On November 27, 2025, South Korea’s largest cryptocurrency exchange, Upbit, was forced to suspend deposits and withdrawals after detecting a major security breach involving its Solana-based hot wallets. The incident, which resulted in unauthorized outflows of an estimated $36 million to $38.5 million (approximately 54 billion Korean Won), has triggered a comprehensive security review and raised fresh concerns over exchange security.
The irregular withdrawals were detected at 04:42 local time and affected a wide basket of Solana ecosystem tokens. While the exact list varies by report, the stolen assets included SOL, USDC, BONK, Jito (JTO), Jupiter (JUP), Raydium (RAY), and Render (RENDER), among others. In its immediate response, Upbit moved its remaining digital assets to cold storage to prevent further losses and successfully worked with projects to freeze about 12 billion Won worth of Solayer (LAYER) tokens on-chain. The exchange has assured its users that it will fully cover all losses from the incident using its own corporate reserves, ensuring no customer assets are affected.
A Recurring Security Challenge
This security breach arrives at a critical moment for Upbit’s parent company, Dunamu, which had just announced a landmark $10.3 billion acquisition deal with the South Korean fintech giant Naver Financial. Furthermore, this is not the first time Upbit has faced such a significant security challenge. The incident bears a striking resemblance to a breach exactly six years prior, in November 2019, when the exchange lost 342,000 ETH (worth about $50 million at the time) from its hot wallets in an attack later attributed to North Korean hacking groups.
This pattern highlights the persistent vulnerability of hot wallets, which remain online to facilitate convenient trading and withdrawals and are therefore a more attractive target for attackers than the more secure cold storage. The recurrence of a major hack underscores the ongoing security challenges that even the most prominent and regulated exchanges continue to face.

Navigating the Aftermath
For traders and institutional players, the immediate consequence is a temporary liquidity constraint for Solana-based tokens on the Upbit platform, as deposits and withdrawals remain suspended until a full security audit is completed. While trading continues to function normally on the exchange, the inability to move assets on or off the platform can disrupt short-term portfolio adjustments and hedging strategies.
This event serves as a stark reminder of the inherent custody risk involved in keeping assets on centralized exchanges. The concentration of funds in hot wallets, while necessary for liquidity, can turn into a costly loss without warning. For treasury managers, it reinforces the importance of calibrating exposure to any single counterparty and considering the security of underlying infrastructure when choosing where to hold assets.
The next critical milestones for the market to watch are the conclusion of Upbit’s forensic investigation and the subsequent resumption of full services. The exchange’s handling of the reimbursement process and its transparency in communicating the root cause will be key to restoring user confidence.

