
Upbit’s Worst Timing Ever: Massive SOL Breach Crashes Its Big Day With Naver


Written & Edited by
Oihyun Kim

27 November 2025 05:04 UTC
  • Upbit detected unauthorized withdrawals of approximately 54 billion KRW ($36 million) in Solana-based assets on November 27, 2025, affecting tokens including SOL, USDC, BONK, JUP, RAY, RENDER, ORCA, and PYTH.
  • The South Korean exchange immediately suspended all Solana network deposit and withdrawal services while implementing emergency inspection protocols to contain the breach.
  • Six years ago, Upbit lost 342,000 ETH in a major breach later attributed to North Korean hackers.

Upbit, a leading South Korean cryptocurrency exchange, identified unauthorized withdrawals totaling around 54 billion KRW ($36 million) in Solana-based assets on Thursday.

The breach affected several tokens, including SOL, USDC, BONK, JUP, RAY, RENDER, ORCA, and PYTH. Stolen funds were sent to unidentified external wallets. Upbit immediately suspended deposits and withdrawals for the Solana network to limit further losses and safeguard user funds.


Exchange Responds With Emergency Measures

According to Upbit’s announcement, the exchange promptly halted all deposit and withdrawal services for Solana-based assets and began emergency inspections to assess the damage and reinforce security. Multiple urgent updates were posted on the Upbit customer center between November 26 and 27, 2025, documenting each step of its rapid response.

The breach affected a broad range of Solana ecosystem tokens. Beyond SOL and USDC, the incident also impacted popular DeFi and meme tokens, including BONK, Jupiter (JUP), Raydium (RAY), Render (RENDER), Orca (ORCA), and Pyth Network (PYTH). The spread suggests attackers targeted Upbit’s hot wallet infrastructure, which handles active trading and withdrawals.

Upbit immediately suspended all deposit and withdrawal services in the morning after detecting abnormal withdrawal activity, and entered an emergency inspection. The company also disclosed all wallet addresses involved in the “irregular outflow”.

Security experts monitoring the breach confirmed that Upbit suspended Solana token services to protect user assets. The exchange took swift measures to prevent further losses while forensic teams investigated. However, the incident raised concerns about vulnerabilities within hot wallet systems that stay connected for operations.


Party-Spoiler Ruins Dunamu–Naver Merger Celebration

The incident occurred on the same day that Dunamu, the operator of Upbit, announced a plan to seize global market leadership through AI- and Web3-based collaboration with Naver, South Korea’s largest portal company. Naver and Dunamu, together with Naver Financial, plan to invest 10 trillion won over the next five years to foster the domestic AI and Web3 technology ecosystem. 

The 54 billion KRW loss, roughly $36 million, places the Upbit breach among the year’s largest for exchanges. Nevertheless, it remains smaller than several of the industry’s historic hacks. Most losses involved Solana network assets, pointing to a targeted attack rather than a cross-chain incident.

The company stated, “We have identified the exact amount of digital assets that were leaked, and we will fully cover the loss with Upbit’s own assets so that customers are not affected in any way.”

Six Years After the Last Upbit Hack

This is not the first time Upbit has been hacked. In November 2019, hackers stole 342,000 ETH from the South Korean exchange. The breach caused a loss of about 58 billion won, or roughly $50 million at the time. That amount of ETH is now worth approximately $1.04 billion.

Five years later, in November last year, Korean police officially confirmed that the perpetrators were alleged North Korean hacking groups Lazarus and Andariel. According to the National Office of Investigation, the conclusion was based on evidence such as the use of North Korean IP addresses and North Korea-specific terminology (including phrases used for trivial tasks), as well as data obtained in cooperation with the US Federal Bureau of Investigation (FBI).

Of the stolen Ethereum, the hackers converted 57% into Bitcoin through three cryptocurrency exchanges they had designed themselves and immediately cashed out the proceeds. They laundered the remaining 43% through 51 exchanges across 13 countries, including China, the United States, Hong Kong, and Switzerland.

In October 2024, Korean authorities sought cooperation from Swiss judicial authorities and recovered 4.8 BTC, which they returned to Upbit. However, the remaining countries and exchanges are reportedly refusing to cooperate.

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.
