Upbit says emergency audit of $30M hack uncovered internal wallet flaw that could let attackers derive private keys

Upbit said it uncovered and patched a serious vulnerability in its internal wallet system while conducting an emergency investigation into the $30 million theft that hit the South Korean exchange earlier this week — but it remains unclear if the flaw was connected to the hack.

According to a translation of a company statement on Friday, CEO Oh Kyung-seok said the exchange identified "a security vulnerability in our system that could have allowed someone analyzing publicly visible Upbit wallet transactions on the blockchain to infer private keys," referring to the cryptographic credentials that control access to funds.

While normal blockchain data does not reveal private keys, it appears Upbit's own wallet software had a flaw that produced weak or predictable signature data, meaning an attacker analyzing the crypto exchange's past onchain transactions could mathematically reconstruct certain wallet private keys due to a serious implementation bug on Upbit's end.

The exchange did not link the vulnerability to the breach directly and said the issue was discovered only after Upbit began a systemwide review following irregular withdrawals from its Solana-related wallets on Nov. 27.

"We identified and addressed the vulnerability during a comprehensive inspection of all related networks and wallet systems," Oh said, adding that the company had activated an emergency response system and suspended all deposits and withdrawals until its infrastructure is fully verified as secure.

According to the notice, Upbit confirmed the hack resulted in losses totaling approximately 44.5 billion KRW or roughly $30 million, including 38.6 billion KRW worth an estimated $26 million in customer assets. About 2.3 billion KRW ($1.5 million) of stolen funds have already been frozen, the firm added.

Upbit is now conducting a broader security review across its infrastructure, noting the incident serves as a reminder that "no security system can ever be considered perfect," pledging deeper upgrades to prevent future breaches.

The crypto exchange said it will provide ongoing public updates and will resume deposits and withdrawals once its wallet systems complete final security checks. The platform has committed to covering all customer losses using its own reserves.

Authorities investigating Lazarus Group involvement

On Nov. 26, the crypto exchange halted withdrawals immediately after detecting abnormal Solana-based outflows, including tokens such as SOL, ORCA, RAY, and JUP, among others.

It subsequently moved remaining assets to cold storage and began a full wallet overhaul.

Upbit is South Korea's largest exchange by trading volume, operating under parent company Dunamu, which is currently preparing for a merger with internet conglomerate Naver ahead of a potential public market listing.

South Korean authorities have also opened an investigation into the incident.

As The Block reported Thursday, local media outlets have cited early intelligence assessments suggesting North Korea's Lazarus Group may be a suspect. However, Upbit and regulators have not publicly confirmed attribution.

Upbit said it continues to coordinate with law enforcement and blockchain projects to freeze and recover stolen assets where possible.