Crypto Journalist
Amin Ayan
Crypto Journalist
Amin Ayan
Part of the Team Since
Apr 2025
About Author
Amin Ayan is a crypto journalist with over four years of experience in the industry. He has contributed to leading publications such as Cryptonews, Investing.com, 99Bitcoins, and 24/7 Wall St. He has…
Last updated:
South Korea’s largest cryptocurrency exchange, Upbit, said it uncovered and repaired a serious flaw in its internal wallet system while investigating the recent $30 million theft from the platform.
Key Takeaways:
- Upbit found and fixed a wallet flaw that could have exposed private keys, but has not confirmed it caused the $30M hack.
- The breach drained about 44.5 billion won, while roughly 2.3 billion won has already been frozen.
- The exchange halted activity, moved funds to cold storage, and pledged full reimbursement.
In a statement released Friday, Upbit CEO Oh Kyung-seok disclosed that engineers identified a weakness in the exchange’s wallet software that could have allowed attackers to infer private keys by studying publicly available blockchain data.
However, the crypto firm has not confirmed whether the vulnerability played a role in the breach.
Upbit Says Internal Wallet Bug May Have Exposed Private Keys
The flaw did not stem from the blockchains themselves but from how Upbit’s wallet software generated cryptographic signatures.
According to the exchange, the issue may have produced weak or predictable signing data, creating the possibility that a sophisticated attacker could mathematically reconstruct wallet keys by analyzing historical transactions.
“We identified and addressed the vulnerability during a comprehensive inspection of all related networks and wallet systems,” Oh said, adding that the company activated emergency response protocols and halted all withdrawals and deposits until systems were verified as secure.
Upbit stopped onchain activity on November 26 after detecting abnormal outflows from its Solana-based hot wallets.
Tokens impacted included SOL, ORCA, RAY and JUP, the exchange said. Assets were quickly transferred to cold storage while forensic reviews began.
Losses totaled an estimated 44.5 billion won ($30 million), including about 38.6 billion won ($26 million) in customer holdings.
Upbit says attackers might have inferred private keys by analyzing user wallet address patterns. If true, I doubt anyone other than North Korean hackers (Lazarus) could do this. pic.twitter.com/cS4I8okrVb
— Ki Young Ju (@ki_young_ju) November 28, 2025
The exchange confirmed that approximately 2.3 billion won ($1.5 million) in funds have already been frozen through coordination with external parties.
Upbit emphasized that it has not established a direct link between the wallet vulnerability and the theft. The issue was discovered only during an internal audit triggered by the incident.
“No security system can ever be considered perfect,” Oh said, pledging infrastructure upgrades and continued transparency as investigations continue.
The company said all affected users would be reimbursed in full using internal reserves. Withdrawals and deposits will remain suspended until final security inspections are completed.
South Korean Probe Points to North Korea’s Lazarus Group in Upbit Hack
South Korean authorities have launched an investigation, and local reports have cited early intelligence assessments that allegedly connect the intrusion to North Korea’s Lazarus Group.
The group has previously been linked to crypto thefts aimed at generating revenue for Pyongyang amid persistent foreign currency shortages.
Officials believe this time the hackers may have bypassed core infrastructure by impersonating administrators or compromising internal accounts to authorize the withdrawal.
Upbit continues to work with law enforcement agencies and blockchain projects to freeze and recover assets where possible, the exchange said.
The incident comes at a sensitive moment for Upbit’s parent company, Dunamu, which is preparing for a merger with South Korean internet giant Naver ahead of a potential public listing.
Follow us on Google News