Upbit's Second $30M Hack in Six Years Highlights Crypto Infrastructure Vulnerabilities

Generated by AI agent Coin World. Reviewed by David Feng
Sunday, November 30, 2025, 11:52 am ET (1 min read)

South Korea's largest cryptocurrency exchange, Upbit, is under investigation after a $30.4 million theft attributed to unauthorized withdrawals from its Solana network hot wallet, with authorities suspecting involvement by North Korea's Lazarus Group. The breach, detected at 4:42 a.m. local time on November 27, involved the transfer of 54 billion won ($36 million) in digital assets, including tokens like BONK, TRUMP, and USDC, according to blockchain analysis. Upbit has pledged to cover all customer losses and has suspended Solana-related deposits and withdrawals while shifting remaining assets to cold storage, as reported. The incident occurred just hours before its parent company, Dunamu, finalized a $10.3 billion acquisition by tech giant Naver, raising questions about timing and operational vulnerabilities, according to financial reports.

This marks Upbit's second major breach in six years. In 2019, the Lazarus Group was linked to a $50 million theft of 342,000 ETH, prompting the exchange to increase cold storage ratios to 70%, as reported. The 2025 attack shares similarities with the 2019 incident, including suspected admin credential compromise and the use of mixing techniques to launder funds, according to cybersecurity experts. South Korean authorities cited technical parallels, noting attackers may have impersonated administrators or exploited internal account weaknesses, as observed. Upbit's CEO, Oh Kyung-seok, acknowledged a critical wallet flaw during its investigation, though the exchange has not confirmed it directly caused the breach. The vulnerability, tied to weak cryptographic signatures in wallet software, could allow attackers to infer private keys by analyzing blockchain data, according to technical analysis.

The hack has intensified scrutiny of South Korea's crypto infrastructure, particularly following the Naver-Dunamu merger. Regulators are already probing Upbit for delayed reporting and data-handling issues, with unconfirmed reports suggesting potential restrictions on new user sign-ups, according to financial analysis. Meanwhile, experts highlight the broader threat posed by North Korean cyber operations, which the FBI describes as "one of the most advanced persistent threats," as stated. The Lazarus Group has been linked to multiple high-profile heists, including a $1.5 billion theft from Bybit in March 2025, according to cybersecurity reports.

Upbit's response includes freezing compromised assets and collaborating with blockchain projects to trace outflows. Approximately $1.5 million in funds have already been frozen, though the full scale of the breach remains under evaluation, as reported. The exchange plans to resume services only after completing a comprehensive security review. As the investigation unfolds, the incident underscores the fragility of hot wallet systems and the persistent risks faced by crypto platforms in a landscape marked by state-sponsored cyberattacks.
