Photo credit: Pixabay/Pexels

South Korean authorities have officially confirmed that North Korea orchestrated the massive theft of 342,000 Ethereum from the cryptocurrency exchange Upbit in November 2019, according to Yonhap News, a local media organization. This revelation marks the first time a domestic investigative agency has directly attributed a cyberattack on virtual assets to North Korea.

The National Investigation Headquarters of the National Police Agency announced on November 21 that the stolen Ethereum, valued at 58 billion won at the time (approximately $44 million USD), would now be worth an estimated 1.47 trillion won ($1.1 billion USD) in today’s market.

The police identified two North Korean-affiliated hacker groups—Lazarus and Andariel—both under the Reconnaissance General Bureau, as the perpetrators behind the attack. Their conclusion was supported by evidence such as North Korean IP addresses, tracking of virtual asset flows, unique vocabulary usage, and intelligence provided by the US Federal Bureau of Investigation (FBI).

While police declined to reveal the specific methods used in the attack to prevent potential copycats, they disclosed that a North Korean term, Heulhan Il—translating to “not important”—was found in the attacker’s computer system.

After the theft, 57% of the stolen Ethereum was converted into Bitcoin at three North Korea-controlled virtual asset exchanges at a 2.5% discount compared to market rates. The remaining Ethereum was distributed across 51 international exchanges and laundered.

By October 2020, some of the stolen Bitcoin was tracked to a Swiss cryptocurrency exchange. After four years of legal and investigative cooperation with Swiss prosecutors, South Korean authorities successfully recovered 4.8 Bitcoin—worth around 600 million won ($445,000 USD)—which has since been returned to Upbit.

North Korea has frequently been accused of engaging in cryptocurrency theft to fund its weapons programs amid international sanctions. While UN reports and statements from foreign governments have highlighted Pyongyang’s illicit activities in cyberspace, this is the first confirmation of North Korea’s direct involvement from South Korean authorities.