Upbit's Second $30M Hack in Six Years Highlights Crypto Infrastructure Vulnerabilities

Generated by AI AgentCoin WorldReviewed byDavid Feng
Sunday, Nov 30, 2025 11:52 am ET1min read
Speaker 1
Speaker 2
AI Podcast:Your News, Now Playing
Aime RobotAime Summary

- South Korea's Upbit suffered a $30.4M theft via unauthorized

Solana
hot wallet withdrawals, with North Korea's Lazarus Group suspected.

- The breach occurred hours before its parent company's $10.3B acquisition by Naver, raising concerns about timing and security vulnerabilities.

- Upbit pledged to cover losses, froze compromised assets, and acknowledged a wallet flaw involving weak cryptographic signatures.

- This marks Upbit's second major hack in six years, highlighting persistent risks from state-sponsored cyberattacks and fragile hot wallet systems.

- Experts warn of broader threats from Lazarus Group, linked to $1.5B Bybit theft in 2025, as regulators investigate Upbit's delayed reporting and security practices.

South Korea's largest cryptocurrency exchange, Upbit, is

under investigation
after a $30.4 million theft attributed to unauthorized withdrawals from its
Solana
network hot wallet, with authorities suspecting involvement by North Korea's Lazarus Group. The breach, detected at 4:42 a.m. local time on November 27, involved the transfer of 54 billion won ($36 million) in digital assets, including tokens like
BONK
, TRUMP, and
USDC
according to blockchain analysis
. Upbit has pledged to cover all customer losses and suspended Solana-related deposits and withdrawals while shifting remaining assets to cold storage
as reported
. The incident occurred just hours before its parent company, Dunamu, finalized a $10.3 billion acquisition by tech giant Naver, raising questions about timing and operational vulnerabilities
according to financial reports
.

This marks Upbit's second major breach in six years. In 2019, the Lazarus Group was linked to a $50 million theft of 342,000 ETH, prompting the exchange to increase cold storage ratios to 70%

as reported
. The 2025 attack shares similarities with the 2019 incident, including suspected admin credential compromise and the use of mixing techniques to launder funds
according to cybersecurity experts
. South Korean authorities cited technical parallels, noting attackers may have impersonated administrators or exploited internal account weaknesses
as observed
. Upbit's CEO, Oh Kyung-seok, acknowledged a critical wallet flaw during its investigation, though the exchange has not confirmed it directly caused the breach. The vulnerability, tied to weak cryptographic signatures in wallet software, could allow attackers to infer private keys by analyzing blockchain data
according to technical analysis
.

The hack has intensified scrutiny of South Korea's crypto infrastructure, particularly following the Naver-Dunamu merger. Regulators are already probing Upbit for delayed reporting and data-handling issues, with unconfirmed reports suggesting potential restrictions on new user sign-ups

according to financial analysis
. Meanwhile, experts highlight the broader threat posed by North Korean cyber operations, which the FBI describes as "one of the most advanced persistent threats"
as stated
. The Lazarus Group has been linked to multiple high-profile heists, including a $1.5 billion theft from Bybit in March 2025
according to cybersecurity reports
.

Upbit's response includes freezing compromised assets and collaborating with blockchain projects to trace outflows. Approximately $1.5 million in funds have already been frozen, though the full scale of the breach remains under evaluation

as reported
. The exchange plans to resume services only after completing a comprehensive security review. As the investigation unfolds, the incident underscores the fragility of hot wallet systems and the persistent risks faced by crypto platforms in a landscape marked by state-sponsored cyberattacks.