Upbit Confirms $30.4M Hack, Reimburses $26.4M to Users as $4.03M Corporate Loss Finalized

$1.57M Frozen Through Tracking, Regulators Continue Inspection Through Dec. 5 Amid Lazarus Attribution Review

TL;DR
- Upbit hot-wallet breach tied to Solana assets results in updated loss estimate of $30.4 million.
- Exchange freezes deposits/withdrawals and vows to fully reimburse users using corporate reserves.
- Korea’s FSA conducts on-site inspection through Dec. 5 while asset recovery efforts continue, with $1.57M reported frozen.

Withdrawal systems at South Korea’s largest exchange were forced into emergency suspension after Upbit flagged abnormal outflows at around 04:42 a.m. KST on Nov. 27, 2025, identifying unauthorized movements tied to a Solana hot wallet that rapidly escalated to tens of millions of dollars in losses. Initial figures placed the breach near $37 million, later refined to $30.4 million based on updated internal accounting and asset valuation.

The compromised wallet held a broad range of Solana-ecosystem tokens including SOL, JTO, BONK, RENDER, ORCA, JUP, and USDC, alongside smaller memecoins and various emerging Solana-network assets. Hot-wallet reserves were isolated, remaining funds were migrated into cold custody, and Upbit assured customers that no user assets would be affected financially, stating the exchange would cover the total stolen value directly using corporate reserves to stabilize trust while internal audits proceed.

Operational interruptions came at an uneasy time, landing exactly six years after Upbit’s 2019 hot-wallet theft, in which 342,000 ETH (valued near $50 million at the time) was drained, prompting many to question whether hot-wallet infrastructure remains an industry-wide weak point.

Timing sharpened scrutiny further given Upbit operator Dunamu’s major corporate alignment with Naver Financial, a merger estimated at over $10 billion in combined coin market cap influence across financial and digital service operations. Analysts observed that an incident during a period of institutional expansion could become a stress test for public confidence, especially with regulators already intensifying oversight of domestic exchanges. Early chain-tracking allowed the freezing of $1.57 million linked to the stolen portfolio, yet most funds remain under investigation via inter-platform coordination, token issuer contact, and live monitoring of traced wallet flows as teams work to stall laundering attempts.

Authorities escalated their response quickly, with Korea’s Financial Supervisory Service launching an on-site inspection that will continue through Dec. 5, reviewing security controls, incident management procedures, and withdrawal-authorization logic to determine how the breach bypassed operational safeguards. Upbit has not issued a fixed timeline for re-enabling withdrawals or deposits, saying services will resume only after full internal validation and regulatory clearance.

Conversations across market participants reflected both frustration and pragmatism, noting that hot-wallet architecture, designed to keep liquidity online for traders, inevitably introduces operational exposure that even major exchanges cannot fully mitigate. Traders monitoring the crypto price index saw muted but noticeable volatility in Solana-ecosystem tokens as news spread, while broader crypto price movement stayed relatively stable as the market digested the implications without major systemic spillover.

Industry observers described the event as a reminder that user funds stored on centralized platforms remain subject to attack vectors even when protected by reputationally strong operators. Upbit’s decision to reimburse losses may limit direct user fallout, yet reputational damage, regulatory pressure, and long-tail forensics could extend for months. Security engineers and institutional participants cited renewed urgency toward minimizing hot-wallet liquidity windows and accelerating cold-storage transition automation, particularly for high-value chains with fast settlement standards like Solana.

Recovery efforts remain active, and asset reclamation success will likely hinge on the speed of wallet traceability cooperation, token issuer intervention, and jurisdictional freeze authority. Market participants continue to watch whether withdrawals reopen smoothly or whether extended oversight pushes Upbit to redesign architecture in a way that shapes future industry security standards and ultimately influences regional crypto price behavior and overall coin market cap resilience.

UPDATE: On Nov. 28, a new statement from Dunamu CEO Oh Kyung-seok clarified the internal financial impact of the Nov. 27 breach, separating user losses from corporate liability and introducing more precise reimbursement figures than initially reported. Upbit absorbed a 5.9 billion-won (~$4M) net corporate hit, after covering 38.6 billion won in user assets directly from reserves and offsetting part of the damage with recovery actions. A total of 44.5 billion won was siphoned during the breach, but 2.3 billion won was successfully frozen, allowing a fraction of the funds to be held back through chain-tracking and wallet interception efforts. The exchange reiterated that all customers impacted by the hack have already been made whole, fully compensated using internal capital rather than insurance proceeds or external financing.

This update also confirmed that investigators are evaluating whether the incident bears hallmarks linked to North Korea’s Lazarus Group — the same entity long suspected in a series of major exchange penetrations, including the 2019 Upbit Ethereum theft and multiple cross-chain exploits tied to mixing infrastructure. South Korean authorities are now weighing attribution as part of the broader review already underway, suggesting that the investigation phase may widen if state-sponsored involvement becomes more likely.
This article has been refined and enhanced by ChatGPT.