How Crypto Exchange Upbit Got Robbed Again - Six Years Later, Same Date

Thursday, 27/11/2025 | 09:16 GMT by Damian Chmiel
  • Anniversary breach hits South Korea's largest crypto exchange exactly six years after 2019 attack.
  • Dunamu suspends deposits and withdrawals while pledging to fully reimburse customers.

Upbit, South Korea's dominant cryptocurrency exchange, suffered unauthorized withdrawals totaling approximately $36.9 million (54 billion won) early Thursday morning, marking the second time the platform has been breached on November 27.

The exchange detected unusual activity at 4:42 a.m. local time when Solana-linked assets moved to an unidentified wallet address. Dunamu CEO Oh Kyung-seok disclosed the breach during a press conference at 12:33 p.m., just hours after the company had announced its merger with Naver Financial.

Upbit’s Six-Year Anniversary of $50 Million Ethereum Theft

The timing raised immediate concerns among security analysts. Exactly six years earlier, on November 27, 2019, Upbit lost 342,000 Ethereum tokens worth approximately $50 million in what authorities later confirmed was an attack by North Korean hacking groups Lazarus and Andariel. At the time of that theft, Ethereum traded around $146 to $149 per coin, putting the haul at roughly 58 billion won.

The 2019 stolen Ethereum would be worth significantly more today - approximately $1.04 billion at current prices. South Korean investigators eventually determined that the attackers converted 57% of the stolen funds through three cryptocurrency exchanges they controlled, while laundering the remainder through 51 exchanges across 13 countries.

Cryptocurrency exchanges generally face a difficult environment. More than two years ago, Upbit reported that in just the first half of 2023, there were 159,000 attempted hacks against its systems. Its proximity to North Korea and the presence of the Lazarus hacking group in the region add to the risks.

Since the start of this year, cybercriminals from communist North Korea are estimated to have stolen more than 2 billion dollars’ worth of cryptocurrencies.

Hot Wallet Compromise Triggers Platform Freeze

"Exchanges are obviously massive honeypots for hackers," said Trezor CEO, Matěj Žák. "Independent reports estimate that more than 2.5 billion dollars has already been stolen in 2025, including a single 1.5 billion dollar breach on the Bybit exchange. And since security is a moving target, this problem is not going away."

Thursday's breach affected multiple Solana-based tokens including SOL, USDC, BONK, JUP, RAY, RENDER, ORCA, and PYTH. The company confirmed the intrusion was limited to hot wallet storage, with cold wallet reserves remaining secure. Upbit immediately moved remaining assets into cold storage and suspended all deposit and withdrawal services across the platform as a precautionary measure.

"We will fully cover the loss with Upbit's own assets so that customers are not affected in any way," the company stated, assuring users no action would be required to recover their funds. Trading continues to function normally on the platform, though users cannot move assets on or off the exchange during the ongoing security review.

Breach Comes Day After $10 Billion Naver Deal

The hack arrived at a delicate moment for Dunamu. Just one day earlier, the company finalized a $10.3 billion stock-swap merger with Naver Financial, creating one of South Korea's largest digital finance entities. Under the agreement, Naver Financial will issue 87.5 million new shares at a 1:2.54 ratio, making Dunamu a wholly owned subsidiary.

South Korean financial authorities have launched on-site inspections to assess the situation. The repeated breach on the same calendar date, combined with North Korean involvement in the previous attack, has sparked speculation about the perpetrators behind the latest incident.
