exchanges, revealing that only 7 of them passed all 85 checks, while the remaining 14 were deemed "potentially exposed to the risk of hacking at any time," with 12 of them having serious vulnerabilities in cold wallet management.


· 2019: The Theft of 342,000 ETH from Upbit


On November 27, 2019, South Korea's largest exchange, Upbit, experienced the largest single theft in the country's history at that time.


The hackers exploited a gap in the exchange's wallet management to move 342,000 ETH in a single transaction. Instead of immediately dumping the stolen ETH, they employed a "Peel Chain" technique to break down the funds into numerous small transactions, layer by layer, eventually flowing into dozens of non-KYC exchanges and mixers.


An investigation revealed that 57% of the stolen ETH was exchanged at a less than 2.5% discount compared to market price on platforms suspected to be operated by North Korea, while the remaining 43% was laundered through 51 exchanges in 13 countries.


It wasn't until November 2024, five years later, that South Korean authorities officially confirmed the involvement of North Korean hacker groups Lazarus Group and Andariel in the heist. Investigators identified the attackers through IP tracking, fund flow analysis, and the appearance of a North Korean-specific term, "흘한 일" (meaning "unimportant"), in the attack code.


The South Korean authorities collaborated with the U.S. FBI to trace assets, going through a four-year legal process. They finally recovered 4.8 bitcoins (approximately 600 million KRW) from a Swiss exchange and returned them to Upbit in October 2024.


However, compared to the total amount stolen, this recovery is almost negligible.


· 2023: GDAC Incident


On April 9, 2023, the mid-sized exchange GDAC was attacked, losing about $13 million, which accounted for 23% of its total assets under custody.


The stolen assets included around 61 BTC, 350 ETH, 10 million WEMIX tokens, and 220,000 USDT. The hacker took control of GDAC's hot wallet and quickly laundered some of the funds through the Tornado Cash mixer.


· 2025: Upbit Falls Victim Again on the Same Day, Six Years Later


On the same day six years later (November 27), Upbit suffered a loss of 342,000 ETH.


History repeated itself. At 4:42 in the morning, unusual fund outflows were detected from Upbit's Solana hot wallet, with approximately 54 billion KRW ($36.8 million) of assets being transferred to an unknown address.


Following the Upbit incident in 2019, South Korea officially implemented the Specific Financial Information Act (Special Act). This required all exchanges to obtain ISMS (Information Security Management System) certification and open real-name bank accounts. Many small exchanges that could not meet the requirements were forced to exit the market, consolidating a crowded field of contenders into a few dominant players. Backed by the Kakao group's resources and endorsement, Upbit's market share once exceeded 80%.


However, even after six years of regulatory development, Upbit could not evade this crisis.


At the time of writing, Upbit has announced that it will fully compensate user losses with its own assets. However, official details about the attacker's identity and the specific attack vector have not been disclosed.


Kimchi Premium, Nation-State Hackers, and Nuclear Weapons


The frequent thefts from South Korean exchanges are not simply due to technical incompetence but a tragic projection of geopolitics.


In a highly centralized market with significant liquidity premiums and a geographically unique position, South Korean exchanges are essentially using a commercial company's security budget to defend against a nation-state hacker group with nuclear deterrence aspirations.


This military unit has a name: Lazarus Group.



Lazarus is affiliated with the Reconnaissance General Bureau (RGB) of North Korea and is one of Pyongyang's most elite cyber warfare forces.


Before turning to cryptocurrency, they had already proven their capabilities in the traditional financial sector.


In 2014 they breached Sony Pictures; in 2016 they stole $81 million from the Bangladesh Central Bank; and in 2017 they orchestrated the WannaCry ransomware attack, which affected 150 countries.


Starting in 2017, Lazarus shifted its focus to the cryptocurrency sector. The reason is simple:


Compared to traditional banks, cryptocurrency exchanges have looser regulations, inconsistent security standards, and once successful, funds can be swiftly moved across borders via the blockchain, bypassing the international sanction system.


And South Korea happens to be the ideal hunting ground.


First, South Korea is a natural target in geopolitical conflicts. For North Korea, attacking South Korean companies not only brings financial gains but also creates chaos in the "enemy country," killing two birds with one stone.


Second, behind the Kimchi Premium is a rich funding source. South Korean retail investors' enthusiasm for cryptocurrency is well-known globally, and the essence of the premium is the imbalance between supply and demand, with a large amount of Korean won flowing in, chasing a limited supply of crypto assets.


This means that, over the long term, the hot wallets of South Korean exchanges hold far more liquidity than those in other markets. For hackers, this is a gold mine.


Third, they have a language advantage. Lazarus's attacks do not rely solely on technical brute force. They excel in social engineering, such as forging job recruitment information, sending phishing emails, and impersonating customer service to obtain verification codes.


With a shared language and culture, there is no language barrier between North and South Korea, significantly boosting the success rate of targeted phishing attacks against South Korean employees and users.


Where did the stolen money go? This may be the most intriguing part of the story.


According to a United Nations report and tracking by multiple blockchain analysis companies, the stolen cryptocurrency by Lazarus ultimately flowed into North Korea's nuclear weapons and ballistic missile program.


Previously, Reuters cited a confidential UN report stating that North Korea used stolen cryptocurrency funds to help finance its missile development programs.


In May 2023, White House Deputy National Security Advisor Anne Neuberger publicly stated that approximately 50% of North Korea's missile program funding comes from cyberattacks and cryptocurrency theft; this percentage has further increased from the "about one-third" she indicated in July 2022.


In other words, every time a South Korean exchange is hacked, it could indirectly contribute to the development of nuclear warheads across the 38th parallel.



At the same time, the money laundering process has become quite sophisticated: the stolen assets are first split into numerous small transactions using the "peel chain" technique, then passed through mixers (such as Tornado Cash and Sinbad) to obfuscate their source, then exchanged for Bitcoin at discounted prices on North Korea's self-built exchanges, and finally converted into fiat currency through underground channels in China and Russia.
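The peel chain described here and in the 2019 Upbit section is a pattern an investigator can walk mechanically: at each hop a small slice is peeled off to a cash-out address while the bulk moves on to a fresh address, so following the dominant outflow from the theft address recovers both the hop sequence and the list of deposits to chase with the receiving exchanges. The following tracer is an added example with a constructed ledger and placeholder addresses; it is not the Korean police's or any analytics vendor's tooling:

```python
"""Peel-chain tracer.

Added example (not the Korean police's or any analytics vendor's tooling).
It walks the laundering pattern described above: at each hop a small slice
is "peeled" off to a cash-out address and the bulk moves on to a fresh
address. Starting from a known theft address, the tracer follows the
dominant outflow hop by hop and collects the peeled amounts, which are the
deposits an investigator would take to the receiving exchanges.
All addresses and amounts are constructed placeholders (ETH units).
"""
from collections import defaultdict

# Constructed transfer ledger: (sender, receiver, amount).
SAMPLE_LEDGER = [
    ("THEFT_ADDR", "PEEL_1", 200.0),
    ("THEFT_ADDR", "HOP_1", 9800.0),
    ("HOP_1", "PEEL_2", 150.0),
    ("HOP_1", "HOP_2", 9650.0),
    ("HOP_2", "PEEL_3", 300.0),
    ("HOP_2", "HOP_3", 9350.0),
    ("HOP_3", "PEEL_4", 100.0),
    ("HOP_3", "HOP_4", 9250.0),
    # Unrelated activity that must not be pulled into the trace.
    ("USER_A", "USER_B", 5.0),
]


def trace_peel_chain(ledger, start, min_bulk_share=0.9, max_hops=100):
    """Follow the dominant outflow from `start` for as long as it carries at
    least `min_bulk_share` of each address's total outflow. Returns the hop
    sequence, the peeled-off deposits, and where the residual balance sits.
    """
    outflows = defaultdict(list)
    for sender, receiver, amount in ledger:
        outflows[sender].append((receiver, amount))

    chain = [start]
    peels = []          # (peeling address, cash-out address, amount)
    current = start
    residual_amount = None
    stop_reason = "max_hops"
    for _ in range(max_hops):
        outs = outflows.get(current, [])
        if not outs:
            stop_reason = "dormant"     # funds parked; nothing moved on yet
            break
        total = sum(amt for _, amt in outs)
        bulk_to, bulk_amt = max(outs, key=lambda o: o[1])
        if bulk_amt / total < min_bulk_share:
            stop_reason = "fan_out"     # a genuine split, not a peel: stop here
            break
        if bulk_to in chain:
            stop_reason = "cycle"       # funds returned to an earlier hop
            break
        peels.extend((current, to, amt) for to, amt in outs if to != bulk_to)
        residual_amount = bulk_amt
        current = bulk_to
        chain.append(current)

    return {
        "chain": chain,
        "peels": peels,
        "peeled_total": sum(p[2] for p in peels),
        "residual_holder": current,
        "residual_amount": residual_amount,
        "stop_reason": stop_reason,
    }


if __name__ == "__main__":
    result = trace_peel_chain(SAMPLE_LEDGER, "THEFT_ADDR")
    print(" -> ".join(result["chain"]), f"[{result['stop_reason']}]")
    for src, dst, amt in result["peels"]:
        print(f"  peel {amt:>8.1f} from {src} to {dst}")
    print(f"  residual {result['residual_amount']} parked at {result['residual_holder']}")
```

On the constructed ledger the trace runs THEFT_ADDR through four hops, collects 750 ETH of peeled deposits (the addresses an investigator would present to exchanges for KYC matching), and stops at a dormant address still holding 9,250 ETH. The `min_bulk_share` threshold is what separates a peel from an ordinary fan-out; raising it to 0.99 makes the tracer stop at the first hop, which is the kind of conservative setting an analyst might start with before widening the search.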


In 2019, when Upbit was hacked for 342,000 ETH, the South Korean police officially revealed that 57% of the stolen funds were exchanged for Bitcoin at prices 2.5% below market value on three exchanges suspected to be operated by North Korea, while the remaining 43% were laundered through 51 exchanges in 13 countries. The entire process took several years, and the majority of the funds have still not been recovered to this day.


This may be the fundamental dilemma that South Korean exchanges face:


On one side is Lazarus, a hacker group with state backing that can operate 24/7, with unlimited resources and budget; on the other side are commercial companies like Upbit and Bithumb.


Even the top exchanges that have gone through auditing find themselves powerless when facing a nation-state level, persistent threat.


Not Just a South Korean Issue


Eight years, over a dozen attacks, around $200 million in losses—viewing this solely as local news within the South Korean crypto industry would miss the bigger picture.


The experiences of South Korean exchanges are a prelude to the crypto industry's strategic game against nation-state adversaries.


While North Korea is the most prominent player, it is not the only one. Certain high-threat Russian groups have been linked to multiple DeFi attacks, Iranian hackers have targeted Israeli crypto companies, and North Korea has already expanded its battlefield globally, as seen in the $15 billion hit on Bybit in 2025, the $625 million attack on Ronin in 2022, with victims across continents.



The crypto industry faces a structural contradiction: however decentralized the chains are, value still has to pass through centralized entry points.


No matter how secure the chain itself is, users' assets ultimately have to flow through "throat" points such as exchanges, cross-chain bridges, and hot wallets.


These nodes control massive funds but are operated by companies with ordinary commercial budgets; for nation-state hackers, this makes them a highly efficient hunting ground.


The resources of the offensive and defensive sides are fundamentally unequal; Lazarus can fail a hundred times, while an exchange can only fail once.


The Kimchi Premium will continue to attract global arbitrageurs and local retail investors; Lazarus will not stop just because it has been exposed. The battle between South Korean exchanges and nation-state hackers is far from over.


Just hope that the next theft won't be your own money.



