Upbit Finds Critical Wallet Flaw Amid Probe Into $30M Hack

What Happened

South Korea’s largest cryptocurrency exchange, Upbit, said it uncovered and repaired a serious flaw in its internal wallet system while investigating the recent $30 million theft from the platform.

Upbit found and fixed a wallet flaw that could have exposed private keys, but has not confirmed it caused the $30M hack.

“We identified and addressed the vulnerability during a comprehensive inspection of all related networks and wallet systems,” Oh said, adding that the company activated emergency response protocols and halted all withdrawals and deposits until systems were verified as secure.

“No security system can ever be considered perfect,” Oh said, pledging infrastructure upgrades and continued transparency as investigations continue.

South Korean Probe Points to North Korea’s Lazarus Group in Upbit Hack

South Korean authorities have launched an investigation, and local reports have cited early intelligence assessments that allegedly connect the intrusion to North Korea’s Lazarus Group.

Officials believe this time the hackers may have bypassed core infrastructure by impersonating administrators or compromising internal accounts to authorize the withdrawal.

Market Context

Key Takeaways:

The breach drained about 44.5 billion won, while roughly 2.3 billion won has already been frozen.

Why It Matters

In a statement released Friday, Upbit CEO Oh Kyung-seok disclosed that engineers identified a weakness in the exchange’s wallet software that could have allowed attackers to infer private keys by studying publicly available blockchain data.

Upbit Says Internal Wallet Bug May Have Exposed Private Keys

According to the exchange, the issue may have produced weak or predictable signing data, creating the possibility that a sophisticated attacker could mathematically reconstruct wallet keys by analyzing historical transactions.

Tokens impacted included SOL, ORCA, RAY and JUP, the exchange said. Assets were quickly transferred to cold storage while forensic reviews began.

Details

The exchange halted activity, moved funds to cold storage, and pledged full reimbursement.

However, the crypto firm has not confirmed whether the vulnerability played a role in the breach.

The flaw did not stem from the blockchains themselves but from how Upbit’s wallet software generated cryptographic signatures.

Upbit stopped onchain activity on November 26 after detecting abnormal outflows from its Solana-based hot wallets.

Losses totaled an estimated 44.5 billion won ($30 million), including about 38.6 billion won ($26 million) in customer holdings.

The exchange confirmed that approximately 2.3 billion won ($1.5 million) in funds have already been frozen through coordination with external parties.

Upbit emphasized that it has not established a direct link between the wallet vulnerability and the theft. The issue was discovered only during an internal audit triggered by the incident.

The company said all affected users would be reimbursed in full using internal reserves. Withdrawals and deposits will remain suspended until final security inspections are completed.

The group has previously been linked to crypto thefts aimed at generating revenue for Pyongyang amid persistent foreign currency shortages.

Upbit continues to work with law enforcement agencies and blockchain projects to freeze and recover assets where possible, the exchange said.

The incident comes at a sensitive moment for Upbit’s parent company, Dunamu, which is preparing for a merger with South Korean internet giant Naver ahead of a potential public listing.