[Image: North Korean IT hacker. (Image sourced from social media)]
[Alpha Biz= Kim Jisun] The Lazarus Group, a North Korean hacking unit under the Reconnaissance General Bureau, has emerged as the leading suspect behind the recent ₩44.5 billion hacking incident at Upbit, South Korea’s largest cryptocurrency exchange. A new analysis indicates that North Korea has intensified its cyber offensives against South Korea over the past year, with warnings that attacks targeting AI, cryptocurrencies, and national infrastructure are expected to escalate in 2025.
According to the cybersecurity industry on the 30th, AhnLab recently released its report titled “2025 Cyber Threat Trends & 2026 Security Outlook.” The report reviewed major Advanced Persistent Threat (APT) activities disclosed between October 2024 and September 2025, noting that North Korean APT groups were the most active, recording 86 incidents, the highest among all countries. China followed with 27 cases, while Russia and India each recorded 18.
Among North Korean APT organizations, Lazarus accounted for 31 cases, while Kimsuky recorded 27. The report added that many APT operations remain undisclosed due to their stealthy nature or government policy, suggesting that the true number of attacks is likely higher.
AhnLab assessed that North Korean APT groups target a wide range of sectors—including politics, diplomacy, finance, and cryptocurrency—with the aim of securing financial gains and intelligence. Lazarus has recently focused on cryptocurrency platforms, the financial sector, IT companies, and defense-related organizations. The group has developed multiple multi-platform malware strains affecting macOS and Linux, featuring capabilities such as clipboard monitoring and the theft of cryptocurrency wallet addresses and credentials.
Kimsuky, another hacking unit under North Korea’s Reconnaissance General Bureau, has repeatedly used spear-phishing tactics involving fake lecture invitations, interview requests, and malicious attachments. The group frequently disguises its origin using Russian domains (mail.ru) and free Korean-language domains. Attacks leveraging ISO disk image files and Hangul (.HWP) documents have been increasingly observed, indicating that everyday work files are being weaponized as infection vectors.
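The indicators in the paragraph above (lure themes, mail.ru or free-mail sender domains, ISO and HWP attachments) lend themselves to a simple mail-gateway triage rule. The following is an added illustration, not code from the article or from AhnLab; the pipe-delimited log format, the placeholder Korean free-mail domain and the scoring threshold are assumptions.

```python
from email.utils import parseaddr

# Indicators named in the article. mail.ru is from the text; the Korean
# free-mail domain is a constructed placeholder, since the article names none.
LURE_KEYWORDS = ("lecture", "invitation", "interview", "request")
SUSPECT_DOMAINS = {"mail.ru", "free-mail.example.kr"}
RISKY_EXTENSIONS = {".iso", ".hwp"}


def score_message(sender, subject, attachments):
    """Return (score, reasons) for one message; each matched indicator adds 1."""
    reasons = []
    _, addr = parseaddr(sender)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in SUSPECT_DOMAINS:
        reasons.append(f"sender domain {domain}")
    if any(word in subject.lower() for word in LURE_KEYWORDS):
        reasons.append("lure theme in subject")
    for name in attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment {name}")
    return len(reasons), reasons


def triage(log_lines, threshold=2):
    """Parse constructed 'sender|subject|att1;att2' lines and return those
    whose score meets the threshold, so a single lure word alone is not flagged."""
    flagged = []
    for line in log_lines:
        sender, subject, atts = line.split("|")
        attachments = [a for a in atts.split(";") if a]
        score, reasons = score_message(sender, subject, attachments)
        if score >= threshold:
            flagged.append((sender, score, reasons))
    return flagged


# Constructed sample gateway log, not real mail data.
SAMPLE_LOG = [
    "Prof. Lee <lee@mail.ru>|Lecture invitation: security seminar|invitation.hwp",
    "hr@company.example|Q3 budget review|budget.xlsx",
    "reporter@free-mail.example.kr|Interview request|questions.iso",
    "colleague@company.example|Lecture slides from Monday|slides.pptx",
]

if __name__ == "__main__":
    for sender, score, reasons in triage(SAMPLE_LOG):
        print(sender, score, reasons)
```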
Alpha Biz Kim Jisun (stockmk2020@alphabiz.co.kr)