TLDR
- Upbit lost between $30 million and $38 million in the breach.
- The hack was linked to North Korean group Lazarus.
- Upbit plans to reimburse affected users fully.
On November 27, 2025, Upbit, a major South Korean cryptocurrency exchange, experienced a significant security breach resulting in losses estimated at between $30 million and $38 million. The hack targeted Solana network assets within the exchange’s hot wallet.
The incident was linked to a flaw in the wallet system, and is suspected to have been carried out by the North Korean hacking group Lazarus, known for similar cyberattacks in the past. Notably, Upbit had previously been targeted in a $50 million heist attributed to Lazarus in 2019.
Company Response and Immediate Actions Taken
Following the breach, Upbit promptly suspended deposits and withdrawals, and moved assets into cold storage. Oh Kyung-seok, CEO of Dunamu, Upbit’s parent company, publicly addressed the incident. He assured that affected users would receive full reimbursement from the company’s reserves.
“We plan to fully cover any damages using Upbit’s own assets to ensure no harm comes to customer funds.”
Oh Kyung-seok, CEO of Dunamu
Investigative Findings
Upbit’s investigation identified a hidden wallet flaw involving weak signature data, which may have enabled the exploit. The company took measures to freeze approximately $1.6 million worth of LAYER tokens. Additionally, $8.18 million of the assets were recovered, demonstrating the ongoing asset tracing and freezing efforts.
Authorities in South Korea have launched on-site inspections of Upbit to further probe the hack. Upbit is collaborating with regulatory bodies as part of these investigations.
Affected Cryptocurrencies and Market Reactions
The primary cryptocurrencies affected by the exploit included various Solana-based tokens such as SOL, USDC (on Solana), BONK, RENDER, ORCA, JUP, PYTH, IO, and notably LAYER tokens. Assets stored in cold wallets, including BTC and ETH, remained secure and unaffected.
The breach temporarily halted deposits and withdrawals, but internal trading activity on the platform continued. It has also led to heightened scrutiny of Upbit’s security protocols, especially concerning hot wallet vulnerabilities.
Upbit's Ongoing Efforts and Regulatory Involvement
Upbit is conducting a detailed review to improve security infrastructure and protect against future threats. This initiative has prompted cross-platform discussions among the crypto community and regulators focusing on strengthening infrastructure safeguards and compliance measures.
At the time of the incident, Dunamu had recently announced a major $10 billion merger with Naver Financial. The merger is part of a broader plan for a Nasdaq listing and aims to invest heavily in AI and Web3 infrastructure over the next five years.
Historical Context and Security Challenges
Lazarus Group's involvement underscores persistent security challenges in the cryptocurrency sector. Their history with Upbit, including a similar theft in 2019, highlights the ongoing threat these state-sponsored groups pose. Engaged users and industry leaders continue to advocate for enhanced security measures.
The breach has again spotlighted vulnerabilities associated with hot wallets, pushing for a reevaluation of current security and operational protocols across the industry. This latest incident adds further complexity to Upbit’s planned merger and expansion efforts.