South Korean authorities have officially confirmed that the 2019 hack of the cryptocurrency exchange Upbit, in which 342,000 ETH (then valued at 58 billion won, approximately $41.5 million) was stolen, was carried out by the North Korean hacking groups Lazarus and Andariel.
Both groups are affiliated with North Korea's Reconnaissance General Bureau and are known for cybercrime conducted to fund the regime. This is the first time a South Korean investigative body has directly attributed a cryptocurrency theft of this scale to North Korea, although earlier UN and other international reports had already done so.
The stolen funds, now worth approximately 1.47 trillion won (over $1 billion), were laundered in several stages. Investigators found that 57% of the stolen ETH was swapped for Bitcoin through three exchanges believed to be operated by North Korea, sold at a discount to market price.
The remaining ETH was spread across 51 overseas exchanges to obscure its trail. A portion of the resulting Bitcoin was traced to a Swiss exchange, where South Korean authorities, working with Swiss prosecutors, recovered 4.8 BTC (valued at around 600 million won today) after years of legal proceedings.
The police attribution rested on a combination of blockchain analysis, IP address tracking, and linguistic artifacts: the malware deployed in the attack contained North Korean vocabulary, including the phrase "Heulhan Il" (meaning "a trivial task"). The investigation was conducted with support from the FBI, reflecting its cross-border nature.
Although the police did not reveal specific details of the hacking method to prevent copycat crimes, this case demonstrates North Korea’s growing reliance on cryptocurrency theft to fund its regime, circumventing international sanctions. Lazarus and Andariel have been involved in multiple high-profile cybercrimes globally, but this incident stands out as one of the largest confirmed thefts tied to the North Korean regime.
The Lazarus Group is a cybercrime organization linked to the North Korean government. Active since at least 2009, the group gained notoriety for its wide-ranging cyber activities, including hacking, espionage, and financial theft. The group’s operations are believed to fund North Korea’s nuclear and weapons programs, circumventing international sanctions.
Lazarus Group first came into the spotlight with major incidents like the Sony Pictures hack in 2014, attributed to its efforts to retaliate against the release of a movie critical of North Korea. It is also tied to the WannaCry ransomware attack in 2017, which affected computers worldwide, encrypting files and demanding payments in Bitcoin.
Using phishing, custom malware, and social engineering, the group has stolen billions of dollars in cryptocurrency. Its intrusions typically combine bespoke malware, exploitation of software vulnerabilities, and fabricated identities used to gain a foothold in target networks.
Andariel is another hacking group affiliated with North Korea's Reconnaissance General Bureau and is generally described as a subgroup of Lazarus.
Known primarily for financial cyberattacks, Andariel specializes in hacking banks, ATMs, and cryptocurrency platforms. The group’s operations are considered a key part of North Korea’s efforts to generate illicit revenue, with its activities largely focused on bypassing international sanctions.
The group has developed advanced malware and hacking techniques to infiltrate networks and steal financial assets. Unlike Lazarus, which often conducts large-scale attacks with geopolitical motives, Andariel’s operations are more targeted and financially driven.