Detecting unauthorized outflows on November 27, 2025, Upbit disclosed that approximately ₩54 billion (about $36 million) was illicitly withdrawn from its Solana hot wallet infrastructure. The compromise affected at least 24 Solana‑based tokens, including SOL, USDC, BONK and JUP. It prompted immediate suspension of Solana deposits and withdrawals and an emergency consolidation of remaining assets to cold storage, while forensic and issuer coordination commenced to trace cross‑jurisdictional movements.
This initial disclosure emphasized immediate priorities of wallet security and forensic tracing, with exchange engineers undertaking rapid key rotation, segregation of duties, and architectural isolation to limit residual exposure, while external blockchain analytics firms were retained to map transaction flows and identify intermediary custodial endpoints used in apparent laundering sequences.
The operational response, described by company statements and independent observers, combined transactional containment with client protection: Upbit froze affected token operations, executed asset transfers to offline custody, and committed corporate reserves to reimburse users. This approach preserved customer balances while creating a temporal window for investigative activity across multiple jurisdictions. To further enhance security, Upbit has also accelerated implementation of hardware security keys and multi-signature solutions to protect critical infrastructure.
Technical analysis published by third‑party auditors highlighted a systemic weakness in multi‑chain key management, wherein derivation pathways exposed private key material through on‑chain correlates, thereby undermining hot wallet integrity for assets transacted on Solana and related chains, and prompting urgent recommendations for hardened cryptographic isolation and enhanced hardware security module deployment.
Transaction monitoring revealed rapid cross‑chain movements and obfuscation tactics, including use of decentralized bridges and fragmented transfers through several exchanges, which complicated traceability despite substantial on‑chain transparency; investigators noted partial recoveries in Switzerland while encountering limited cooperation from certain jurisdictions, underscoring the geopolitical complexity of asset recovery.
Attribution assessments, informed by behavioral indicators and historical parallels, suggested involvement of actors with profiles consistent with prior state‑linked campaigns, a conclusion that has intensified regulatory scrutiny and may influence Upbit’s strategic timelines, including potential delays to planned capital market initiatives.
The incident advances industry discourse on custody risk, operational resilience, and the necessity for coordinated international forensic tracing capabilities to deter and remediate sophisticated crypto asset exfiltration. New emergency inspection protocols were also reported to have been activated immediately following the detection. Additionally, Dunamu has publicly pledged to reimburse affected customers from company reserves.