Emergency Audit After Upbit Hack Reveals Internal Wallet Vulnerability

  • Upbit patched a wallet flaw after a $30M Solana-related hack.
  • Withdrawals were halted, and stolen funds were partly frozen following the attack.
  • Authorities probe possible Lazarus Group involvement.

South Korea’s largest cryptocurrency exchange, Upbit, disclosed a critical internal wallet vulnerability after launching an emergency audit in response to a roughly $30 million hack. The company discovered the issue while investigating unusual Solana-based withdrawals that prompted broad security checks. The finding raised concerns that private keys within the exchange’s wallet system could be at risk.

Flaw discovered after emergency audit

The emergency review, initiated after abnormal activity was detected on Nov. 26, identified a flaw in Upbit’s internal wallet software. Because the wallet implementation produced predictable or weak signature outputs, attackers could theoretically derive private keys by analysing signature data and blockchain transactions.

CEO Oh Kyung-seok said in an official announcement that while blockchain transaction data is public by design, it is normally secure. In this case, however, characteristics of Upbit’s wallet signatures introduced a theoretical risk. The company stressed that the flaw was uncovered only as part of the systemwide audit and did not appear to be the direct cause of the initial hack.

Upbit has patched the vulnerability and completed an extensive inspection of related networks and wallet systems to ensure no further weaknesses remain. The company says it will continue monitoring and hardening its cryptographic implementations to prevent similar issues.

Upbit to cover all losses using its own reserves

The security incident resulted in losses of about 44.5 billion KRW, including roughly 38.6 billion KRW in customer assets. In response, Upbit suspended withdrawals and transferred remaining funds to cold storage to limit exposure. Law enforcement and financial partners have so far frozen around 2.3 billion KRW (approximately $1.5 million) of the stolen assets.

CEO Oh Kyung-seok described the breach as a reminder that no system is completely immune to security failures. He assured customers that Upbit will cover all losses from its own reserves and pledged to strengthen security across the platform. The exchange has committed to reopening deposits and withdrawals only after final verification and validation of its wallet systems.

South Korean authorities are investigating the hack

South Korean authorities have opened an investigation into the incident. Early intelligence and reporting have suggested possible links to the North Korea–linked Lazarus Group, though neither Upbit nor regulators have publicly confirmed attribution. Upbit continues to cooperate with law enforcement and blockchain projects in efforts to track, freeze, and recover stolen assets where possible.

The incident prompted a comprehensive security review of Upbit’s infrastructure. The unusual withdrawals originated from Solana-related wallets and involved tokens such as ORCA, RAY, and JUP, which triggered the emergency audit and ultimately led to the discovery of the wallet vulnerability. By undertaking a full overhaul of its wallet systems and related security controls, Upbit aims to reduce the risk of similar breaches in the future and to restore customer confidence.