On November 27, 2025, hackers broke into Upbit, South Korea’s biggest cryptocurrency exchange, and stole almost 54 billion Korean won ($36.8 million) worth of Solana-based assets from its hot wallets. At 4:42 a.m. KST, the issue was discovered. It involved unlawful withdrawals of tokens like SOL, USDC, BONK, JUP, RAY, RENDER, ORCA, PYTH, and more than 20 others.
This was the exchange’s second major hack in six years, and it happened on the anniversary of its 2019 Ethereum heist. Upbit quickly stopped all deposits and withdrawals, shifted assets to cold storage, and promised to fully reimburse customers from corporate reserves, so that no customers lost money. Authorities in South Korea think the infamous North Korean Lazarus Group is behind the attacks, and investigations suggest that admin credentials were stolen.
This hack, which happened during a $10.3 billion merger with Naver, shows that centralized platforms are still vulnerable, even if crypto is supposed to be decentralized. The exchange is doing emergency audits and freezing $8.2 million in stolen LAYER tokens.
Details of the Breach and Immediate Response
The attack happened quickly. At 4:42 a.m., Upbit’s monitoring systems saw strange outflows from Solana hot wallets, with money being sent to unknown external addresses. The stolen assets were worth about $36.8 million at the time and included significant Solana ecosystem tokens, such as stablecoins like USDC and meme coins like BONK and MOODENG. CEO Oh Kyung-seok said in a public apology, “We will cover the full amount lost with Upbit’s own assets so that customers are not affected in any way.”
Upbit acted quickly: all deposit and withdrawal services were stopped across the platform, not only Solana, to keep the losses from growing. The assets were moved to safe cold storage. The exchange worked with token issuers and blockchain analytics companies to track down and freeze assets, successfully locking up $8.2 million in LAYER tokens. A full security review is under way, and services will resume in phases starting on December 1, 2025, at 1 p.m. KST for networks that are not Solana.
This is Upbit’s first big problem since November 27, 2019, when hackers linked to Lazarus stole 342,000 ETH, which was worth $50 million at the time and is now worth more than $1 billion. The 2025 breach happened just hours after Dunamu announced its $10.3 billion merger with Naver, which led to speculation that it was a planned attack, but there is no proof of this.
The Lazarus Group in North Korea is a likely suspect
According to Yonhap News, South Korean officials strongly suspect the Lazarus Group, North Korea’s state-sponsored hacking group, which steals billions of dollars in cryptocurrency to pay for government activities. The 2025 attack is similar to the 2019 attack in that it used compromised admin credentials or impersonation to get into hot wallets, avoiding direct infrastructure compromises. Lazarus is behind Ronin’s $625 million heist in 2022 and Harmony’s $100 million loss in 2022. The group commonly uses mixers and over-the-counter trades to launder money.
Investigators said that the date (the precise anniversary) and the execution are comparable, and that the money was dispersed in a way that made it hard to trace. The Financial Supervisory Service (FSS) and the Korea Internet & Security Agency (KISA) sent people to check on AML compliance. “This has Lazarus fingerprints—sophisticated, state-backed,” a government source told Yonhap.
There is no official word yet, but Chainalysis estimates that North Korea stole $1.5 billion in cryptocurrency in 2025 alone to fund its nuclear operations. Upbit’s $36.8 million loss is small by comparison, but the breach’s size (second-largest in 2025 after Bybit’s $1.5 billion intrusion in February) makes people even more worried.
Effect on the market and reassurance for users
The crypto markets were down for a short time: Bitcoin dropped 1% to $115,000, and Solana dropped 3% to $140. Upbit’s trading stopped for a short time because of its $2 billion daily volume, but the exchange promised to fully repay customers, which was different from FTX’s collapse in 2022.
Upbit said, “Member assets are safe; losses will be covered by reserves.” The $36.8 million hit (0.37%) is tolerable because the company has $10 billion in assets under its control. However, the company’s reputation is still hurt by the Naver merger examination. After the news, Dunamu shares fell by 5%.
On X, there were conflicting reactions: @CryptoKorea told people to stay calm (“Upbit strong—full cover”), while @HackWatchKR said Lazarus was getting back at the US for sanctions.
More general effects on the security of cryptocurrencies
This is the second Upbit breach in six years, and it shows that centralized exchanges have a weak spot: hot wallets for liquidity are still the main target, even though cold storage has been more popular since 2019. Chainalysis says that Lazarus has stolen more than $3 billion since 2017. This shows that nation-states are a concern, since the UN says that 50% of North Korea’s weapons are bought with cryptocurrency.
It is ironic for DeFi that Hyperliquid and dYdX brag about on-chain transparency, yet CEXs like Upbit handle 90% of the volume. The U.S. CFTC wants to keep a watch on perp trading, while South Korea’s FSC wants stronger limits on hot wallets.
For users, the lessons are to use different exchanges, hardware wallets, and two-factor authentication. Upbit’s phased restart on December 1 puts security first. This is a lesson for a $4 trillion market.
Conclusion
The $36.8 million Solana hack on Upbit, which is thought to be the work of Lazarus on the anniversary of the 2019 hack, exposes the weakness of CEXs in the middle of the $10 billion Naver merger. Full refunds and freezes ($8.2M in LAYER) help with the damage, but trust is fading as phased resumptions get closer. For crypto, this is a clear warning: decentralization promises security, but centralized points fail. As investigations continue, exchanges must strengthen their security, or they risk losing customers to real DeFi.