
Upbit hack attributed to North Korea’s Lazarus as Seoul opens probe: report

South Korea’s largest cryptocurrency exchange, Upbit, is in the spotlight after confirming a major security breach on November 27, 2025, in which hackers stole an estimated $30 to $38 million in digital assets from a Solana-based hot wallet.

The attack, which saw assets like SOL, BONK, and USDC swiftly drained, triggered an immediate emergency response from the exchange. Upbit promptly halted all deposit and withdrawal services and moved its remaining assets into cold storage to prevent further losses. In a crucial move to maintain user trust, Dunamu CEO Oh Kyung-seok publicly guaranteed that the exchange would fully cover all losses with its own funds, ensuring no financial impact on its customers.

Suspected Lazarus Group Involvement

Authorities are investigating the breach, with early suspicions pointing to the Lazarus Group, a state-linked hacking collective from North Korea. This would not be the first time Upbit has been targeted by this group; a similar attack in 2019 was also attributed to them. The methods used in the latest breach, including techniques to obscure the trail of the stolen funds, are consistent with known tactics of North Korean hackers. This incident contributes to the staggering $2 billion in cryptocurrency that groups linked to North Korea have stolen in 2025 alone, underscoring a persistent and sophisticated threat to the crypto ecosystem.

A Recurring Weakness and Broader Implications

The breach highlights the persistent security challenge exchanges face with hot wallets, which are connected to the internet for liquidity but are inherently more vulnerable than offline cold storage. The fast transaction speed of the Solana network is also noted as a factor that can allow attackers to drain funds rapidly once a wallet is compromised. The timing of the attack was particularly awkward, coming just one day after the announcement of a massive $10.3 billion stock-swap deal for Naver Financial to acquire Upbit’s parent company, Dunamu. Despite the breach, the market reaction has been relatively muted, likely cushioned by Upbit’s swift commitment to reimburse all affected users.

This event serves as a stark reminder of the operational risks in the crypto industry, even for large, regulated exchanges. It reinforces the critical trade-off between the convenience of hot wallets and the superior security of cold storage. For traders and the broader market, the incident emphasizes the importance of vigilance and robust security practices, including using strong authentication and considering self-custody for long-term asset holdings.
