Upbit, South Korea's largest crypto exchange, faced a significant security breach on Thursday morning. However, the initial message was intended to quell user panic: Upbit will fully cover the 54 billion won loss. The exchange quickly detected anomalous outflows from its hot wallet on the Solana network, froze transactions, moved assets to cold wallets, and entered emergency security mode system-wide.
The incident unfolded at 4:42 AM with transactions sent to an unauthorized external wallet on the Solana network. Investigations indicate that the attack was not random, but rather a breach that directly targeted the hot wallet address.
Full list of stolen tokens released
Upbit has released a comprehensive list of the tokens seized in the attack. Accordingly, the breached Solana ecosystem assets include:
2Z, ACS, BONK, DOOD, DRIFT, HUMA, IO, JTO, JUP, LAYER, ME, MEW, MOODENG, ORCA, PENGU, PYTH, RAY, RENDER, SOL, SONIC, SOON, TRUMP, USDC, and W.
The broad range of tokens, spanning both meme coins and DeFi protocols, suggests that the attack involved sophisticated targeting focused on the Solana ecosystem.
Upbit's First Step: Freezing, Monitoring, and Full Restitution
The exchange suspended all deposits and withdrawals on the Solana network minutes after the attack was discovered. System-wide assets were transferred to cold wallets, and security reviews were initiated. Upbit announced that its on-chain analysis teams are tracking the attacker and that freezing efforts are ongoing with the relevant token projects.
Most notable of these steps is the successful freezing of approximately 12 billion won in LAYER tokens. Monitoring of the remaining assets continues.
Dunamu CEO Oh Kyung-seok clarified the most pressing issue for users in his announcement: “All losses will be covered by Upbit’s own assets. There will be no loss in user balances.”
The most critical security challenge since 2019
The incident occurred almost exactly six years after Upbit suffered a November 2019 hack that stole 342,000 ETH. While no direct connection between the two events appears to be present, the timing and the widespread impact on the Solana ecosystem have revived security debates.
This attack also demonstrates how quickly a large-scale Solana-based hot wallet breach can spread across a centralized exchange.
Crisis amid Naver deal
The attack occurred at a critical juncture, as the planned acquisition of Upbit’s parent company, Dunamu, by Naver Financial in a stock swap deal worth approximately $10.3 billion was underway. This merger is seen as a major transformation in South Korea’s tech-economy ecosystem. Therefore, a security breach occurring during this period has increased pressure on both regulators and institutional investors. Upbit's decision to seek full compensation aims to alleviate this pressure.
The exchange announced that deposits and withdrawals on the Solana network will be gradually reactivated once all security checks are completed. The technical aspects of the investigation are not yet clear, but it is suspected that the hot wallet private key may have been compromised.
Upbit's swift action and announcement that it would fully cover the losses largely mitigated the risk of panic among users.
