A suspected Lazarus hack emptied Upbit’s hot wallet for 44.5 billion won on Nov. 27. Dunamu got a 35.2-billion-won FIU fine earlier in November A 10.3-billion-dollar Naver merger, plus KRW stablecoin plans, now fall under state review.
Hacker s drained Upbit’s hot wallet for 44.5 billion won (around 30 million dollars) on November 27. South Korean authorities, therefore, opened a case pointing to Lazarus, a North Korea-linked cyber group.
The methods resemble 2019 Upbit hot wallet compromise patterns, officials said.
As a result, Dunamu, Upbit’s parent firm, faced immediate FIU and KISA inspections.
At the same time, Dunamu froze all deposits and withdrawals on Upbit and started internal security checks. The company then said it is cooperating with analytics firms to trace wallets and freeze assets when possible.
Allbridge Liquidity Gaps Expose Upbit Hack’s Solana–Ethereum Trail
Upbit attackers first swapped 24 Solana ecosystem tokens into WSOL and SOL.
They then scattered assets across 185 wallets. Next, they bridged SOL to Ethereum through Allbridge and swapped into ETH.
After that, funds split into 185 cross-chain addresses and then into more than 185 Ethereum wallets in hours. The attacker finally held over 1.6 million dollars in ETH from one early batch of conversions.
Upbit Hack Arbitrage On Allbridge. Source: Trix on X
On Coinbase, Allbridge tagging data and Ethereum bridge records showed the ETH-bound routes.
Because swaps hit thin pools, 200,000 to 300,000-dollar batches left clear, public traces.
Thus, Solana-to-Ethereum paths via WSOL and wrapped SOL were visible to blockchain trackers.
FIU Slams Dunamu With Record Fine As VASP Renewal Stalls
Dunamu was already struggling with VASP license renewals before the Upbit breach.
Earlier in November, the FIU fined Dunamu 35.2 billion won (about 26.5 million dollars) for compliance violations.
Regulators documented that Dunamu missed mandatory customer due diligence 5.3 million times.
They also reported 3.3 million unblocked unauthorized transactions and 15 unreported suspicious activities. Consequently, the FIU ordered a three-month partial business suspension for Dunamu.
Dunamu then filed a formal appeal against the suspension. A trial for the Dunamu appeal is scheduled next week, FIU officials confirmed.
Since the FIU action, VASP renewals for all major KRW exchanges have been frozen for over a year. Upbit, therefore, continues to operate under an extended license, not a renewed VASP.
Under Korean rules, VASP renewals normally follow a three-year cycle, but the clock cannot restart until Dunamu sanctions clear.
As a result, the FIU and Dunamu dispute caused a market-wide pause impacting VASP licensing and exchange compliance reviews across South Korea.
Dunamu–Naver $10.3B Merger And KRW Stablecoin Plan Face Regulatory Scrutiny
The Upbit compromise reached regulators the same day Dunamu and Naver announced a merger. The 10.3-billion-dollar Dunamu–Naver merger was structured as an all-stock deal, issuing 87.56 million new Naver shares.
At a conference, Dunamu and Naver executives also said they want to launch a KRW-backed stablecoin to meet domestic payment needs. They framed stablecoin issuance under the future entity as part of a wider Asia plan.
They also pointed to Line Messenger as a distribution channel for regional users once the merger closes. However, active probes into Upbit security and Dunamu regulatory breaches, therefore, triggered merger review flags inside South Korean financial oversight divisions.
Regulators are evaluating Upbit internal control logs, Dunamu VASP compliance, Ethereum bridge telemetry, and Solana wallet origination data together.
Thus, the Upbit and Dunamu cases now move in parallel. Additionally, the combined firm’s proposal for a KRW stablecoin will be reviewed against prior FIU findings, Dunamu VASP status, and Ethereum and Solana laundering evidence tied to the Upbit breach.
Regulators Probe Lazarus Links As Upbit VASP Freeze Drags On
South Korean agencies want proof on several points. They want to know if Upbit hot wallet keys were externally breached or internally mishandled.
They are also mapping whether Lazarus wallet clusters on Ethereum and Solana intersect with the 185 wallets used after the Upbit drain.
If confirmed, the Upbit breach may join the historical pattern of Lazarus multi-chain laundering cases.
For example, the earlier Upbit attack took about five years for full closure, showing how such probes unfold slowly. Hence, authorities may reference that timeline while Dunamu appeals FIU sanctions that block VASP licensing renewals.
Dunamu said it will reimburse users for verified losses tied to Upbit. South Korean FIU officials said they will not lift the VASP freeze affecting Upbit and other KRW exchanges until legal decisions on the Dunamu appeal end.
Regulators also said they are coordinating Ethereum and Solana forensics teams to match Upbit wallet signatures to known Lazarus clusters.
Editor at Kriptoworld
Tatevik Avetisyan is an editor at Kriptoworld who covers emerging crypto trends, blockchain innovation, and altcoin developments. She is passionate about breaking down complex stories for a global audience and making digital finance more accessible.
📅 Published: November 28, 2025 • 🕓 Last updated: November 28, 2025
