
Upbit Hot Wallet Drained of $36 Million in Coordinated Solana Token Heist

On November 27, 2025, South Korea’s largest cryptocurrency exchange, Upbit, confirmed a devastating security breach that resulted in the theft of approximately 44.5 billion KRW ($36 million) in Solana-based digital assets. The attack, detected at 04:42 KST, targeted one of the exchange’s hot wallets on the Solana network, draining more than twenty different tokens in a matter of minutes.

The Exploit Mechanics

The attacker obtained the private key controlling Upbit’s Solana hot wallet and ran automated draining scripts that executed hundreds of transfers across unrelated tokens in rapid succession. Among the stolen assets were SOL, USDC, BONK, RENDER, LAYER, JUP, PYTH, ORCA, and TRUMP tokens. The speed and breadth of the operation, more than twenty distinct token types drained within minutes, point to a premeditated attack: the adversary had already enumerated the wallet’s token accounts and prepared the transactions before signing began.

Blockchain forensic analysis shows that the destination wallets were newly created addresses, a common tactic to reduce traceability. The pattern of transfers across unrelated assets is consistent with a compromise of the wallet’s signing key (or of the infrastructure that holds it) rather than with any vulnerability in the Solana protocol itself: a protocol bug would not hand an attacker valid signatures for every token the wallet held. Initial estimates placed the loss at 54 billion KRW, but Upbit revised this to 44.5 billion KRW after adjusting for market prices at the time of the incident.

Affected Systems

The breach was confined to a single Solana-network hot wallet, but the impact was broad. Hundreds of individual token transfers were executed before the exchange could respond. Upbit immediately suspended all Solana deposits and withdrawals, isolated the compromised wallet, and transferred all remaining assets into cold storage.

Approximately 2.3 billion KRW worth of LAYER tokens were successfully frozen through collaboration with the Solayer development team, a small but meaningful recovery that was only possible because LAYER’s issuer retains a freeze authority over the token. At the time of writing, the remainder of the stolen assets sits idle in the attacker’s wallets, though further movements are expected as the adversary attempts to launder funds across chains, likely through cross-chain bridges such as Wormhole before fragmenting into stablecoins.

Bitcoin was trading at approximately $91,285 at the time of the breach, with Ethereum at $3,014 and Solana at $140.85. The broader market showed modest movement, with the incident appearing contained to Upbit’s Solana operations.

The Mitigation Strategy

Upbit has committed to covering all user losses from corporate funds, ensuring that no customers bear the financial burden of the breach. The exchange published Notice ID 5800 with full details of the incident and disclosed all affected wallet addresses to enable industry-wide monitoring.

From a technical standpoint, the incident exposes a specific weakness in hot wallet operations: the wallet was allowed to accumulate far more liquidity than immediate withdrawal demand required. Blockchain records show multiple high-value transfers from other Upbit-operated wallets arriving in quick succession shortly before the breach, including individual transfers of $461,080 and $380,760. This suggests the attacker may have been monitoring the wallet’s balance and acted once sufficient value had accumulated.

The attack bears an eerie historical parallel: exactly six years earlier, on November 27, 2019, North Korea’s Lazarus Group hacked Upbit for approximately $50 million. Whether this timing is coincidental or deliberate remains under investigation.

Lessons Learned

The Upbit incident reinforces several critical security principles for centralized exchanges. First, hot wallet balances should be capped at what is necessary for immediate operations, with any excess swept automatically to cold storage rather than left to accumulate. Second, real-time on-chain monitoring must detect anomalous withdrawal patterns and trigger automatic freezes within seconds, not minutes. Third, private key management for hot wallets requires hardware security modules and multi-signature or threshold authorization; a single compromised key should never be sufficient to drain an entire wallet. Note that an HSM alone protects the key material, not the decision to sign: if the host that submits signing requests is compromised, the HSM will happily sign the drain. The signing policy itself (velocity limits, per-token caps, destination allowlists) has to be enforced inside the signer or by independent approvers.
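The exploit mechanics and the second lesson above describe the same signal from opposite sides: a key-compromise drain sends many distinct tokens to a handful of fresh addresses within minutes, whereas normal exchange withdrawals send a few tokens to many user addresses over hours. The sliding-window detector below is an added example, not Upbit’s monitoring code; the transfer feed, wallet addresses, token names beyond those the article lists, and thresholds are all constructed or hypothetical.

```python
"""Sliding-window drain detector for an exchange hot wallet.

Added example, not Upbit's code. The Transfer feed below is constructed;
addresses, the TOKEN10..TOKEN22 symbols and the thresholds are hypothetical.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int      # unix seconds
    source: str  # sending wallet (hypothetical exchange hot wallet)
    mint: str    # token symbol / mint
    dest: str    # receiving address
    usd: float   # USD value at transfer time


@dataclass(frozen=True)
class Alert:
    ts: int             # time the window tripped the rule
    source: str
    distinct_mints: int
    distinct_dests: int
    transfers: int
    usd_total: float


def detect_drain(transfers, *, window_s=120, min_mints=5, max_dests=3, min_usd=100_000):
    """Scan transfers (any order) and return one Alert per source wallet the
    first time a `window_s`-second window shows >= min_mints distinct tokens
    going to <= max_dests destinations with >= min_usd total value.

    Ordinary withdrawals fan out: a few tokens, many user addresses, spread
    over hours. A key-compromise drain does the opposite: every token the
    wallet holds, funnelled into a few attacker addresses, within minutes.
    """
    alerts = []
    windows = {}   # source -> deque of Transfers inside the current window
    tripped = set()
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.source in tripped:
            continue
        q = windows.setdefault(t.source, deque())
        q.append(t)
        while t.ts - q[0].ts > window_s:   # q is never empty: t was just appended
            q.popleft()
        mints = {x.mint for x in q}
        dests = {x.dest for x in q}
        usd = sum(x.usd for x in q)
        if len(mints) >= min_mints and len(dests) <= max_dests and usd >= min_usd:
            alerts.append(Alert(t.ts, t.source, len(mints), len(dests), len(q), usd))
            tripped.add(t.source)   # one alert per wallet; freeze, don't spam
    return alerts


HOT = "HotWallet1111111111111111111111111111111"  # hypothetical address

# Constructed: a quiet day of user withdrawals, 3 tokens, one every 6 minutes,
# each to a different user address.
NORMAL_FEED = [
    Transfer(1_700_000_000 + i * 360, HOT, ("SOL", "USDC", "BONK")[i % 3],
             f"User{i:04d}", 1_500.0)
    for i in range(30)
]

# Constructed drain: 22 distinct tokens to 2 fresh addresses, one transfer
# every 4 seconds. The first nine symbols are the ones the article names.
DRAIN_MINTS = ["SOL", "USDC", "BONK", "RENDER", "LAYER", "JUP", "PYTH", "ORCA", "TRUMP"] + \
    [f"TOKEN{n}" for n in range(10, 23)]   # 13 hypothetical extra tokens
DRAIN_FEED = [
    Transfer(1_700_100_000 + i * 4, HOT, mint, ("Attacker1", "Attacker2")[i % 2], 250_000.0)
    for i, mint in enumerate(DRAIN_MINTS)
]


if __name__ == "__main__":
    print("normal feed:", detect_drain(NORMAL_FEED))
    for a in detect_drain(NORMAL_FEED + DRAIN_FEED):
        print(f"ALERT {a.source[:9]}: {a.distinct_mints} tokens -> {a.distinct_dests} dests, "
              f"${a.usd_total:,.0f} in {a.transfers} transfers at t={a.ts}")
```

With these thresholds the constructed drain trips on its fifth transfer, 16 seconds after it starts, while the thirty ordinary withdrawals never do, because no 120-second window of the normal feed ever holds more than one transfer. In production the feed would come from a subscription to the hot wallet’s transaction log and the alert would be wired to a withdrawal-pause action on the signer, not to a pager.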

For the broader ecosystem, the breach underscores the importance of collaboration between exchanges, token teams, and blockchain analytics firms. The partial freezing of LAYER tokens demonstrates that rapid coordination can yield results, but the industry needs standardized incident response protocols that operate at machine speed.

User Action Required

Upbit users should verify that their accounts show no unauthorized activity and monitor official exchange communications for updates on the Solana withdrawal suspension. Users holding significant balances on any centralized exchange should consider transferring assets to self-custody wallets, particularly hardware wallets, as a general best practice. The incident serves as a stark reminder that even the largest and most established exchanges remain vulnerable to hot wallet compromises.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.


13 thoughts on “Upbit Hot Wallet Drained of $36 Million in Coordinated Solana Token Heist”

  1. draining 20+ token types in minutes means the attacker mapped the wallet layout beforehand. this was planned weeks ahead

    1. airdrop_hunter_ saying market rewards fundamentals on an article about a $36M hot wallet drain is wild. this was a private key compromise not a protocol failure

      1. sol_forensics exactly. blaming solana protocol for a private key compromise is like blaming the road when someone leaves their car unlocked

  2. 2.3B KRW in LAYER frozen because the team answered fast. any slower and that was gone too. cold storage shouldn't depend on human response time

  3. 2.3 billion KRW in LAYER tokens frozen through dev collaboration. only recoverable because the team was responsive. cold storage should be default not emergency protocol

    1. 2.3B KRW in LAYER frozen because the team answered fast enough. if this was a dead project those tokens were gone instantly

  4. 44.5 billion KRW revised down from initial 54 billion. even the exchange couldn't accurately assess their own losses in real time. cold storage migration should be automatic not manual

    1. cold storage migration being manual is the real problem. any exchange holding 44.5B KRW in a hot wallet without automatic thresholds is asking for it

  5. draining 20+ different token types in minutes means they had the wallet mapped before the attack. this was reconnaissance not opportunistic

