Binance Under Fire After Freezing Just 17% of Upbit Hack Funds

The 15-hour delay and minimal freeze attracted a lot of criticism from security experts who say quick intervention is crucial in active exploits. Upbit has since shifted 99% of customer assets to cold storage as investigators probe links to North Korea’s Lazarus Group. At the same time, Binance faced another security issue when newly appointed co-CEO Yi He had her long-abandoned WeChat account hijacked and used to promote a scam token. The takeover was very similar to a recent breach involving Justin Sun.

Investigators Question Binance Response in Upbit Hack

Korean investigators say Binance froze only a small fraction of the crypto that was stolen in last month’s Upbit hack. According to local reports, authorities urgently requested that Binance halt the movement of roughly 470 million won (about $370,000) worth of Solana traced to the hackers. However, the exchange ultimately froze just 80 million won (about $75,000), or around 17% of the assets flagged for action. 

The freeze was confirmed roughly 15 hours after the initial request. This delay attracted a lot of criticism from security experts and people in the crypto industry.

Analysts monitoring the breach say the attackers used a complex laundering pattern immediately after the Nov. 27 exploit against Upbit’s systems, and quickly dispersed the stolen crypto across more than a thousand wallets. The funds were broken into smaller units, moved through multiple blockchains, and routed via token bridges and swaps to obscure their origin. 

Despite these evasive maneuvers, investigators say the majority of the laundered tokens eventually flowed into service wallets on Binance. That funneling of funds made Binance’s intervention critically important, which only heightened the scrutiny of why the platform acted on only a small portion of the assets identified by police and Upbit.

When questioned by Korean broadcaster KBS, Binance declined to share details about why the freeze was limited or delayed. The exchange said only that it continues to cooperate with authorities “in accordance with appropriate procedures.” That explanation did not ease concerns in South Korea at all. 

Cho Jae-woo, director of Hansung University’s Blockchain Research Institute, said rapid and decisive freezes are essential when it comes to preventing large-scale losses and argued that exchanges sometimes hesitate due to litigation risks. He suggested that the industry should explore the creation of a global emergency hotline or coordinated authority with the power to impose immediate freezes during crisis situations.

The breach also pushed Upbit to implement some of the strictest security measures in the industry. After the hackers stole 44.5 billion won (about $30 million) from the exchange’s Solana hot wallet, operator Dunamu announced that 99% of all customer assets will now be held in cold storage, up from an already high 98.33% at the end of October. Hot wallet exposure is being reduced to nearly zero, which is well beyond South Korea’s legal requirement of 80% cold storage.

Authorities are continuing to investigate the hack, and early intelligence assessments suggest the attack may be linked to North Korea’s Lazarus Group.

New Binance Co-CEO WeChat Account Hijacked

Interestingly, Binance’s newly appointed co-CEO and co-founder Yi He revealed on X that her WeChat account was hijacked after an old mobile number connected to the account was reassigned. She said the account had been abandoned for years and could not initially be recovered, but Binance later confirmed it regained access by working with WeChat’s security team. Blockchain analytics platform Lookonchain reported that the attackers used the compromised account to promote a token called Mubarakah, inflated its price and profited an estimated $55,000.

X post from Yi He

The incident took place just days after Yi He’s elevation to co-CEO, following an announcement by Binance CEO Richard Teng at Binance Blockchain Week in Dubai. It also comes after Tron founder Justin Sun experienced a similar WeChat compromise in November. 

After the latest hack, SlowMist founder Yu Xuan resurfaced a detailed explanation of how WeChat account takeovers can occur, and pointed out that attackers with leaked credentials can seize an account by contacting only two “frequent contacts.” These contacts may include people who were never directly messaged but were added as friends or briefly interacted with in groups. China’s practice of reissuing unused mobile numbers after three months also increases the risk by enabling SIM-linked recovery exploits and social engineering opportunities.

X post from Changpeng Zhao

Xuan advised high-profile crypto figures to avoid adding unknown contacts, rotate passwords regularly, and respond immediately to login alerts. Binance co-founder Changpeng Zhao also reminded users that he has not used WeChat in a long time and warned that he would never promote meme coin contracts there. The warning comes months after BNB Chain’s official X account was hacked and used to post phishing links.

Source: https://coinpaper.com/13074/binance-under-fire-after-freezing-just-17-of-upbit-hack-funds