Upbit Discovers Significant Wallet Vulnerability During Investigation of $30 Million Breach
Upbit, South Korea’s largest cryptocurrency exchange, announced that it discovered and rectified a significant vulnerability in its internal wallet system while probing the recent $30 million theft from the platform.
Key Takeaways:
- Upbit identified and resolved a wallet vulnerability that could have compromised private keys, but it has not verified if it was the cause of the $30M hack.
- The breach resulted in a loss of approximately 44.5 billion won, with around 2.3 billion won already frozen.
- The exchange suspended operations, transferred funds to cold storage, and committed to full reimbursement.
In a statement issued on Friday, Upbit CEO Oh Kyung-seok revealed that engineers detected a flaw in the exchange’s wallet software that might have enabled attackers to deduce private keys by analyzing publicly accessible blockchain information.
Nonetheless, the cryptocurrency firm has not confirmed whether this vulnerability contributed to the breach.
Upbit Reports Internal Wallet Issue May Have Exposed Private Keys
The flaw originated not from the blockchains themselves but from the method by which Upbit’s wallet software generated cryptographic signatures.
The exchange indicated that this issue could have resulted in weak or predictable signing data, allowing a skilled attacker to mathematically reconstruct wallet keys by examining historical transactions.
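The check below is an added example, not Upbit's code or its published finding: it audits a wallet's own historical signatures for the simplest form of predictable signing data, a repeated nonce. It assumes 64-byte Ed25519 signatures (R followed by S, as used on Solana), hex-encoded records, and hypothetical signer labels; the sample data is constructed.

```python
from collections import defaultdict


def find_nonce_reuse(records):
    """Return [(signer, R_hex, [message_hex, ...])] for every signer that
    produced the same R value over more than one distinct message.

    records: iterable of (signer, message_hex, signature_hex).
    In Ed25519 the first 32 bytes of a signature are R, the public
    commitment to the per-signature nonce. A correct signer derives the
    nonce from the key and the message, so one key should never emit the
    same R for two different messages. If it does, the signer is broken
    and the key must be treated as exposed and rotated.
    """
    by_nonce = defaultdict(set)  # (signer, R) -> distinct messages signed
    for signer, message_hex, signature_hex in records:
        sig = bytes.fromhex(signature_hex)
        if len(sig) != 64:
            raise ValueError(f"expected 64-byte signature, got {len(sig)}")
        by_nonce[(signer, sig[:32])].add(message_hex.lower())
    return sorted(
        (signer, r.hex(), sorted(msgs))
        for (signer, r), msgs in by_nonce.items()
        if len(msgs) > 1
    )


# Constructed sample records (not real chain data).
R1, R2 = "11" * 32, "22" * 32
SAMPLE = [
    ("hot-wallet-A", "aa" * 32, R1 + "01" * 32),
    ("hot-wallet-A", "bb" * 32, R1 + "02" * 32),  # same R, different message
    ("hot-wallet-A", "cc" * 32, R2 + "03" * 32),
    ("hot-wallet-A", "aa" * 32, R1 + "01" * 32),  # exact repeat: benign
    ("hot-wallet-B", "dd" * 32, R1 + "04" * 32),  # other key: grouped separately
]

if __name__ == "__main__":
    for signer, r_hex, msgs in find_nonce_reuse(SAMPLE):
        print(f"{signer}: R={r_hex[:16]}... reused across {len(msgs)} messages")
```

A clean result only rules out exact repetition; nonces that are biased or predictable without repeating need a review of the signer's random-number and nonce-derivation code.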
“We identified and rectified the vulnerability during a thorough review of all related networks and wallet systems,” Oh stated, noting that the company initiated emergency response measures and suspended all withdrawals and deposits until the systems were confirmed secure.
Upbit ceased on-chain activity on November 26 after noticing unusual outflows from its Solana-based hot wallets.
Tokens affected included SOL, ORCA, RAY, and JUP, according to the exchange. Assets were swiftly moved to cold storage while forensic investigations commenced.
Estimated losses reached around 44.5 billion won ($30 million), which included approximately 38.6 billion won ($26 million) in customer assets.
Upbit states that attackers might have deduced private keys by examining user wallet address patterns. If accurate, I suspect that only North Korean hackers (Lazarus) could achieve this.
— Ki Young Ju (@ki_young_ju) November 28, 2025
The exchange confirmed that about 2.3 billion won ($1.5 million) in assets have already been frozen through collaboration with external entities.
Upbit stressed that it has not established a direct connection between the wallet vulnerability and the theft. The issue was identified only during an internal audit prompted by the incident.
“No security system can ever be deemed flawless,” Oh remarked, promising infrastructure enhancements and ongoing transparency as investigations proceed.
The company stated that all affected users would receive full reimbursement from internal reserves. Withdrawals and deposits will remain suspended until final security evaluations are completed.
South Korean Investigation Links Upbit Hack to North Korea’s Lazarus Group
South Korean authorities have initiated an investigation, with local reports citing preliminary intelligence assessments that allegedly associate the breach with North Korea’s Lazarus Group.
This group has previously been connected to cryptocurrency thefts aimed at generating funds for Pyongyang amid ongoing foreign currency shortages.
Officials suspect that this time the hackers may have circumvented core infrastructure by impersonating administrators or compromising internal accounts to authorize the withdrawal.
Upbit continues to collaborate with law enforcement and blockchain projects to freeze and recover assets where feasible, the exchange stated.
This incident occurs at a critical juncture for Upbit’s parent company, Dunamu, which is preparing for a merger with South Korean internet giant Naver ahead of a potential public listing.
The post Upbit Finds Critical Wallet Flaw Amid Probe Into $30M Hack appeared first on Cryptonews.