Imagine waking up, checking your exchange balance, and seeing the entire platform frozen. No deposits. No withdrawals. Just a short, apologetic message saying something went horribly wrong overnight. That’s exactly what hundreds of thousands of Upbit users experienced on November 27, 2025.
A hot wallet tied to Solana assets had been drained for roughly 54 billion Korean won – around $36 million at current rates. In the crypto world, that’s not the biggest hack we’ve ever seen, but when it hits the largest exchange in an entire country, the shockwaves travel fast.
Another Exchange Hack – Why Are We Still Surprised?
Let’s be honest for a second. Every few months we get another headline about a breach, a private key leak, or some “abnormal transaction” that empties user funds. Yet somehow we still park billions on centralized platforms and cross our fingers. Upbit’s incident is the latest reminder that hot wallets are convenient until they aren’t.
The exchange detected suspicious movement early Thursday morning, slammed the brakes on all deposit and withdrawal services, and started moving everything they could into cold storage. By the time most users woke up, the damage was already done.
What Actually Got Stolen?
According to on-chain data and the exchange’s own statements, at least 24 different Solana-based tokens disappeared in the attack. We’re talking SOL itself, USDC on Solana, meme favorites like Bonk, newer projects such as Layer and Jupiter, and a long tail of smaller tokens.
Rough breakdown that has surfaced so far:
- SOL and major stablecoins – the biggest chunk
- High-liquidity DeFi tokens (JUP, RAY, etc.)
- Several meme coins that skyrocketed in 2024-2025
- Layer tokens – interestingly, Upbit managed to freeze about 12 billion won of these with project help
That last point is worth pausing on. Freezing assets after a hack is possible with certain tokens that have administrative functions. It’s also a perfect illustration of why “decentralization” isn’t always as pure as the whitepapers claim.
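On Solana, one such administrative function is the freeze authority recorded in an SPL Token mint account. As an added example (not from the original article, and not a statement of how the Layer freeze was carried out), this parser reads the base 82-byte mint layout and reports which issuer powers are still set; the sample accounts and helper names are constructed for illustration.

```python
import struct

MINT_LEN = 82  # base SPL Token mint layout; any data past this is ignored

def _coption_pubkey(buf, off):
    """COption<Pubkey>: u32 little-endian tag (0 = None, 1 = Some) + 32-byte key."""
    (tag,) = struct.unpack_from("<I", buf, off)
    if tag not in (0, 1):
        raise ValueError(f"invalid COption tag {tag} at offset {off}")
    return bytes(buf[off + 4:off + 36]) if tag == 1 else None

def parse_mint(data):
    """Decode mint authority, supply, decimals and freeze authority from mint data."""
    if len(data) < MINT_LEN:
        raise ValueError(f"mint data too short: {len(data)} bytes")
    supply, decimals, initialized = struct.unpack_from("<QBB", data, 36)
    if initialized != 1:
        raise ValueError("mint is not initialized")
    return {
        "mint_authority": _coption_pubkey(data, 0),
        "supply": supply,
        "decimals": decimals,
        "freeze_authority": _coption_pubkey(data, 46),
    }

def admin_controls(data):
    """List the issuer-held powers a holder or custodian should know about."""
    mint = parse_mint(data)
    found = []
    if mint["freeze_authority"] is not None:
        found.append("freeze: token accounts can be frozen by "
                     + mint["freeze_authority"].hex()[:8])
    if mint["mint_authority"] is not None:
        found.append("mint: supply can be increased by "
                     + mint["mint_authority"].hex()[:8])
    return found

def _sample_mint(mint_auth, freeze_auth, supply=1_000_000, decimals=6):
    """Build constructed mint data for the demo (not real on-chain accounts)."""
    def opt(key):
        return struct.pack("<I", 1) + key if key else struct.pack("<I", 0) + bytes(32)
    return opt(mint_auth) + struct.pack("<QBB", supply, decimals, 1) + opt(freeze_auth)

# Constructed samples: one issuer-controlled token, one with both authorities revoked.
CONTROLLED = _sample_mint(b"\x11" * 32, b"\x22" * 32)
REVOKED = _sample_mint(None, None)

if __name__ == "__main__":
    for name, raw in (("controlled", CONTROLLED), ("revoked", REVOKED)):
        print(name, admin_controls(raw) or ["no issuer authority set"])
```

A mint with a freeze authority set means the issuer can halt movement of stolen tokens, and equally that holders depend on whoever controls that key.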
How Did the Attackers Pull It Off?
Upbit has been unusually tight-lipped about the exact vector – which, frankly, is pretty standard operating procedure these days. The official line is that it was an “abnormal withdrawal situation” from their Solana hot wallet infrastructure.
Translation: someone got access to signing keys or exploited a vulnerability in how the wallet was managed. No evidence points to a flaw in Solana’s protocol itself (unlike some past incidents). This looks like classic exchange-side compromise.
In my experience watching these events unfold over the years, the majority of nine-figure exchange losses come down to three things:
- Compromised employee credentials or insider involvement
- Poor key management practices (multi-sig not enforced properly, keys stored on internet-connected systems)
- Social engineering that tricks ops teams into approving massive transfers
We don’t know yet which of these – or something new – applies here. But history isn’t exactly optimistic.
Upbit’s Response: Full Compensation Promised
“To prevent any damage to member assets, the entire amount will be covered by Upbit’s holdings.”
– Official statement from Dunamu CEO
Credit where it’s due: Upbit didn’t hesitate to say they’ll eat the loss completely. That’s a big deal in a country where investor protection has become a political third rail. Korean traders have been burned before; exchanges know they can’t afford to play games with reimbursement anymore.
They’ve already moved remaining assets into cold storage across the board – not just Solana – and are running a full infrastructure audit. Services will come back online chain-by-chain once engineers sign off.
Bigger Picture for Korean Crypto
Timing could hardly be worse. Upbit’s parent company Dunamu is deep into merger talks with tech giant Naver, with whispers of a U.S. IPO afterward. A $36 million hole in the balance sheet isn’t fatal, but it’s embarrassing – and regulators are already circling.
Just weeks ago, Upbit paid a multi-billion-won fine for lax anti-money-laundering controls. Another black eye right now feeds exactly the narrative that domestic authorities want to push: exchanges still can’t be trusted to safeguard customer funds properly.
Expect louder calls for mandatory cold-storage ratios, real-time proof-of-reserves, and maybe even government-run insurance funds. South Korea has been one of the strictest jurisdictions since 2021; this incident will only tighten the screws.
What Should Regular Users Do Right Now?
If you have funds on Upbit – or any centralized exchange for that matter – treat this as your periodic wake-up call.
- Don’t keep more than you’re actively trading on any hot wallet
- Use hardware wallets for anything you’re holding longer than a few weeks
- Enable withdrawal whitelists where available
- Spread exposure across multiple venues (yes, even after this)
- Watch for phishing attempts – attackers often follow up breaches with targeted scams
I’ve said it before and I’ll keep saying it: the only money that has never been hacked is money you control the keys to. Everything else is an IOU with extra steps.
Final Thoughts – This Won’t Be the Last One
Crypto has matured a lot since the wild 2017-2018 exchange collapses. Most big platforms now have insurance funds, better auditing, and quicker response playbooks. Upbit’s promise to make users whole without blinking is proof of that progress.
But the core problem remains unchanged: as long as centralized entities hold private keys on behalf of millions of people, there will be fat targets. And as long as those targets exist, someone, somewhere, is sharpening their tools.
Today it was Upbit’s Solana hot wallet. Tomorrow it could be someone else’s Ethereum vault or a brand-new chain nobody’s stress-tested yet.
The technology keeps improving. The human element? That’s still the weakest link in the chain.
Stay safe out there.