Upbit Suffers Another Attack On The Exact Anniversary Of Its 2019 Hack

South Korea’s largest crypto exchange, Upbit, has reported a $36 million exploit on the Solana network, a breach that unfolded with unsettling precision on November 27 — the exact date the platform suffered its notorious 2019 hack, when 342,000 ETH were siphoned by North Korea’s Lazarus Group.

The coincidence has amplified concerns around Upbit’s long-term security posture, particularly as the old attack would now be valued at over $1 billion.

Upbit said it detected irregular asset transfers at around 4:42 am local time, after a Solana hot wallet began pushing funds to an unauthorized external address. The siphoned assets spanned a wide range of Solana-ecosystem tokens, including SOL, USDC, Jito (JTO), Raydium (RAY), Bonk (BONK), Sonic SVM (SONIC), Access Protocol (ACS), and several smaller meme and DeFi tokens.

The exchange confirmed that the event involved approximately 54 billion KRW and that the compromise was isolated to its hot-wallet infrastructure, with cold-storage reserves remaining secure.

The breach immediately triggered comparisons to the 2019 incident, and its anniversary timing intensified public scrutiny from industry analysts, regulators and long-time Upbit users who still remember the fallout of one of South Korea’s largest exchange hacks.

Upbit Locks Down Transfers and Moves Assets to Cold Storage in Emergency Response

Upbit reacted within minutes of identifying the anomaly, suspending all deposits and withdrawals across the platform while initiating an emergency audit of its entire infrastructure.

Dunamu CEO Oh Kyung-seok said the exchange prioritized asset protection above all else and moved quickly to shift all remaining funds into cold storage to prevent further unauthorized transfers. The company initiated a comprehensive investigation of all networks and wallet systems, extending reviews well beyond the Solana ecosystem to ensure no additional vulnerabilities existed.

The exchange also launched a coordinated on-chain response, tracking the attacker’s wallet activity in real time and collaborating with token issuers and ecosystem partners to freeze stolen assets. Upbit confirmed that it successfully froze roughly 12 billion KRW worth of Solayer (LAYER) during the initial containment effort and is continuing to pursue additional freeze and recovery actions as new information emerges.

South Korean financial authorities have already begun on-site inspections to understand the sequence of events surrounding the breach and assess the broader risks to users. While trading on Upbit remains operational, the exchange said it will only reopen deposits and withdrawals once its systemwide security review is fully complete.

The company emphasized that customer balances will remain untouched throughout the process and pledged to reimburse the entire loss from its own corporate reserves, ensuring no impact on user funds.

Breach Strikes During Naver–Dunamu Megamerger and Upbit’s Push Toward U.S. IPO

The timing of the hack adds a dramatic twist to one of the most consequential corporate transitions in South Korea’s fintech and crypto markets. Just a day before the exploit, Dunamu finalized a $10.3 billion stock-swap agreement to be acquired by Naver Financial, the country’s leading internet giant.

The acquisition is set to make Dunamu a wholly owned subsidiary of Naver, positioning Upbit for a potential U.S. public listing, with a Nasdaq IPO reportedly under consideration.

The merger also outlines a long-term strategy involving nearly $7 billion in joint investment across Web3 technologies and artificial intelligence over the next five years, a plan that had been widely viewed as a major step in consolidating South Korea’s digital finance ecosystem.

The breach now casts a spotlight on Upbit’s ability to navigate global regulatory frameworks as it moves toward international expansion. Despite the heightened scrutiny, Upbit maintains that its financial standing remains intact and that the platform continues to operate securely while investigations proceed.

The exchange reiterated its commitment to full transparency and to restoring deposits and withdrawals in phases once the integrity of its systems is fully verified.