South Korean authorities have exposed a sophisticated laundering operation following the theft of approximately $32.2 million (44.5 billion won) from the Upbit cryptocurrency exchange. The hackers moved the stolen funds through Godex, an unlicensed exchange based in the tax haven of Seychelles, exploiting its minimal regulatory oversight, strong privacy protections, and limited international cooperation to conceal their identities and create a nearly untraceable money trail.
In a critical development, Binance froze only a fraction of the stolen assets despite an urgent request from Upbit and Korean police. Authorities requested a freeze on roughly 470 million won (about $370,000) worth of Solana (SOL) that had reached Binance service wallets. However, the global exchange delayed action for approximately 15 hours, citing a need for further fact-checking, and ultimately froze only 80 million won (about $58,000-$75,000), representing less than 20% of the requested amount.
Investigators revealed that the hacking group used an elaborate laundering strategy on November 27, quickly scattering the stolen assets across more than a thousand wallets. The attackers repeatedly broke funds into smaller portions, moved them through multiple chains, and relied on token bridges and swaps to obscure the trail. Most of the laundered assets eventually landed on Binance. Following the initial freeze, investigators noted that most stolen assets were converted from Solana to Ethereum, likely to improve liquidity.
The incident has sparked criticism from Korean experts. Cho Jae-woo, director of Hansung University’s Blockchain Research Institute, argued that "rapid intervention is essential to minimize losses" and criticized exchanges for often citing litigation risks as an excuse for hesitation. He called for the establishment of a global emergency hotline between exchanges or a coordinated body empowered to impose immediate freezes.
In response to the hack, Upbit's operator, Dunamu, announced a drastic security overhaul, moving 99% of customer assets into cold storage and reducing hot wallet exposure to effectively zero. This far exceeds South Korea’s legal requirement of 80%. The exchange had already held 98.33% of assets in cold storage at the end of October. Meanwhile, South Korean authorities have launched an investigation, with local reports citing early intelligence assessments that allegedly connect the intrusion to North Korea’s Lazarus Group.
The case is expected to accelerate regulatory changes in South Korea, potentially leading to stricter licensing requirements for exchanges operating with Korean users and enhanced international cooperation agreements. It highlights the critical need for standardized protocols for immediate asset freezing across multiple exchanges, verified threat intelligence sharing, and improved cross-jurisdictional cooperation with law enforcement.
PYUSD
WLD
XRP