Upbit Hack: 44.5 Billion Won Stolen in Solana Security Breach

2025-11-28 | 10m
South Korea’s largest cryptocurrency exchange, Upbit, suffered a hack that resulted in the theft of digital assets worth 44.5 billion won. The breach occurred on November 27, exactly six years after roughly 58 billion won in digital assets were stolen in a 2019 hacking attack linked to North Korea’s Reconnaissance General Bureau. The incident came one day after Dunamu, Upbit’s operator, formally announced its merger with Naver Financial, a subsidiary of Naver.
This security breach highlights the ongoing challenges that cryptocurrency exchanges face in protecting user funds despite advanced security measures. It also comes at a pivotal moment in Upbit's corporate development, raising questions about security preparedness during periods of significant organizational transition.

Details of the Hack

The security breach at Upbit was detected on November 27, 2025, at approximately 4:42 AM local time (KST), when abnormal withdrawal patterns were identified on the Solana network. The exchange immediately suspended deposit and withdrawal services across its platform and initiated a comprehensive security review of all supported crypto assets.
According to initial reports from Dunamu, Upbit's operator, the hack resulted in the loss of approximately 54 billion Korean won (roughly $36-37 million) in Solana-affiliated assets. The company later revised the estimated damage to 44.5 billion won ($30.1 million) based on the affected assets' prices at the time of the incident. The stolen assets were transferred to an unauthorized external wallet address, with the breach limited to Upbit's hot wallet while cold wallet reserves remained secure.
The affected tokens spanned a wide range of Solana ecosystem assets, including SOL, USDC, and various SPL standard tokens such as JUP (Jupiter), RAY (Raydium), PYTH (Pyth Network), JTO (Jito), BONK, and others. Security analysts from SlowMist noted that the attacker essentially "emptied" Upbit's Solana hot wallet, suggesting the hacker likely gained control of the wallet's private keys or signing server authorization.

Upbit's Response and Damage Control

In response to the security incident, Upbit implemented immediate protective measures to prevent further losses. The exchange moved all remaining assets to secure cold wallets, initiated on-chain freezing procedures, and began collaborating with relevant projects and law enforcement agencies to track and recover the stolen funds.
The company successfully froze approximately 2.3 billion won ($8.18 million) worth of Solayer (LAYER) token assets through chain intervention. Upbit CEO Oh Kyoung-suk issued a formal apology to users for the inconvenience and concerns caused by the emergency security checks and the abnormal withdrawal situation.
Crucially, Upbit committed to covering all financial losses resulting from the breach using company-owned assets, ensuring that no user funds would be affected. The exchange emphasized that customers would not need to take any action to recover their funds, though they cautioned that the reimbursement process might require patience as the security audit and investigation continued.
Financial authorities in South Korea responded promptly to the incident, launching on-site inspections to assess the situation firsthand. Upbit assured users that trading services remained operational despite the temporary suspension of deposits and withdrawals, allowing users to continue buying and selling assets within the exchange platform.

Historical Context: Upbit's Security History

The 2025 security breach marks the second major hacking incident in Upbit's history, coming exactly six years after the exchange's previous significant breach in November 2019. The 2019 attack resulted in the theft of 342,000 Ethereum tokens valued at approximately 58 billion won at the time, an amount that would be worth over $1 billion at 2025 prices.
The 2019 investigation eventually identified North Korean hacker groups Lazarus Group and Andariel as the perpetrators, with Korean authorities and the FBI collaborating on tracking the stolen assets. After four years of judicial processes, only 4.8 Bitcoin (approximately 6 billion won) was successfully recovered from a Swiss exchange and returned to Upbit in October 2024, which is a negligible amount compared to the total stolen.
This latest incident continues a troubling pattern of Korean cryptocurrency exchanges being targeted by sophisticated hackers. Since 2017, Korean exchanges have suffered cumulative losses of approximately $200 million (based on historical prices at the time of each incident), though the current value of these stolen assets would exceed $1.2 billion.
The history of exchange hacks in Korea includes:
  • 2017: Bithumb lost $32 million through phishing attacks; Youbit suffered two attacks that eventually led to its bankruptcy.
  • 2018: Coinrail ($40 million) and Bithumb again ($31 million) were breached in June alone.
  • 2023: GDAC exchange lost $13 million, representing 23% of its total hosted assets.

The Naver Acquisition: Corporate Context

The security breach occurred at a particularly significant moment in Upbit's corporate history—just one day after Naver Financial, the fintech subsidiary of Korean internet giant Naver, announced a massive $10.3 billion all-stock acquisition of Dunamu, Upbit's parent company.
The acquisition deal, unveiled on November 26, would see Naver Financial issue 87.56 million new shares to Dunamu shareholders at an agreed exchange ratio of 1:2.54-3.3 Naver Financial shares per Dunamu share. Upon completion, Dunamu would become a wholly-owned subsidiary of Naver Financial, creating a fintech company valued at approximately 20 trillion won.
The timing of the hack forced Dunamu executives to navigate between a morning press conference promoting the transformative potential of the Naver merger and an afternoon announcement addressing the security breach. Market reaction to the two developments was negative, with Naver's shares falling 4.6% to 251,500 won following the news.
The acquisition represents a significant strategic bet on the cryptocurrency and fintech industry for Naver, a company better known for its search engine, online shopping, and messaging platforms. Executives from both companies had outlined plans to invest 10 trillion won ($6.8 billion) over the next five years to develop AI and blockchain technology infrastructure and create a Korean won-pegged stablecoin.

Korean Exchange Security: Broader Implications

The Upbit hack highlights the persistent security vulnerabilities that cryptocurrency exchanges face, particularly in South Korea, where the market exhibits unique characteristics that make it an attractive target for hackers. The "kimchi premium"—the phenomenon where cryptocurrency prices in Korea often trade higher than in global markets—creates particularly lucrative opportunities for attackers.
South Korea represents one of the world's most active retail cryptocurrency markets, with approximately 18 million people (roughly one-third of the population) participating in digital asset trading in various forms. Upbit dominates this market with an estimated 71-80% share of domestic cryptocurrency trading volume, effectively creating a near-monopoly position in the Korean market.
The concentration of liquidity and market dominance makes major Korean exchanges like Upbit particularly attractive targets for sophisticated hacking groups. According to security analysts, North Korean hacking units like Lazarus Group have increasingly targeted cryptocurrency exchanges since 2017 as a means to bypass international sanctions and fund military programs.
U.S. officials have publicly stated that North Korea's missile program derives approximately 50% of its funding from cyberattacks and cryptocurrency theft, a significant increase from the "approximately one-third" estimate provided in 2022. This suggests that attacks on cryptocurrency exchanges have evolved beyond criminal enterprises to become instruments of geopolitical significance.

Industry Response and Security Recommendations

The recurrence of major exchange hacks despite enhanced security measures implemented after the 2019 incident raises important questions about the adequacy of current security practices in the cryptocurrency industry. Following the 2019 Upbit hack, Korea implemented stricter regulations under the Specific Financial Information Act, requiring all exchanges to obtain ISMS (Information Security Management System) certification and establish real-name verification banking partnerships.
These regulatory changes led to industry consolidation, with numerous smaller exchanges unable to meet the requirements and Upbit emerging with an even larger market share. Despite these regulatory improvements and Upbit's reputation for having the highest security certification from the Korea Internet Security Agency (KISA), the 2025 breach demonstrates that determined attackers continue to find vulnerabilities.
Security experts recommend several measures for exchanges seeking to enhance their security posture:
  • Implementing robust multi-signature wallet systems that require multiple authorized signatures for transactions
  • Maintaining sufficient reserves in cold storage to minimize hot wallet exposure
  • Conducting regular third-party security audits and penetration testing
  • Establishing comprehensive insurance coverage for digital assets
  • Developing advanced transaction monitoring systems with abnormal pattern detection
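
As an illustration of the last recommendation, the sketch below flags the pattern described in this incident: a hot wallet being emptied of many different tokens toward one unfamiliar address in a short time. It is an added example, not code from Upbit or from this article's sources; the sample transfers, the allowlist of known destinations, the thresholds, and all names are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real incident data): hot-wallet balances per token,
# an allowlist of known destinations, and outbound transfers.
BALANCES = {"SOL": 1000.0, "USDC": 500000.0, "JUP": 80000.0, "BONK": 9e9}
KNOWN_DESTINATIONS = {"cold_wallet_1", "user_addr_A", "user_addr_B"}
TRANSFERS = [  # (timestamp, token, amount, destination)
    ("2025-01-01T03:10:00", "SOL", 5.0, "user_addr_A"),
    ("2025-01-01T03:25:00", "USDC", 1200.0, "user_addr_B"),
    ("2025-01-01T03:40:00", "SOL", 2.0, "new_user_addr"),  # unknown but small
    ("2025-01-01T04:00:10", "SOL", 990.0, "unknown_addr_X"),
    ("2025-01-01T04:00:40", "USDC", 495000.0, "unknown_addr_X"),
    ("2025-01-01T04:01:30", "JUP", 80000.0, "unknown_addr_X"),
    ("2025-01-01T04:02:00", "BONK", 9e9, "unknown_addr_X"),
]

def detect_drain(transfers, balances, known, window_s=600, min_tokens=3, min_fraction=0.5):
    """Return one alert per non-allowlisted destination that, inside a sliding
    window of window_s seconds, receives at least min_fraction of the hot-wallet
    balance of at least min_tokens distinct tokens."""
    by_dest = defaultdict(list)
    for ts, token, amount, dest in transfers:
        if dest not in known:
            by_dest[dest].append((datetime.fromisoformat(ts), token, amount))
    alerts = []
    for dest, rows in by_dest.items():
        rows.sort()
        start, moved = 0, defaultdict(float)
        for ts, token, amount in rows:
            moved[token] += amount
            # Drop transfers that have fallen out of the window.
            while (ts - rows[start][0]).total_seconds() > window_s:
                moved[rows[start][1]] -= rows[start][2]
                start += 1
            drained = sorted(t for t, a in moved.items()
                             if balances.get(t) and a / balances[t] >= min_fraction)
            if len(drained) >= min_tokens:
                alerts.append({"destination": dest, "tokens": drained, "at": ts.isoformat()})
                break  # one alert per destination is enough to trigger a freeze
    return alerts

if __name__ == "__main__":
    for alert in detect_drain(TRANSFERS, BALANCES, KNOWN_DESTINATIONS):
        print(alert)
```

The alert fires on the third large transfer, before the fourth token leaves the wallet, which is the point at which an automated withdrawal halt would limit the loss.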
The fact that Upbit's customer funds remain protected despite the breach highlights the importance of adequate reserve funds and responsible business practices in the cryptocurrency industry. The exchange's commitment to covering all losses from company assets stands in contrast to earlier Korean exchange failures like Youbit, which resulted in significant customer losses.

Conclusion

The November 2025 Upbit security breach serves as a stark reminder of the persistent security challenges facing the cryptocurrency industry, even as it matures and gains mainstream acceptance. While Upbit's prompt response and commitment to covering user losses prevented immediate financial harm to customers, the incident underscores the sophistication of modern hacking groups and the ongoing vulnerabilities in exchange security systems.
The timing of the attack, coinciding with one of the largest corporate acquisitions in Korean fintech history, highlights the complex interplay between cybersecurity, business development, and geopolitical factors in the cryptocurrency ecosystem. As Korean exchanges continue to be targeted by state-sponsored hacking groups, the industry must evolve beyond reactive security measures toward proactive, intelligence-driven defense strategies.
For the broader cryptocurrency market, the Upbit incident reinforces the importance of robust security practices, adequate reserves, and transparent communication during crises. While the financial impact of this breach was contained thanks to Upbit's responsible approach, the recurrence of major exchange hacks six years after previous incidents suggests that the industry still has significant progress to make in securing user funds against determined adversaries. The ongoing regulatory inspection until December 5 will likely yield additional insights and potentially new security requirements for Korean cryptocurrency exchanges.

CoinCatch Team
Disclaimer:
Digital asset prices carry high market risk and price volatility. You should carefully consider your investment experience, financial situation, investment objectives, and risk tolerance. CoinCatch is not responsible for any losses that may occur. This article should not be considered financial advice.