South Korea’s largest cryptocurrency exchange, Upbit, confirmed that approximately 54 billion Korean won ($36.9 million) worth of Solana-based assets were transferred to an unauthorized wallet address in the early hours of November 27, 2025. The breach represents the most significant security incident at the exchange since the infamous 2019 Ethereum theft, and it has sent shockwaves through the Asian crypto market at a time when Bitcoin trades near $90,850 and Ethereum hovers around $2,990.
The Exploit Mechanics
At approximately 04:42 KST on November 27, Upbit’s internal monitoring systems detected abnormal outflows from its Solana hot wallet infrastructure. The unauthorized transfers encompassed a broad range of Solana ecosystem tokens, including SOL, USDC, BONK, JUP, RAY, RENDER, ORCA, and PYTH. The diversity of tokens targeted suggests the attacker gained access to the hot wallet’s private keys rather than exploiting a specific smart contract vulnerability.
The timing of the breach proved particularly sensitive, occurring mere hours after Upbit’s parent company Dunamu finalized a high-profile merger deal with Naver’s fintech arm, Naver Financial. Dunamu CEO Oh Kyung-seok addressed the incident during a joint press conference, assuring the public that the exchange would cover the full amount lost using its own assets to ensure no customer funds would be impacted.
Affected Systems
Upbit immediately suspended all Solana network deposit and withdrawal services upon detecting the breach, implementing emergency inspection protocols across its infrastructure. The hot wallet system, which maintains a portion of exchange assets in online-connected storage to facilitate rapid trading, was the sole component compromised. Cold storage reserves, holding the vast majority of customer funds, remained untouched throughout the incident.
The affected tokens paint a picture of an attacker with intimate knowledge of the Solana ecosystem’s most liquid assets. SOL remains the network’s native token, while USDC represents the dominant stablecoin on Solana. BONK, JUP, RAY, RENDER, ORCA, and PYTH collectively represent billions in daily trading volume across decentralized and centralized exchanges.
The Mitigation Strategy
Upbit’s response followed established incident response protocols. The immediate suspension of Solana network services prevented further unauthorized withdrawals while security teams conducted a comprehensive forensic analysis. Dunamu committed to full reimbursement from corporate assets, a move that underscores the financial reserves maintained by South Korea’s dominant exchange operator.
Security researchers note that the 2025 incident shares similarities with the 2019 breach, which saw approximately 340,000 Ethereum tokens worth 58 billion won stolen from Upbit. In that earlier case, the exchange similarly absorbed the losses entirely without passing costs to customers. However, the recurrence after six years raises questions about hot wallet security evolution at major exchanges.
Lessons Learned
The Upbit breach highlights the persistent vulnerability of hot wallets, regardless of an exchange’s size or resources. Even as cold storage technology has advanced significantly, the operational necessity of maintaining liquid hot wallets for real-time trading creates an unavoidable attack surface. The incident also demonstrates that multi-token ecosystems like Solana amplify risk, as a single compromised private key can expose dozens of distinct assets simultaneously.
For the broader market, the breach arrives during a period of relative stability, with Bitcoin holding firm above $90,000 and total crypto market capitalization exceeding $2.6 trillion. The measured market response suggests growing maturity among traders, who appear to differentiate between exchange-specific security incidents and systemic protocol risks.
User Action Required
Upbit users should monitor official communications from the exchange regarding the resumption of Solana network services. Those with significant Solana-based holdings on any exchange should consider transferring assets to personal hardware wallets as a precautionary measure. Users should also enable all available security features, including two-factor authentication and withdrawal whitelist restrictions, to minimize exposure to potential follow-on attacks.
This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making trading decisions.
54 billion won in Solana tokens stolen because of a hot wallet. cold storage exists for a reason people
hot wallets are necessary for liquidity but $36M in a single hot wallet is negligent. tiered hot wallets with $5M caps would have limited the damage
Dunamu CEO covering losses from company assets is the right move. but this is the second major breach. trust doesnt survive too many of these
the attacker knew the Solana ecosystem well. SOL, BONK, JUP, RAY, RENDER, ORCA, PYTH… thats every major token
the attacker hitting SOL BONK JUP RAY RENDER ORCA PYTH means they had full private key access not a specific token exploit. inside job or key compromise
hot_cold_split the token list is basically every major Solana ecosystem project. whoever did this knew exactly what they were grabbing
Naver Financial closes the Dunamu acquisition and hours later the exchange gets hacked. terrible optics for everyone involved
naver finalizes the dunamu acquisition and within hours the exchange gets drained for 54 billion won. the timing is almost too perfect
Dunamu covering losses from company assets is good for users but raises questions about their reserve adequacy going forward. second major breach since 2019