Upbit Hack (2025)

1000 BTC

Monetary Impact: $36,000,000
Month: November
Year: 2025
Type: Exchange
Network: Solana
Platform Status: Operational
Cause: Hot-wallet compromise via weak signature scheme exposing keys

Incident Review

On November 27, 2025, at about 04:42 KST, Upbit, South Korea’s largest cryptocurrency exchange, detected unauthorized withdrawals of roughly 54 billion KRW (about $36 million) in Solana-based assets from one of its hot wallets, including SOL, USDC, BONK, JUP, RAY, RENDER, ORCA, and PYTH. The exchange suspended all Solana network deposits and withdrawals within minutes, moved remaining hot-wallet assets to cold storage, launched a forensic review, and pledged to fully reimburse affected users from corporate reserves. Halborn’s analysis pointed to weaknesses in Upbit’s digital-signature implementation that could have let an attacker derive private keys from on-chain transaction history, and investigators hinted at North Korea’s Lazarus Group, which was blamed for the exchange’s 2019 theft of 342,000 ETH. The breach landed with symbolic timing, on the exact six-year anniversary of that earlier heist and as parent company Dunamu was caught up in a major acquisition. The incident revived debate over hot-wallet exposure on fast-settling networks like Solana, where compromised credentials leave little time to block outflows, and reinforced the case for multi-signature withdrawals, key rotation, and isolated wallet infrastructure.


©2025, UEEx All Rights Reserved FINTRAC Registered