{"id":880728,"date":"2025-12-26T01:12:26","date_gmt":"2025-12-26T07:12:26","guid":{"rendered":"https:\/\/newsycanuse.com\/index.php\/2025\/12\/26\/upbit-finds-critical-wallet-flaw-amid-probe-into-30m-hack\/"},"modified":"2025-12-26T01:12:26","modified_gmt":"2025-12-26T07:12:26","slug":"upbit-finds-critical-wallet-flaw-amid-probe-into-30m-hack","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2025\/12\/26\/upbit-finds-critical-wallet-flaw-amid-probe-into-30m-hack\/","title":{"rendered":"Upbit Finds Critical Wallet Flaw Amid Probe Into $30M Hack"},"content":{"rendered":"<div>\n<div>\n<div>\n<p><img decoding=\"async\" src=\"https:\/\/cimg.co\/wp-content\/uploads\/2025\/04\/23090551\/ayan-150x150.jpg\" alt>\n                    <\/p>\n<p>Crypto Journalist<\/p>\n<div>\n<p>Amin Ayan<\/p>\n<div>\n<div>\n<p><img decoding=\"async\" src=\"https:\/\/cimg.co\/wp-content\/uploads\/2025\/04\/23090551\/ayan-150x150.jpg\" alt>\n                <\/p>\n<div>\n<div>\n<p>Crypto Journalist<\/p>\n<p><span>Amin Ayan<\/span><span class><img decoding=\"async\" src=\"https:\/\/cryptonews.com\/wp-content\/themes\/cryptonews\/images\/verification.svg\" alt=\"Verified\"><\/span>\n                    <\/p>\n<\/p><\/div>\n<div>\n<p>Part of the Team Since<\/p>\n<p>Apr 2025<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div>\n<p>About Author<\/p>\n<p>Amin Ayan is a crypto journalist with over four years of experience in the industry. He has contributed to leading publications such as Cryptonews, Investing.com, 99Bitcoins, and 24\/7 Wall St. He has&#8230;<\/p>\n<\/p><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<div>\n<p>Last updated:\u00a0<\/p>\n<p><time datetime=\"2025-11-29T10:30:25+00:00\">November 29, 2025<\/time>\n        <\/p>\n<\/p><\/div>\n<\/div>\n<p><img loading=\"lazy\" width=\"1200\" height=\"673\" src=\"https:\/\/cimg.co\/wp-content\/uploads\/2025\/11\/29062251\/1764397370-image-1764397028771_optimized.jpg\" alt=\"Upbit Finds Critical Wallet Flaw Amid Probe Into $30M Hack\" decoding=\"async\"  ><\/p>\n<p>South Korea\u2019s largest cryptocurrency exchange, Upbit, said it uncovered and repaired a serious flaw in its internal wallet system while investigating the recent $30 million theft from the platform.<\/p>\n<div>\n<p><strong>Key Takeaways:<\/strong><\/p>\n<ul>\n<li><span>Upbit found and fixed a wallet flaw that could have exposed private keys, but has not confirmed it caused the $30M hack.<\/span><\/li>\n<li><span>The breach drained about 44.5 billion won, while roughly 2.3 billion won has already been frozen.<\/span><\/li>\n<li><span>The exchange halted activity, moved funds to cold storage, and pledged full reimbursement.<\/span><\/li>\n<\/ul>\n<\/div>\n<p>In a statement released Friday, Upbit CEO Oh Kyung-seok disclosed that engineers identified a weakness in the exchange\u2019s wallet software that could have allowed attackers to infer private keys by studying publicly available blockchain data.<\/p>\n<p>However, the crypto firm has not confirmed whether the vulnerability played a role in the breach.<\/p>\n<h2><span id=\"h-upbit-says-internal-wallet-bug-may-have-exposed-private-keys\">Upbit Says Internal Wallet Bug May Have Exposed Private Keys<\/span><\/h2>\n<p>The flaw did not stem from the blockchains themselves but from how Upbit\u2019s wallet software generated cryptographic signatures.<\/p>\n<p>According to the exchange, the issue may have produced weak or predictable signing data, creating the possibility that a sophisticated attacker could mathematically reconstruct wallet keys by analyzing historical transactions.<\/p>\n<p>\u201cWe identified and addressed the vulnerability during a comprehensive inspection of all related networks and wallet systems,\u201d Oh said, adding that the company activated emergency response protocols and halted all withdrawals and deposits until systems were verified as secure.<\/p>\n<p>Upbit stopped onchain activity on November 26 after <a href=\"https:\/\/cryptonews.com\/news\/upbit-solana-network-exploit-36m-vows-to-repay-customers\/\">detecting abnormal outflows<\/a> from its Solana-based hot wallets.<\/p>\n<p>Tokens impacted included SOL, ORCA, RAY and JUP, the exchange said. Assets were quickly transferred to cold storage while forensic reviews began.<\/p>\n<p>Losses totaled an estimated 44.5 billion won ($30 million), including about 38.6 billion won ($26 million) in customer holdings.<\/p>\n<figure>\n<div>\n<blockquote data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Upbit says attackers might have inferred private keys by analyzing user wallet address patterns. If true, I doubt anyone other than North Korean hackers (Lazarus) could do this. <a href=\"https:\/\/t.co\/cS4I8okrVb\" target=\"_blank\">pic.twitter.com\/cS4I8okrVb<\/a><\/p>\n<p>\u2014 Ki Young Ju (@ki_young_ju) <a href=\"https:\/\/twitter.com\/ki_young_ju\/status\/1994334219204530623?ref_src=twsrc%5Etfw\" target=\"_blank\">November 28, 2025<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>The exchange confirmed that approximately 2.3 billion won ($1.5 million) in funds have already been frozen through coordination with external parties.<\/p>\n<p>Upbit emphasized that it has not established a direct link between the wallet vulnerability and the theft. The issue was discovered only during an internal audit triggered by the incident.<\/p>\n<p>\u201cNo security system can ever be considered perfect,\u201d Oh said, pledging infrastructure upgrades and continued transparency as investigations continue.<\/p>\n<p>The company said all affected users would be reimbursed in full using internal reserves. Withdrawals and deposits will remain suspended until final security inspections are completed.<\/p>\n<h2><span id=\"h-south-korean-probe-points-to-north-korea-s-lazarus-group-in-upbit-hack\">South Korean Probe Points to North Korea\u2019s Lazarus Group in Upbit Hack<\/span><\/h2>\n<p>South Korean authorities have launched an investigation, and local reports have cited early intelligence assessments that allegedly <a href=\"https:\/\/cryptonews.com\/news\/north-koreas-lazarus-group-linked-to-30m-upbit-hack\/\">connect the intrusion to North Korea\u2019s<\/a> Lazarus Group.<\/p>\n<p>The group has previously been linked to crypto thefts aimed at generating revenue for Pyongyang amid persistent foreign currency shortages.<\/p>\n<p>Officials believe this time the hackers may have bypassed core infrastructure by impersonating administrators or compromising internal accounts to authorize the withdrawal.<\/p>\n<p>Upbit continues to work with law enforcement agencies and blockchain projects to freeze and recover assets where possible, the exchange said.<\/p>\n<p>The incident comes at a sensitive moment for Upbit\u2019s parent company, Dunamu, which is <a href=\"https:\/\/cryptonews.com\/news\/upbit-nasdaq-ipo-merger-naver\/\">preparing for a merger<\/a> with South Korean internet giant Naver ahead of a potential public listing.<\/p>\n<p>\n                                    <a href=\"https:\/\/news.google.com\/publications\/CAAqKQgKIiNDQklTRkFnTWFoQUtEbU55ZVhCMGIyNWxkM011WTI5dEtBQVAB?ceid=US:en&#038;oc=3\" target=\"_blank\"><\/p>\n<p>                            <svg width=\"20\" height=\"16\" viewBox=\"0 0 20 16\" fill=\"none\">\n                            <path d=\"M19.6 5.36C19.6 5.48 19.6 5.66 19.54 5.78L17.2 12.8V5.6C17.2 4.94 16.66 4.4 16 4.4H12.82L12.52 3.8L11.86 2.36L15.34 3.32L18.58 4.16C19.18 4.28 19.6 4.82 19.6 5.36Z\" fill=\"#FF4131\" \/>\n                            <path d=\"M15.4 0.799997V3.26L11.92 2.3L11.74 1.88C11.44 1.28 10.72 0.979997 10.12 1.22L4.59998 3.38V0.799997C4.59998 0.499997 4.89998 0.199997 5.19998 0.199997H14.8C15.1 0.199997 15.4 0.499997 15.4 0.799997Z\" fill=\"#03A846\" \/>\n                            <path d=\"M12.82 4.4H4.00002C3.34002 4.4 2.80002 4.94 2.80002 5.6V11.42L0.520024 6.5C0.460024 6.26 0.400024 6.08 0.400024 5.9V5.84C0.400024 5.3 0.700024 4.82 1.24002 4.64L4.60002 3.32L10.06 1.22C10.72 0.979997 11.44 1.28 11.68 1.88L11.86 2.3L12.52 3.74L12.82 4.4Z\" fill=\"#FDBD04\" \/>\n                            <path d=\"M17.2 5.59999V14.6C17.2 15.26 16.66 15.8 16 15.8H4.00005C3.34005 15.8 2.80005 15.26 2.80005 14.6V5.59999C2.80005 4.93999 3.34005 4.39999 4.00005 4.39999H16C16.66 4.39999 17.2 4.93999 17.2 5.59999ZM9.40005 9.79999H7.00005V11H7.90005C7.60005 11.36 7.18005 11.6 6.70005 11.6C5.86005 11.6 5.20005 10.94 5.20005 10.1C5.20005 9.25999 5.86005 8.59999 6.70005 8.59999C7.12005 8.59999 7.48005 8.77999 7.78005 9.01999L8.62005 8.17999C8.14005 7.69999 7.48005 7.39999 6.70005 7.39999C5.20005 7.39999 4.00005 8.59999 4.00005 10.1C4.00005 11.6 5.20005 12.8 6.70005 12.8C7.90005 12.8 8.86005 12.08 9.22005 11C9.34005 10.7 9.40005 10.4 9.40005 10.1C9.40005 9.97999 9.40005 9.91999 9.40005 9.79999ZM14.8 7.39999H10.6V8.59999H14.8V7.39999ZM16 9.79999H10.6V11H16V9.79999ZM14.8 12.2H10.6V13.4H14.8V12.2Z\" fill=\"#0284FE\" \/>\n                            <\/svg><br \/>\n                                                                    Follow us on Google News                                    <\/a>\n                                <\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/cryptonews.com\/news\/upbit-finds-critical-wallet-flaw-amid-probe-into-30m-hack\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Crypto Journalist Amin Ayan Crypto Journalist Amin Ayan Part of the Team Since Apr 2025 About Author Amin Ayan is a crypto journalist with over four years of experience in the industry. He has contributed to leading publications such as Cryptonews, Investing.com, 99Bitcoins, and 24\/7 Wall St. He has&#8230; Last updated:\u00a0 November 29, 2025 South<\/p>\n","protected":false},"author":1,"featured_media":880729,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2915,89191],"tags":[10753,87394],"class_list":{"0":"post-880728","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-finds","8":"category-upbit","9":"tag-finds","10":"tag-upbit"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/880728","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=880728"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/880728\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/880729"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=880728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=880728"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=880728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}