- Upbit patched a wallet flaw after a $30M Solana-related hack.
- Withdrawals were halted, and stolen funds were partly frozen following the attack.
- Authorities probe possible Lazarus Group involvement.
South Korea’s largest cryptocurrency exchange, Upbit, has revealed a serious internal wallet vulnerability while conducting an emergency audit in the wake of a $30 million hack.
The discovery comes as the company continues to investigate irregular Solana-based withdrawals that triggered the security review, raising concerns about potential risks to private keys within the platform’s wallet system.
Flaw discovered after emergency audit
The emergency audit, launched following the detection of abnormal activity on Nov. 26, uncovered a flaw in Upbit’s internal wallet software that could allow attackers to mathematically derive private keys by analysing blockchain transactions.
CEO Oh Kyung-seok, in a published announcement after the audit, explained that while blockchain data is normally public but secure, the company’s own wallet implementation produced weak and predictable signature data, creating the theoretical risk.
Upbit emphasised that the flaw was discovered only after the systemwide review and did not appear to be directly linked to the hack itself.
The exchange has since patched the vulnerability and conducted a comprehensive inspection of all related networks and wallet systems to ensure no further weaknesses remain.
Upbit to cover all losses using its own reserves
The Upbit hack, which resulted in losses totalling roughly 44.5 billion KRW, including approximately 38.6 billion KRW in customer assets, prompted immediate action from the exchange.
Withdrawals were suspended, and remaining assets were moved to cold storage to prevent further losses.
About 2.3 billion KRW of the stolen funds, equivalent to around $1.5 million, has already been frozen.
Oh Kyung-seok described the situation as a reminder that no security system can be considered completely infallible.
Kyung-seok assured customers that Upbit would cover all losses using its own reserves and pledged to strengthen security measures across the platform.
The exchange has committed to resuming deposits and withdrawals only after the final verification of its wallet systems.
South Korean authorities are investigating the hack
South Korean authorities have launched an investigation into the incident, with early intelligence reports pointing to potential involvement by the North Korea-linked hacking group Lazarus.
While Upbit and regulators have not publicly confirmed this, the company continues to collaborate with law enforcement and blockchain projects to recover and freeze stolen assets wherever possible.
The incident has prompted Upbit to conduct a broader security review of its entire infrastructure.
The exchange noted that irregular withdrawals from Solana-related wallets, including tokens such as ORCA, RAY, and JUP, served as a catalyst for the emergency audit and subsequent vulnerability discovery.
By conducting a full overhaul of wallet systems, Upbit aims to prevent similar breaches in the future.
Source: https://coinjournal.net/news/emergency-audit-after-the-upbit-hack-reveals-internal-wallet-flaw/