South Korea’s largest cryptocurrency exchange, Upbit, is restarting deposits and withdrawals after halting operations due to a major security breach on November 27.
Key Takeaways
- Upbit resumes crypto wallet services from December 1 at 1 PM KST, following a $36.8 million theft involving Solana-based assets.
- The North Korea-linked Lazarus Group is suspected of orchestrating the attack, which targeted over 20 Solana network tokens.
- Upbit will reimburse all user losses from corporate reserves, ensuring no customers are financially affected.
- New deposit addresses are required for all users, with phased resumption depending on each asset’s security inspection status.
What Happened?
On November 27, 2025, Upbit detected unauthorized withdrawals from its hot wallets, prompting the immediate suspension of all deposit and withdrawal functions. The breach resulted in the theft of roughly 54 billion Korean won (around $36.8 million USD) in Solana (SOL), USDC, and other Solana ecosystem tokens such as BONK, JUP, RAY, ORCA, RENDER, PYTH, and TRUMP.
The exchange confirmed it will begin restoring services in phases starting December 1 at 1 PM KST, prioritizing assets that have cleared wallet system inspections and security checks.
Lazarus Group Suspected in Sophisticated Cyberattack
South Korean authorities strongly suspect the Lazarus Group, a North Korean state-sponsored hacking team, was behind the attack. The suspicion rests on similarities to a 2019 hack in which 342,000 ETH was stolen from Upbit. Government officials believe the group either compromised administrator accounts or impersonated administrators to authorize the transfers.
Blockchain analysts noted that after acquiring the funds, the hacker swapped stolen SOL for USDC and moved the assets to Ethereum, a method likely intended to mask the origin of the funds.
According to security firm Immunefi, Lazarus was responsible for over $300 million in crypto hacks in 2023 alone, accounting for nearly 18% of all losses that year.
Immediate Action and Recovery Measures
Following the breach, Upbit moved all remaining assets to cold storage to secure user funds and successfully froze $8.18 million worth of LAYER tokens, rendering a portion of the stolen assets useless to attackers.
The company emphasized that it will cover 100% of user losses from its own reserves, a point reiterated by CEO Oh Kyung-seok, who assured users that “no customer will suffer personal losses.”
Service Restoration and Address Changes
Upbit’s restoration will begin with tokens on networks like Akash (AKT) and Ethereum assets including 1INCH, AAVE, and ADT. The platform has warned users that existing deposit addresses are no longer valid. Any attempt to use old addresses could lead to processing delays.
The exchange urged users to verify and update their deposit addresses for every asset and to delete any Upbit addresses stored in personal wallets or on other exchanges.
The resumption of deposit and withdrawal functions will be gradual, with no specific timeline provided for when all tokens will be available again. Users were able to continue trading during the suspension but could not move assets in or out of their accounts.
Regulatory Oversight Underway
South Korea’s Financial Supervisory Service (FSS) has launched an on-site inspection of Upbit, expected to continue until December 5. The regulatory body aims to assess the platform’s internal controls and incident response to strengthen investor protections and prevent future breaches.
The hack occurred just one day after Naver Financial announced a 15.1 trillion won ($10.3 billion) all-stock acquisition of Dunamu, Upbit’s parent company. The merger is scheduled for completion in June 2026.
CoinLaw’s Takeaway
Honestly, I think Upbit handled this crisis better than most exchanges ever have. In my experience, covering user losses immediately from corporate reserves is a strong move that rebuilds trust fast. The fact that they acted quickly, froze some assets, and are cooperating with regulators shows real maturity in a market often plagued by slow responses. I found the requirement to update deposit addresses a bit of a hassle, but it’s a smart security move given the circumstances. If you’re an Upbit user, this is your reminder to check and update your wallet info ASAP.
