Upbit, South Korea’s largest cryptocurrency exchange, says an emergency audit following a $30 million theft this week exposed a serious flaw in its internal wallet system. The company has fixed the issue, though it remains unclear whether the vulnerability played a role in the attack.
In a statement released Friday, CEO Oh Kyung seok explained that the team discovered a weakness in its wallet software that could have allowed someone monitoring Upbit’s onchain activity to work out private keys. That type of information is never revealed through normal blockchain data, which suggests the flaw stemmed from how the exchange generated wallet signatures. According to Upbit, the bug created patterns that were predictable enough for an attacker to potentially reconstruct the private keys controlling certain wallets.
두나무
The exchange stopped short of directly linking the flaw to the breach, saying it surfaced only after Upbit launched a full investigation into a wave of irregular withdrawals from its Solana related wallets on November 27. Oh said the company activated its emergency response plan, paused all deposits and withdrawals, and began a complete review of its networks and wallet infrastructure. The problematic component was patched during this process.
Upbit confirmed losses of about 44.5 billion KRW, equal to roughly $30 million. The company said about 38.6 billion KRW of that amount belonged to customers, and around 2.3 billion KRW in stolen assets has already been frozen with help from partners. Upbit has pledged to cover all customer losses using its own reserves.
The platform is now carrying out a broader security overhaul, noting that even mature systems must assume the possibility of failure. Deposits and withdrawals will resume once final checks are complete, and Upbit said it will continue to release updates as the investigation progresses.
The breach was first detected on November 26, when the exchange halted withdrawals after spotting abnormal outflows involving Solana ecosystem tokens including SOL, ORCA, RAY, and JUP. Upbit quickly moved remaining funds to cold storage and began rebuilding parts of its wallet system.
South Korean authorities have opened a formal investigation. Local media have reported early intelligence pointing to North Korea’s Lazarus Group, though neither Upbit nor regulators have confirmed any attribution. The exchange says it is working with law enforcement and blockchain teams to trace, freeze, and recover funds where possible.
As Upbit’s parent company Dunamu prepares for a merger with tech giant Naver ahead of a possible public listing, the incident has added new pressure to strengthen security across the rapidly growing platform.
