
Kimchi Premium vs. State Hackers: Inside the North–South Korea Cyber War on Korean Exchanges

South Korea’s crypto market has become a prime target for state-backed hackers, with exchanges like Upbit repeatedly breached despite strict regulations. This investigation traces eight years of attacks, their geopolitical roots, and how stolen crypto is funding North Korea’s weapons program.

The market rebounded, but another exchange has fallen victim to a hack.

On November 27, Upbit, South Korea's largest cryptocurrency exchange, confirmed a security breach resulting in losses of approximately 54 billion KRW (around $36.8 million USD).

At 4:42 AM KST on November 27, while most Korean traders were asleep, Upbit's Solana hot wallet began experiencing abnormal large-scale outflows.

According to security firms, the attacker did not target a single asset. Instead, they executed a complete sweep of Upbit's holdings on the Solana blockchain. The stolen assets included core tokens like SOL and the stablecoin USDC, as well as nearly all major SPL tokens in the Solana ecosystem.

Partial List of Stolen Assets:

  • DeFi and Infrastructure: JUP (Jupiter), RAY (Raydium), PYTH (Pyth Network), JTO (Jito), RENDER, IO, and others.

  • Meme and Community Tokens: BONK, WIF, MOODENG, PENGU, MEW, TRUMP, and others.

  • Other Projects: ACS, DRIFT, ZETA, SONIC, and more.

The wide range of tokens drained strongly suggests that the attacker obtained the private key to Upbit's Solana hot wallet or gained control of the signing server, which would allow them to authorize transfers for every SPL token stored in the wallet.
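The signature described above, many distinct tokens leaving one hot wallet for a non-custody address within a short window, is something an exchange's monitoring can alert on. The detector below is an added example, not code from the article or from Upbit; the addresses, balances, thresholds and the transfer log are all constructed, and the allowlist of cold-storage addresses is a hypothetical control.

```python
"""Hot-wallet sweep detector: flags a key-compromise signature where many
distinct tokens are drained to non-allowlisted addresses inside one short
window. Added example, not code from the article or from any exchange;
addresses, balances, thresholds and the transfer log are all constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime       # block time of the outflow
    token: str         # token symbol (SOL, USDC, SPL tokens ...)
    amount: float      # amount leaving the hot wallet
    to_addr: str       # destination address


# Hypothetical per-token hot-wallet balances just before the window (constructed).
BALANCES = {"SOL": 100_000.0, "USDC": 5_000_000.0, "JUP": 2_000_000.0,
            "BONK": 9.0e12, "RAY": 400_000.0}

# Hypothetical allowlist of the exchange's own cold-storage addresses (constructed).
COLD_ALLOWLIST = {"COLD_WALLET_A", "COLD_WALLET_B"}


def at(hms: str) -> datetime:
    """Build a timestamp on a fixed sample day from 'HH:MM:SS'."""
    h, m, s = (int(x) for x in hms.split(":"))
    return datetime(2025, 11, 27, h, m, s)


# Constructed outflow log: a routine rebalancing to cold storage, then a sweep
# that empties every token to one unknown address within half a minute.
SAMPLE_TRANSFERS = [
    Transfer(at("03:10:00"), "SOL", 5_000.0, "COLD_WALLET_A"),
    Transfer(at("03:11:00"), "USDC", 200_000.0, "COLD_WALLET_A"),
    Transfer(at("04:42:05"), "SOL", 98_500.0, "UNKNOWN_X"),
    Transfer(at("04:42:09"), "USDC", 4_990_000.0, "UNKNOWN_X"),
    Transfer(at("04:42:14"), "JUP", 1_999_000.0, "UNKNOWN_X"),
    Transfer(at("04:42:20"), "BONK", 8.99e12, "UNKNOWN_X"),
    Transfer(at("04:42:31"), "RAY", 399_000.0, "UNKNOWN_X"),
]


def sweep_alerts(transfers, balances, allowlist,
                 window=timedelta(minutes=10), drain_frac=0.9, min_tokens=3):
    """Return one alert per sweep: (window_start, drained_tokens, destinations).

    A token counts as drained when outflows to non-allowlisted addresses within
    the window reach drain_frac of its starting balance; an alert fires when at
    least min_tokens tokens are drained in the same window. Transfers to the
    cold-storage allowlist are ignored so routine rebalancing stays silent.
    Tokens with no known balance are never counted as drained.
    """
    alerts = []
    txs = sorted(transfers, key=lambda x: x.ts)
    i = 0
    while i < len(txs):
        start = txs[i].ts
        drained, dests = {}, set()
        for tr in txs[i:]:
            if tr.ts - start > window:
                break
            if tr.to_addr in allowlist:
                continue
            drained[tr.token] = drained.get(tr.token, 0.0) + tr.amount
            dests.add(tr.to_addr)
        hit = sorted(tok for tok, amt in drained.items()
                     if amt >= drain_frac * balances.get(tok, float("inf")))
        if len(hit) >= min_tokens:
            alerts.append((start, hit, sorted(dests)))
            # One alert per window: skip the transfers already covered.
            while i < len(txs) and txs[i].ts - start <= window:
                i += 1
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for start, tokens, dests in sweep_alerts(SAMPLE_TRANSFERS, BALANCES, COLD_ALLOWLIST):
        print(f"{start:%H:%M:%S} sweep of {len(tokens)} tokens {tokens} -> {dests}")
```

On the constructed log the 03:10 rebalancing produces nothing, because both transfers go to an allowlisted address and move only a few percent of each balance, while the 04:42 outflows produce a single alert listing all five tokens and the one unknown destination. In a streaming deployment the check would run on every new outflow and raise as soon as the third token crosses the threshold, and the alert would be wired to an automatic withdrawal halt rather than a dashboard, since a sweep like this completes in seconds.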

For Upbit, which controls roughly 80% of the South Korean market and holds the highest security certification from the Korea Internet and Security Agency (KISA), this incident marks a significant security failure.

However, this is not the first time a Korean exchange has been hacked. A review of the past eight years reveals that South Korea's crypto market has been repeatedly targeted by hackers, particularly groups linked to North Korea.

South Korea's crypto market is not only one of the world's most speculative and retail-driven markets, but has also become one of the most convenient targets for North Korean hacking groups.

Eight Years of Cyber Warfare Between North and South Korea

From early brute-force attacks to sophisticated social engineering tactics, the methods have continuously evolved, and the list of targeted Korean exchanges has grown in parallel.

Cumulative Estimated Losses: Approximately $200 million USD based on prices at the time of each incident. Calculated at current market prices, the losses exceed $1.2 billion. The 342,000 ETH stolen from Upbit in 2019 alone is now worth over $1 billion.

2017: The Wild West Era, When Hackers Targeted Employee Computers

The year 2017 marked the beginning of the crypto bull market and the start of a nightmare for South Korean exchanges.

That year, Bithumb, then Korea's largest exchange, became the first major victim. In June, attackers infiltrated a Bithumb employee's personal computer, stealing the personal information of approximately 31,000 users. They then used this stolen data to launch targeted phishing attacks, ultimately stealing around $32 million USD worth of assets.

The post-incident investigation revealed shocking details: the employee's computer contained unencrypted customer data, and the company had not even installed basic security update software.

This exposed the extremely fragile state of security management at Korean exchanges during that period. Basic practices, such as not storing customer data on personal devices, had not yet been established.

Even more significant was the downfall of mid-sized exchange Youbit. The platform suffered two devastating attacks within a single year. In April, it lost nearly 4,000 BTC (approximately $5 million USD), and in December, another 17% of its assets were stolen. Unable to recover, Youbit declared bankruptcy. Users were only permitted to withdraw 75% of their balances, while the remaining portion was tied up in a lengthy bankruptcy process.

Following the Youbit incident, the Korea Internet and Security Agency (KISA) for the first time publicly accused North Korea of orchestrating an attack on a Korean exchange. This sent a clear signal to the market: exchanges were no longer dealing with ordinary cybercriminals. They were facing state-backed hacking groups with geopolitical motives.

2018: The Hot Wallet Heist Wave

June 2018 delivered a series of devastating blows to South Korea's crypto market.

On June 10, mid-sized exchange Coinrail was attacked, losing over $40 million USD. Unlike earlier incidents, hackers primarily targeted popular ICO tokens like NPXS from Pundi X, rather than Bitcoin or Ethereum. After the news broke, Bitcoin's price plunged over 10%, and more than $40 billion USD in total crypto market value evaporated within two days.

Just ten days later, leading exchange Bithumb was hit. Its hot wallet was drained of approximately $31 million USD worth of assets, including XRP. Ironically, days before the attack, Bithumb had announced on Twitter that it was "moving assets to cold storage to upgrade security."

This was Bithumb's third hack in 18 months.

The consecutive failures shattered market confidence. The Ministry of Science and ICT responded by conducting security audits on 21 domestic exchanges. The results were damning: only 7 exchanges passed all 85 security checks, while the remaining 14 were deemed "at constant risk of hacking." Among them, 12 exchanges had serious vulnerabilities in their cold wallet management.

2019: Upbit Loses 342,000 ETH

On November 27, 2019, Upbit, South Korea's largest exchange, suffered the country's biggest single crypto theft to date.

Hackers exploited a brief window during Upbit's internal wallet rebalancing and transferred 342,000 ETH in a single transaction. Instead of selling immediately, they used a "peel chain" technique, breaking the funds into countless small transactions and moving them through multiple layers before routing them to dozens of non-KYC exchanges and mixers.

Investigators later revealed that 57% of the stolen ETH was converted into Bitcoin at a 2.5% discount on an exchange believed to be North Korean-operated. The remaining 43% was laundered through 51 exchanges across 13 countries.

Five years later, in November 2024, South Korean police officially confirmed the attack was carried out by North Korean hacking groups Lazarus Group and Andariel. Investigators identified the attackers through IP tracing, fund-flow analysis, and a North Korea-specific phrase, "흘한 일" (meaning "not important"), embedded in the attack code.

South Korean authorities worked with the U.S. FBI to trace the stolen assets. After four years of legal proceedings, they recovered 4.8 BTC (approximately 600 million KRW) from a Swiss exchange and returned it to Upbit in October 2024.

Compared to the total amount stolen, this recovery was negligible.

2023: The GDAC Incident

On April 9, 2023, mid-sized exchange GDAC was attacked, losing approximately $13 million USD, which represented 23% of all assets under its custody.

The stolen funds included about 61 BTC, 350 ETH, 10 million WEMIX tokens, and 220,000 USDT. The attacker gained control of GDAC's hot wallet and quickly laundered part of the funds through the Tornado Cash mixer.

2025: Six Years Later, History Repeats

Six years ago, on November 27, Upbit lost 342,000 ETH.

History has repeated itself. At 4:42 AM, Upbit's Solana hot wallet showed abnormal outflows, and assets worth approximately 54 billion KRW ($36.8 million USD) were transferred to an unknown address.

After the 2019 Upbit incident, South Korea officially implemented the "Act on Reporting and Using Specified Financial Transaction Information" (commonly known as the Special Financial Information Act) in 2020. The law required all exchanges to obtain ISMS (Information Security Management System) certification and operate verified real-name bank accounts. Many smaller exchanges that failed to meet these requirements were forced out of the market, reducing the landscape from hundreds of competing platforms to a handful of dominant players. With backing from the Kakao ecosystem and successful certification, Upbit's market share exceeded 80%.

Six years of compliance and regulatory tightening were not enough to prevent this attack.

As of this writing, Upbit has announced it will fully compensate users with its own funds. However, details about the attacker and the exact method of intrusion have not been disclosed.

Kimchi Premium, State-Backed Hackers, and Nuclear Ambitions

The frequent hacks on South Korean exchanges are not simply the result of technical incompetence. They are a geopolitical tragedy playing out in the crypto market.

In a highly centralized market with significant liquidity premiums and a unique geopolitical position, South Korean exchanges are essentially relying on the security budget of a private company to defend against a state-sponsored hacking force driven by nuclear deterrence objectives.

This force has a name: Lazarus Group.

Lazarus operates under North Korea's Reconnaissance General Bureau (RGB) and is one of Pyongyang's most elite cyber warfare units. Before targeting cryptocurrency, they had already demonstrated their capabilities in traditional financial systems.

  • In 2014, they breached Sony Pictures.

  • In 2016, they stole $81 million USD from Bangladesh's central bank.

  • In 2017, they orchestrated the WannaCry ransomware attack that affected over 150 countries.

Starting in 2017, Lazarus shifted its focus to cryptocurrency. The reason was straightforward: compared to traditional banks, crypto exchanges have weaker regulation, uneven security standards, and once breached, funds can be moved across borders instantly through on-chain transfers, bypassing international sanctions.

South Korea was the ideal hunting ground.

First, South Korea is a natural geopolitical target. For North Korea, attacking South Korean companies not only generates funds but also disrupts an "enemy state," achieving two objectives at once.

Second, behind the Kimchi Premium lies a massive pool of capital. South Korean retail investors are famously enthusiastic about cryptocurrencies, and the premium reflects a fundamental imbalance between demand and supply.

This means the hot wallets of Korean exchanges often hold far more liquidity than those in most other markets. For hackers, this is a gold mine.

Third, language gives Lazarus a major advantage. Their attacks are not limited to technical exploits. They excel at social engineering tactics like creating fake job postings, sending phishing emails, or impersonating customer support to obtain verification codes.

Since North and South Koreans share the same language and cultural background, there is no linguistic barrier. This dramatically increases the success rate of targeted phishing attacks against Korean employees and users.

Where Does the Stolen Money Go?

This is perhaps the most striking part of the story.

According to UN reports and investigations by multiple blockchain analytics firms, the cryptocurrency stolen by Lazarus ultimately flows into North Korea's nuclear weapons and ballistic missile programs.

Reuters previously cited a confidential UN report stating that North Korea uses stolen crypto funds to support its missile development.

In May 2023, U.S. Deputy National Security Advisor Anne Neuberger publicly stated that roughly 50% of North Korea's missile program funding comes from cyberattacks and crypto theft. This was an increase from the "about one third" she mentioned in July 2022.

In other words, every time a South Korean exchange is hacked, it may be indirectly contributing to the construction of nuclear warheads across the DMZ.

At the same time, North Korea's laundering infrastructure has become highly sophisticated. Stolen assets are first broken down into countless small transactions using the "peel chain" technique, then funneled through mixers like Tornado Cash or Sinbad to obscure their origin. After that, they are exchanged at a discount for Bitcoin on North Korean-controlled exchanges, and finally converted into fiat currency through underground networks in China and Russia.
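The "peel chain" pattern named here and in the 2019 Upbit section above has a recognisable shape on-chain: each hop forwards the bulk of what it received to a fresh address and peels a small amount off to somewhere else, usually a deposit address at an exchange. The tracer below follows that shape from the first address that received the funds and collects the peel destinations, which are the points where a compliance team can still act. It is an added example, not code from the article or from any investigator; the addresses and transfers are constructed and the thresholds are hypothetical.

```python
"""Peel-chain tracer over an account-model transfer list. Added example, not
code from the article or from any investigator; the addresses and transfers
are constructed and the thresholds are hypothetical."""
from collections import defaultdict

# Constructed sample transfers (from, to, amount). H0 receives the stolen
# funds, then each hop forwards most of its balance to a fresh address and
# peels a small amount off to a deposit address (DEP_*). USER_* is ordinary
# traffic that must not be flagged.
SAMPLE_TRANSFERS = [
    ("EXCH_HOT", "H0", 1000.0),
    ("H0", "H1", 960.0), ("H0", "DEP_1", 40.0),
    ("H1", "H2", 920.0), ("H1", "DEP_2", 40.0),
    ("H2", "H3", 880.0), ("H2", "DEP_3", 40.0),
    ("H3", "H4", 850.0), ("H3", "DEP_1", 30.0),
    ("USER_A", "USER_B", 10.0), ("USER_B", "SHOP", 10.0),
]


def trace_peel_chain(transfers, start, min_hops=3, bulk_frac=0.8):
    """Follow the bulk output from `start` hop by hop.

    A hop continues while the address forwards at least bulk_frac of what it
    received to an address not yet seen in this chain; everything else it
    sends is a "peel" and is recorded as a likely cash-out point. The chain
    ends at a dormant address, at a split below bulk_frac, or at a loop.
    """
    outs = defaultdict(list)
    inflow = defaultdict(float)
    for src, dst, amt in transfers:
        outs[src].append((dst, amt))
        inflow[dst] += amt

    chain, peels, cur = [start], [], start
    while True:
        sends = outs.get(cur, [])
        received = inflow[cur]
        if received <= 0 or not sends:
            break                       # dormant address: chain ends here
        bulk_idx = max(range(len(sends)), key=lambda k: sends[k][1])
        bulk_dst, bulk_amt = sends[bulk_idx]
        if bulk_amt < bulk_frac * received or bulk_dst in chain:
            break                       # split or loop: not a peel hop
        peels.extend(s for k, s in enumerate(sends) if k != bulk_idx)
        chain.append(bulk_dst)
        cur = bulk_dst

    hops = len(chain) - 1
    return {
        "is_peel_chain": hops >= min_hops,
        "hops": hops,
        "chain": chain,
        "peel_destinations": sorted({d for d, _ in peels}),
        "peeled_total": sum(a for _, a in peels),
    }


if __name__ == "__main__":
    print(trace_peel_chain(SAMPLE_TRANSFERS, "H0"))
```

Starting at H0 the tracer walks four hops to the dormant H4, reports 150 units peeled off, and names DEP_1, DEP_2 and DEP_3 as the deposit points to screen; starting at USER_B it walks a single ordinary hop and reports no chain. Real tracing adds a freshness check against the whole ledger (a bulk destination that has transacted before is a stronger signal of a service than of a hop) and handles hops that peel nothing, but the forward-the-bulk, peel-a-little test is the core heuristic.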

For the 342,000 ETH stolen from Upbit in 2019, the official investigation released by South Korean police showed the following: 57% was converted into Bitcoin at a 2.5% discount on three exchanges believed to be run by North Korea, while the remaining 43% was laundered through 51 exchanges across 13 different countries. The entire process took years, and most of the funds have still not been recovered.

This illustrates the core dilemma faced by South Korean exchanges: on one side is Lazarus, a hacking unit backed by state-level resources, capable of operating around the clock with unlimited budget and no concern for cost. On the other side are commercial companies like Upbit and Bithumb.

Even top-tier exchanges that have passed strict audits struggle to defend themselves against persistent, state-sponsored cyberattacks.

This Is Not Just a South Korean Problem

Eight years, over a dozen major attacks, and roughly $200 million USD in losses. Treating this as merely a local news story about the South Korean crypto industry would miss the much larger picture.

What Korean exchanges have experienced is an early preview of the crypto industry's confrontation with state-level adversaries.

North Korea is the most visible player, but not the only one. Certain high-threat groups in Russia have been linked to multiple DeFi exploits. Iranian hackers have attacked Israeli crypto companies. And North Korea itself has long expanded its battlefield beyond South Korea. Global victims include Bybit's $1.5 billion USD incident in 2025 and the $625 million USD Ronin exploit in 2022, spreading across every major region worldwide.

The crypto industry has a structural contradiction: everything must pass through centralized entry points.

No matter how secure a blockchain may be, user assets ultimately move through exchanges, cross-chain bridges, and hot wallets, which are the chokepoints of the system.

These nodes hold vast amounts of funds, yet they are operated by commercial companies with limited security budgets. For state-backed hacking groups, this creates an extremely efficient hunting ground.

The imbalance in resources is fundamental. Lazarus can afford to fail a hundred times, but an exchange can only fail once.

The Kimchi Premium will continue to attract global arbitrage traders and local retail investors. Lazarus will not stop simply because their operations have been exposed. The battle between South Korean exchanges and state-sponsored hackers is far from over.

All we can hope is that the next victim is not you.


Techflow Researcher. man of many, master of none.