North Korean Hacker Group Stealed 58 Billion Won in Ethereum from Upbit 5 Years Ago

The mastermind behind the 58 billion won Ethereum (ETH) theft incident that occurred at Upbit five years ago has been confirmed to be a North Korean.

On the 21st, the National Police Agency's National Investigation Headquarters revealed that the Upbit hacking incident that occurred in November 2019 was carried out by the hacker group 'Lazarus' and 'Andariel' belonging to the North Korean Reconnaissance General Bureau. The stolen 342,000 ETH was worth 58 billion won at the time, and is currently worth 1.47 trillion won.



The police explained that they confirmed the North Korean IP address, analyzed the flow of virtual asset transactions, and found traces of the use of North Korean vocabulary, and secured additional evidence through cooperation with the U.S. Federal Bureau of Investigation (FBI). In particular, the expression "a trivial matter (an unimportant matter)" in North Korean was found on the computer used for the hacking.

According to the investigation results, 57% of the stolen ETH was exchanged for BTC at a 2.5% lower price than the market price through 3 virtual asset exchange sites presumed to have been opened by North Korea. The remaining assets were dispersed to 51 overseas exchanges for money laundering.

The police discovered a portion of the stolen assets at a virtual asset exchange in Switzerland in October 2020, and after 4 years of international cooperation, they recovered about 6 million won worth of 4.8 BTC and returned it to Upbit in October last year.

This investigation result is the first case where a domestic investigative agency has officially confirmed North Korea's virtual asset hacking. However, the police decided not to disclose the specific attack methods in consideration of copycat crimes and recidivism concerns.

Reporter Yeri Do

yeri.do@decenter.kr