According to local media reports, South Korea has confirmed that North Korea was behind the theft of 342,000 Ethereum (ETH) tokens. In 2019, these assets, worth around 58 billion won or $415 million, were stolen from the Upbit cryptocurrency exchange.
The theft of the tokens, currently valued at 1.47 trillion won, is one of the largest cryptocurrency heists carried out by North Korea.
North Korea's Involvement Revealed
The domestic news agency Yonhap News reported that the National Police Agency's National Investigation Headquarters announced on November 21 that the North Korean hacking groups Lazarus and Andariel were behind the attack. The two groups are known to be affiliated with North Korea's Reconnaissance General Bureau, a state agency involved in cyber espionage and financial crimes.
Investigators relied on digital forensics, including tracing IP addresses and analyzing the flow of the stolen cryptocurrency. Linguistic traces of North Korean vocabulary were also found during the investigation.
"Traces of the North Korean term 'heulhan il' (meaning an unimportant problem) were found on the computers used in the attack at the time," another local Korean media outlet confirmed.
These linguistic footprints and other technical evidence strengthened the suspicion against North Korea. According to the report, the U.S. Federal Bureau of Investigation (FBI) also assisted in the investigation, providing additional evidence linking the attack to North Korea.
After the theft, the perpetrators exchanged 57% of the stolen Ethereum for Bitcoin on three cryptocurrency exchanges believed to be operated by North Korea. These transactions were made at a 2.5% discount from the market value, likely to facilitate a quick sale. The remaining Ethereum was then dispersed across 51 overseas exchanges to obfuscate the origin.
In 2020, some of the stolen cryptocurrency was identified at a Swiss cryptocurrency exchange. After four years of efforts to prove its origin, the Korean authorities recovered 4.8 Bitcoin (BTC), worth around 600 million won, which was returned to Upbit in October 2024.
Will the Same Happen Again?
North Korea's involvement in cryptocurrency crimes is not new. Following a series of reports, authorities have noted a change in tactics. As recently reported by BeInCrypto, hackers associated with the regime are increasingly targeting cryptocurrency firms with more sophisticated methods, such as phishing campaigns and supply chain attacks.
"The campaign we've dubbed 'Hidden Risk' uses emails spreading fake news about crypto trends to deliver a malicious application disguised as a PDF file to infect targets," a recent report was quoted as saying.
These tactical changes underscore the urgency for strengthened cybersecurity measures across the industry. Nevertheless, the confirmation of North Korea's involvement in the 2019 Upbit hack represents an important development.
While the United Nations (UN) and foreign governments have previously accused North Korea of funding weapons programs through cryptocurrency theft, this is the first time South Korean authorities have officially linked the regime to a major cryptocurrency heist. This case highlights the dual vulnerabilities facing the cryptocurrency industry: external threats from state-sponsored hackers and internal risks related to insufficient regulatory compliance.
Regarding the latter, as reported by BeInCrypto, South Korea's Financial Intelligence Unit recently raised concerns about inadequate customer verification systems, flagging over 600,000 potential know-your-customer (KYC) violations at Upbit.
The discovery of widespread KYC violations at Upbit raises questions about the exchange's efforts to prevent illicit activities. Improved oversight and the implementation of stricter anti-money laundering (AML) measures could help deter future attacks and ensure a safer trading environment for investors.
The exchange also faces an antitrust investigation by the Korea Fair Trade Commission, which is examining the potential abuse of market dominance.