North Korea Hackers: Upbit Exchange $35M Breach

With ‘Lazarus’, a hacking group under North Korea’s Reconnaissance General Bureau, identified as the mastermind behind the 44.5 billion won hack of Upbit, Korea’s largest virtual asset exchange, vigilance against cyber attacks is rising. The group is understood to have carried out at least 31 hacks in the past year, and the Upbit hack is assessed to follow a pattern similar to its established methods.

This analysis is based on the ‘2025 Cyber Threat Trends and 2026 Security Outlook’ report published by the information security company AhnLab. According to the report, North Korean hacking groups, including Lazarus, carried out the most hacking activity of any state-level actor over the past year. North Korea was the most active country worldwide with a total of 86 attacks, followed by China, Russia, India, and Pakistan.

North Korean cyber groups, including Lazarus, target a range of fields including politics, diplomacy, finance, and virtual assets. They focus their attacks on virtual asset exchanges in particular because stealing virtual assets, which are relatively profitable and offer anonymity, is an attractive source of funds for North Korea, which struggles to secure foreign currency under international sanctions. They typically gain entry using advanced methods such as spear phishing (targeted email attacks), multi-platform malware, and MFA (multi-factor authentication) bypass.

In the case of the Upbit hack, the government is closely analyzing the possibility of a link to the group, since the transaction wallet signing process was abnormally manipulated and large-scale assets were quickly transferred out, which resembles past Lazarus attacks. Lazarus already has a large number of malware families covering macOS and Linux, and these programs are known to be able to change virtual asset wallet addresses or monitor the clipboard.

Meanwhile, in addition to Lazarus, major North Korean hacking groups such as Kimsuky, Konni, and Andariel are also active. They disguise their identities or use social engineering techniques to steal key information from individuals or companies, and recently some cases of fake identities created with artificial intelligence (AI) have been detected. In particular, there are repeated cases of Kimsuky stealing information through spear phishing, using documents disguised as lecture requests and interview proposals.

This trend has several important implications for the future cybersecurity environment. First, as the digital asset market expands, the likelihood of being targeted by state-backed hacking groups such as North Korea’s increases. Second, as technology becomes more complex and sophisticated, it is becoming harder to defend with traditional security systems alone. Security experts point out that preemptively strengthening security in key industries such as information technology (IT), finance, and national defense is now more urgent than ever.
