South Korea’s cryptocurrency giant, Upbit, has been struck by a significant security breach, resulting in the loss of approximately 44.5 billion won ($32 million) in Solana and ecosystem tokens.

Anatomy of the Breach

In the early hours of November 27, 2025, Upbit’s security systems flagged abnormal withdrawal patterns originating from its Solana (SOL) hot wallet. The unauthorized activity began around 04:42 KST, prompting an immediate suspension of all deposits and withdrawals across the platform.

Breach Snapshot

Time: Nov 27, 2025, 04:42 KST
Asset: Solana (SOL) & SPL Tokens
Estimated Loss: ₩44.5 Billion (~$32M USD)
Status: Withdrawals Suspended

Immediate Response and User Safety

Dunamu, the operator of Upbit, moved swiftly to contain the damage. Remaining assets were transferred to cold storage to prevent further unauthorized access. CEO Oh Kyung-seok issued a formal apology, reassuring the community regarding user funds.

All customer balances will be fully covered using Upbit’s own assets. No user is expected to take a direct financial hit from this incident.

While spot trading continues, the exchange has made it clear that deposit and withdrawal services will only resume once the security of each asset and network is fully verified.

Forensic analysis reveals assets being split and funneled through multiple unknown wallets.

A Grim Anniversary

The timing of this attack has sent shockwaves through the Korean crypto community. By a disturbing coincidence, this breach occurred exactly six years to the day after Upbit’s massive 2019 hack.

On November 27, 2019, the exchange lost 342,000 ETH (valued at roughly 58 billion won at the time) in an attack later attributed to North Korean state-sponsored actors. While the technical vectors differ—switching from Ethereum in 2019 to Solana in 2025—the date suggests a potential coordinated effort or a symbolic target by malicious actors.

Impact on the Solana Ecosystem

The breach wasn't limited to native SOL. The attackers drained a roster of Solana-ecosystem tokens, funneling them into dozens of unknown addresses. On-chain analysis shows complex laundering techniques, with funds being split rapidly to obfuscate the trail. Currently, most affected funds sit in external wallets beyond the exchange's control, with investigations ongoing.