Upbit moved the bulk of customer assets into cold storage after a hot wallet breach on 27 November 2025 that drained an estimated $30–38.5 million in Solana-based tokens, the exchange said.
The breach was detected at about 4:42 a.m. KST on 27 November 2025 and affected tokens including SOL, TRUMP, BONK and JUP. Upbit suspended all deposits and withdrawals as it began emergency incident handling. The timing drew scrutiny: the exploit occurred on the sixth anniversary of a prior Upbit breach and amid reporting of a proposed $10 billion merger with Naver Financial, increasing commercial and reputational pressure on the exchange.
Upbit moved 99% of user funds to offline cold storage, a change that exceeds South Korea’s existing requirement to keep 80% of assets offline. The exchange retired the compromised hot wallets, purged old deposit addresses, and completed a broad reissue of deposit endpoints to new addresses. Forensics identified a private-key inference vulnerability that could allow attackers to deduce private keys by analysing multiple wallet addresses; Upbit said that discovery prompted systematic remediation across its wallet architecture.
To protect customers, the platform pledged full reimbursement for affected users and recorded a corporate loss of 5.9 billion won to cover 38.6 billion won in member assets.
Investigators have flagged patterns consistent with state-linked groups; analysts and authorities have pointed to the Lazarus Group as a prime suspect given similarities in credential compromise, cross-chain asset movements and the use of privacy-mixing services. The incident also renews scrutiny of the Solana ecosystem, which has previously experienced wallet and client-side failures in 2022 and 2023.
Policymakers in Seoul are considering tighter measures, including proposals for “no-fault liability” that would compel exchanges to compensate users for losses regardless of negligence — a regulatory shift that could reshape operational and capital requirements for custodians.
The hack forced Upbit into a near-total cold-storage posture and exposed an architectural weakness with direct balance-sheet and regulatory consequences. The incident highlights the tension between liquidity for users and hardened custody controls that compliance and product teams must reconcile.
