Upbit, South Korea’s largest cryptocurrency exchange, confirmed that a security incident occurred early on November 27, involving abnormal transactions linked to its Solana network hot wallet. According to the exchange, around 445 billion Korean won ($32.6 million) worth of Solana-based digital assets were transferred to unauthorized wallet addresses at 4:42 a.m. local time. The company suspended all deposits and withdrawals immediately after the breach.

Upbit explained that the affected assets were moved from a hot wallet, which handles daily transactions, while its cold wallets, used for offline storage, remained intact. In its official statement, the platform clarified that no user assets stored in cold wallets were compromised.

The exchange provided an updated list of affected tokens, which includes SOL, 2Z, ACS, BONK, DOOD, DRIFT, HUMA, IO, JTO, JUP, LAYER, ME, MEW, MOODENG, ORCA, PENGU, PYTH, RAY, RENDER, SONIC, SOON, TRUMP, USDC, and W.

Company revises estimates and confirms frozen assets

Upbit’s initial estimate of the outflow was ₩54 billion, but it later revised the figure to ₩44.5 billion after reassessing token prices at the time of the incident. The company also updated information about frozen tokens, correcting the amount from ₩12 billion to ₩2.3 billion worth of Layer (LAYER) tokens that have been successfully frozen on-chain.

The exchange’s team initiated a security review immediately after identifying the unauthorized withdrawals.

“Upbit detected that a portion of Solana network assets, worth approximately ₩44.5 billion, were transferred to an unassigned external wallet address,” the company said in its translated notice.

Upbit confirmed that it is continuing to collaborate with related projects, blockchain networks, and law enforcement agencies to trace and freeze remaining digital assets.

CEO Kyung-seok Oh issues apology to users

Dunamu CEO Kyung-seok Oh, who oversees Upbit, addressed users publicly in a statement included in the updated announcement.

“First, we deeply apologize for any inconvenience caused to our members due to the urgent digital asset deposit and withdrawal service inspection and the abnormal withdrawal situation today. Upbit immediately suspended deposit and withdrawal services and conducted a comprehensive inspection, prioritizing the protection of member assets,” he said.

Oh emphasized that the exchange had identified the scope of the asset leakage immediately and committed to covering the full amount using company-held reserves.

“To prevent any damage to member assets, the entire amount will be covered by Upbit’s holdings,” he added.

The CEO reassured users that no customer would experience any direct financial loss as a result of the breach.

Security response and ongoing audit

Upbit stated that it has completed several countermeasures following the breach. All digital assets have been transferred to secure cold wallets to ensure no further unauthorized transfers occur. The platform is conducting a broad security audit of all deposit and withdrawal systems, extending beyond the Solana network.

According to Upbit, once security verification is complete, deposit and withdrawal services will resume gradually. The company also asked users to report any suspicious wallet activity through its 24-hour customer support channels, including phone, KakaoTalk, and its website.

Regulatory context and ongoing investigation

The breach adds pressure to Upbit and its parent company Dunamu, which already face increased regulatory scrutiny after recent compliance penalties tied to anti-money laundering procedures. The company is currently pursuing a strategic partnership with Naver, which had been expected to precede an eventual U.S. stock market listing.

While Upbit has not yet disclosed the technical entry point of the attack, industry analysts noted that early evidence suggests a compromise of Upbit’s wallet infrastructure, not a flaw within the Solana protocol itself.

At present, investigative authorities are working with Upbit to trace the illicit transfers and identify the entities behind the attack.

Commitment to user protection

Closing its statement, Upbit reiterated its commitment to transparency and asset security. It confirmed that the company will continue to notify users of verified updates as its audit and investigations move forward.

“Upbit values member assets above all else,” the company’s message concluded. “We will provide safer services based on a reinforced security system.”

The exchange assured that its ongoing cooperation with investigative agencies and blockchain partners would continue until all possible recovery actions are exhausted.
