Emergency Audit After Upbit Attack Reveals Internal Wallet Flaw

  • Upbit fixed a wallet vulnerability after a $30 million Solana-related theft.
  • Withdrawals were suspended and some stolen funds were frozen following the attack.
  • Authorities are investigating possible involvement by the Lazarus Group.

South Korea’s largest cryptocurrency exchange, Upbit, disclosed a serious internal wallet vulnerability discovered during an emergency audit following a $30 million theft related to Solana assets.

The finding emerged as the company continues to probe the irregular Solana-based withdrawals that prompted the security review, and it raises concerns about potential exposure of private keys within the platform’s wallet system.

Bug discovered during emergency audit

The emergency audit, launched after abnormal activity was detected on November 26, revealed a flaw in Upbit’s internal wallet software that could, in theory, allow attackers to reconstruct private keys by analyzing on-chain transaction data.

In a public statement issued after the audit, CEO Oh Kyung-seok explained that while blockchain data is generally public yet secure, the company’s proprietary wallet implementation produced weak and predictable signature data, creating a theoretical risk.

Upbit emphasized that the flaw was identified only after the system-level review and does not appear to be directly tied to the attack itself.

The exchange has since patched the vulnerability and conducted a comprehensive inspection of all related wallet networks and systems to ensure no additional weaknesses remain.

Upbit will cover all losses from its reserves

The attack resulted in total losses of roughly 44.5 billion KRW, including about 38.6 billion KRW of customer assets, prompting immediate steps from the exchange.

Withdrawals were suspended and remaining assets were moved to cold storage to prevent further loss.

Approximately 2.3 billion KRW of the stolen funds—about $1.5 million—have already been frozen.

Oh Kyung-seok described the incident as a reminder that no security system can be considered completely infallible.

He reassured customers that Upbit will cover all losses using its own reserves and pledged to strengthen security measures across the platform.

The exchange said it will resume deposits and withdrawals only after final verification of its wallet systems.

South Korean authorities investigating the hack

South Korean authorities have opened an investigation into the incident, with early intelligence reports indicating possible involvement by the Lazarus hacking group, which is linked to North Korea.

Although neither Upbit nor regulators have publicly confirmed that attribution, the company continues to cooperate with law enforcement and blockchain projects to recover and freeze stolen assets wherever possible.

The incident prompted Upbit to carry out a broader review of its entire infrastructure.

Upbit noted that the irregular withdrawals from wallets tied to Solana—including tokens such as ORCA, RAY, and JUP—served as the immediate catalyst for the emergency audit and the subsequent discovery of vulnerabilities.

By completing a full review of its wallet systems, Upbit aims to prevent similar breaches in the future and enhance overall platform security.