Lazarus Group Suspected in Upbit Hack Amid $10.3B Dunamu-Naver Merger: A Deep Dive into the Security Breach and Regulatory Fallout
Introduction
In a stunning one-two punch to South Korea's crypto industry, November 27, 2025, saw two seismic events unfold simultaneously. Upbit, the nation's largest cryptocurrency exchange, was hacked for 44.5 billion won ($30 million), while its parent company, Dunamu, announced a landmark $10.3 billion all-stock merger with internet giant Naver. The coincidence has thrown the blockbuster deal into immediate jeopardy and cast a harsh spotlight on the security and regulatory framework governing digital assets in South Korea. Authorities are now investigating the sophisticated attack as a likely operation by North Korea’s Lazarus group, a state-sponsored hacking collective with a long history of targeting crypto exchanges. This incident not only revisits the ghosts of Upbit's 2019 security breach but also complicates Dunamu's existing regulatory troubles, including a record 35.2 billion won fine from the Financial Intelligence Unit (FIU). This article provides an in-depth analysis of the hack's mechanics, the ongoing regulatory crackdown, and the precarious future of the Dunamu-Naver merger.
The Upbit Hack: Sophisticated Multi-Chain Laundering Suspected
The security breach involved an attacker draining funds from Upbit's hot wallets. On-chain data analyzed on November 28 revealed a highly advanced cross-chain money laundering operation. The attacker swapped 24 Solana-based tokens for WSOL (Wrapped Solana) and SOL before scattering the funds across 185 wallets. The movement of assets was rapid and deliberate, with the hacker bridging stolen assets across different blockchain networks and converting them into Ethereum (ETH), accumulating over $1.6 million after the initial theft from Upbit’s hot wallet.
Market observers remarked on the sophistication of the operation. One analyst tracking the funds' movements in real time noted that bridging activity via Allbridge created arbitrage gaps due to thin liquidity pools. Each transfer of $200,000 to $300,000 left clear traces for those following blockchain flows closely. This method of using multiple chains and wallets demonstrates an evolution in laundering techniques, making fund tracing and recovery more complex for investigators and analytics firms.
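The fan-out and bridge-deposit pattern described above is what investigators trace forward from the compromised wallet. The sketch below is an added illustration, not code from Upbit or any analytics firm: it runs a simple reachability ("taint") trace over constructed transfer records, and every address, the "bridge" label and the sample values are assumptions; it ignores transaction timing, which a real trace would respect.

```python
from collections import defaultdict, deque

# Constructed sample transfers: (sender, receiver, usd_value). All addresses are made up.
TRANSFERS = [
    ("hot_wallet", "w1", 900_000),
    ("hot_wallet", "w2", 700_000),
    ("w1", "w3", 250_000),
    ("w1", "w4", 300_000),
    ("w1", "w5", 350_000),
    ("w2", "w6", 220_000),
    ("w3", "bridge", 250_000),
    ("w4", "bridge", 300_000),
    ("w6", "bridge", 220_000),
    ("w5", "w7", 350_000),
    ("unrelated", "bridge", 240_000),  # in the band, but not reachable from the seed
    ("w7", "bridge", 50_000),          # reachable, but outside the band
]
BRIDGES = {"bridge"}        # assumed label set for known bridge deposit addresses
BAND = (200_000, 300_000)   # per-transfer range reported in the article

def trace(transfers, seed, bridges=BRIDGES, band=BAND):
    """Breadth-first trace of funds leaving `seed`.

    Returns the downstream wallets, each visited wallet's fan-out (number of
    distinct recipients), and bridge deposits whose value falls inside `band`.
    """
    out = defaultdict(list)
    for sender, receiver, value in transfers:
        out[sender].append((receiver, value))

    seen, queue, hits = {seed}, deque([seed]), []
    while queue:
        src = queue.popleft()
        for dst, value in out[src]:
            if dst in bridges:
                # A bridge pools many users' funds, so record the deposit
                # and stop here instead of tainting everything beyond it.
                if band[0] <= value <= band[1]:
                    hits.append((src, dst, value))
                continue
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)

    fan_out = {w: len({d for d, _ in out[w]}) for w in seen}
    return {"wallets": seen - {seed}, "fan_out": fan_out, "bridge_hits": hits}
```

The bridge deposits it returns are the points where a trace has to continue on the destination chain, which is why each hop adds work for investigators.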
Lazarus Group: The Prime Suspect in a Repeat Offense
South Korean authorities reportedly believe that North Korea’s Lazarus group carried out the Upbit hack. The attack reused a 2019-style hot-wallet breach, with hopping and mixing activity suggesting deliberate laundering. Financial regulators and the Korea Internet & Security Agency (KISA) have visited Dunamu’s headquarters and have launched emergency on-site inspections to assess the damage and security failures.
The involvement of Lazarus would mark a recurring theme for Upbit, which suffered a significant breach in 2019. If confirmed, this attribution could have mixed consequences for Dunamu. While it highlights vulnerabilities, it could also provide a partial exemption from regulatory blame, as happened for the company after the attack six years ago. However, that previous case produced conclusions only after five years, suggesting that a similarly protracted timeline for investigations and regulatory judgments could be expected this time.
Dunamu's Pre-Existing Regulatory Quagmire
The hack adds to Dunamu’s ongoing regulatory woes that predate the security incident. Earlier in November, the Financial Intelligence Unit (FIU) under Korea’s Financial Services Commission levied a record 35.2 billion KRW fine ($26.5 million) on the exchange operator for violating requirements on the reporting and use of specified financial transaction information. This is the heaviest penalty the FIU has issued to a crypto firm.
These violations were extensive and systemic, including failing to conduct required customer due diligence 5.3 million times, failing to block 3.3 million unauthorized transactions, and neglecting to report 15 suspicious activities. Beyond the financial penalty, regulators imposed a three-month partial business suspension and reprimanded nine executives. Dunamu has appealed the suspension, with a subsequent trial scheduled for the week following the hack.
A critical consequence of these penalties has been the freezing of Virtual Asset Service Provider (VASP) license renewals for over a year. All major Korean won trading exchanges, including Upbit, now operate on extended licenses while Dunamu awaits the outcome of its case. Under Korean law, the usual three-year renewal process remains on pause until sanctions are resolved, creating an industry-wide impasse that impacts the entire Korean cryptocurrency sector.
The $10.3 Billion Dunamu-Naver Merger: Ambition Meets Adversity
Announced on the same day as the hack, the proposed merger between Dunamu and Naver is a monumental deal valued at $10.3 billion. At a November 27 press conference at Naver headquarters in Seongnam, executives outlined plans for an all-stock transaction that would issue 87.56 million new Naver shares. The strategic goals of the merged entity are threefold.
First, the new company intends to design next-generation financial infrastructure to diversify revenue beyond exchange operations. Second, it plans to address new payment needs by issuing and circulating a KRW-backed stablecoin for local and international settlements. Third, the entity will pursue global expansion by merging Dunamu’s blockchain expertise with Naver’s broad Asian user base, notably through platforms like Line Messenger.
The merged firm hopes to leverage both blockchain and Web3 technology, alongside artificial intelligence. Executives also raised the possibility of seeking a US Nasdaq listing, contingent upon demonstrating sufficient shareholder value.
How the Hack and Regulations Jeopardize the Merger
The timing of the hack introduces severe complications for the merger's prospects. Regulators are now compelled to scrutinize Dunamu’s security measures and internal controls as part of the merger review process. The situation raises significant concerns about whether Naver’s acquisition can proceed smoothly amid active criminal and regulatory probes.
Industry experts note that Dunamu's potential business suspension from the FIU fine may block it from independently entering new ventures. In this context, the merger with Naver could offer a strategic workaround, allowing Dunamu to access new markets and resources despite direct regulatory hurdles. However, if internal failures related to the hack are confirmed, Dunamu could face additional penalties, making its VASP license renewal even more difficult and potentially derailing the merger.
The outcomes of the legal proceedings surrounding the FIU fine and the investigations into the hack will be decisive. If Dunamu’s case for VASP license renewal is resolved favorably, reviews for all platforms could resume, potentially ending the logjam that has stalled the industry for over a year.
Conclusion: A Pivotal Moment for South Korea's Crypto Landscape
The simultaneous occurrence of the Upbit hack and the Dunamu-Naver merger announcement represents a critical inflection point for South Korea's cryptocurrency market. The suspected involvement of the Lazarus group underscores the persistent and evolving threat posed by sophisticated state-level actors, demanding ever-higher security standards from exchanges.
For market participants and observers, several key developments warrant close monitoring. The progression of both the FIU's case against Dunamu and the investigation into the hack will directly influence regulatory stability and the fate of VASP licenses industry-wide. Furthermore, whether Naver proceeds with the merger—and under what revised terms—will signal major tech conglomerates' appetite for entering the crypto space amid significant turbulence.
This episode serves as a stark reminder that in the rapidly evolving world of digital assets, robust security protocols and transparent regulatory compliance are not merely operational details but foundational necessities for growth and stability. The ability of South Korea's leading crypto firms to navigate this dual crisis will likely set the tone for the industry's trajectory in Asia for years to come.