
Key Highlights
- The Upbit hacker moved $16,000 in RAY tokens after about one month of inactivity.
- The attacker stole over $30 million from the exchange and still holds about $1 million in unsellable tokens.
- The hacker previously moved around 1,500 ETH through Tornado Cash to hide the funds.
The hacker behind the Upbit crypto theft has recently moved $16,000 worth of RAY tokens to a new wallet, marking the first activity in about a month.
In an X post on Wednesday, blockchain intelligence firm Arkham stated that the hacker still “holds around $1 million in tokens that are too illiquid to sell.”
The hacker originally stole over $30 million in cryptocurrencies from Upbit, South Korea’s largest exchange.
Recent moves since the hack
The previous transaction occurred in January, when the hacker moved around 1,500 Ethereum (ETH) through Tornado Cash, a service that hides where crypto comes from and where it goes.
Blockchain trackers Specter and MistTrack monitored these transactions and linked them to the hacker’s wallet 0x93A0. MistTrack reported about 1,400 ETH went into Tornado Cash, while Specter estimated closer to 1,500 ETH. The wallet is marked “severe” for risk, showing it is linked to theft and illegal activity.
$30 million hack from Upbit hot wallet
The breach happened in November 2025 and targeted hot wallets used to store Solana-based tokens, including SOL and USDC. According to earlier reports, South Korean authorities immediately suspected that North Korea’s Lazarus Group, which is linked to the Reconnaissance General Bureau, might be behind the hack.
“Rather than attacking the server, it is possible that the administrator account was hijacked or that the funds were transferred by pretending to be the administrator,” a government source said.
Investigators said the attack used malware disguised as a trading platform installer, along with AnyDesk backdoors and the Tor network to stay hidden. The malware collected sensitive information like passwords and wallet details. After stealing the funds, the attackers likely moved them through other exchange wallets to cover their tracks. This pattern is similar to the methods the group uses in its operations.
Upbit immediately stopped deposits and withdrawals after the breach and moved remaining assets into cold wallets. The exchange also launched a full investigation into the incident. However, by then the hackers had already moved most of the money. Once stolen funds enter mixers like Tornado Cash, tracking or recovery becomes very difficult.
The recent $16,000 movement in RAY tokens shows that the hacker is still active.
