Upbit Finds Critical Wallet Flaw After $30M Hack — But Was It the Cause?

  • Upbit discovered a serious wallet flaw during its emergency audit but has not linked it directly to the $30M hack.
  • The breach involved irregular Solana-based withdrawals, with authorities probing possible Lazarus Group ties.
  • Deposits and withdrawals remain paused as Upbit completes a full security overhaul and pledges to cover user losses.

Upbit has revealed that an internal wallet flaw was discovered during its emergency investigation into the $30 million breach that struck the South Korean exchange this week. While the company says the vulnerability has been patched, it has not confirmed whether the flaw played any role in the hack itself.

Wallet Bug Could Have Exposed Private Keys

In a statement released Friday, CEO Oh Kyung-seok said Upbit engineers uncovered a critical issue in the exchange’s wallet infrastructure that, under certain conditions, may have allowed someone to infer private keys by analyzing on-chain transaction patterns.

Although blockchain data normally reveals nothing about private keys, Upbit said its wallet software contained an implementation bug that sometimes generated weak or predictable signature data. In theory, this could have enabled a sophisticated attacker to reconstruct keys by studying historical transactions.

Upbit emphasized it found the flaw only after launching a full system audit in response to irregular withdrawals from Solana-related wallets on Nov. 27. The exchange stopped short of attributing the theft to the vulnerability.
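One check a wallet audit can run over signing history for the weak signature data described above, as an added example that is not Upbit's code and does not reproduce its bug, which the statement does not detail. It flags any 64-byte R||S signature (the Ed25519 layout used for Solana transactions) whose R half repeats under one signer across different messages. The record layout, names and sample data are assumptions constructed for illustration, and a repeated R is only one detectable form of weak signature data.

```python
from collections import defaultdict

SIG_LEN = 64  # assumed layout: R (32 bytes) || S (32 bytes)

def audit_signatures(records):
    """Return (findings, malformed).

    records: iterable of (tx_id, signer, message_bytes, signature_bytes).
    findings: {(signer, R_hex): [tx ids]} for each R value that one signer
    used on more than one distinct message.
    malformed: tx ids whose signature is not 64 bytes long.
    """
    seen = defaultdict(dict)  # (signer, R) -> {message: first tx id}
    malformed = []
    for tx_id, signer, message, signature in records:
        if len(signature) != SIG_LEN:
            malformed.append(tx_id)
            continue
        r_part = signature[:32]
        # Deterministic signing gives the same R for the same message, so
        # only a repeated R over different messages counts as a finding.
        seen[(signer, r_part)].setdefault(message, tx_id)
    findings = {
        (signer, r.hex()): sorted(msgs.values())
        for (signer, r), msgs in seen.items()
        if len(msgs) > 1
    }
    return findings, malformed

# Constructed sample history (not real chain data).
R1, R2, R3 = (bytes([b]) * 32 for b in (0x11, 0x22, 0x33))
S = bytes([0x01]) * 32
SAMPLE = [
    ("tx1", "walletA", b"pay 5 to X", R1 + S),
    ("tx2", "walletA", b"pay 7 to Y", R1 + bytes([0x02]) * 32),  # R reused
    ("tx3", "walletA", b"pay 5 to X", R1 + S),   # same message resubmitted
    ("tx4", "walletA", b"pay 9 to Z", R2 + S),
    ("tx5", "walletB", b"pay 1 to X", R1 + S),   # other signer, no finding
    ("tx6", "walletB", b"pay 2 to Y", R3[:10]),  # truncated signature
]

if __name__ == "__main__":
    findings, malformed = audit_signatures(SAMPLE)
    for (signer, r_hex), txs in findings.items():
        print(f"{signer}: R {r_hex[:16]}... reused in {txs}")
    print("malformed:", malformed)
```

A clean result from this check does not rule out biased or otherwise predictable nonces, which need statistical analysis of the signing code's randomness rather than a duplicate scan.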

Losses Total $30M, Broader Review Underway

The exchange confirmed the hack resulted in losses of roughly 44.5 billion KRW (about $30 million), including around $26 million in customer assets. Roughly $1.5 million has already been frozen with the help of blockchain partners and law enforcement.

Upbit has activated its emergency security procedures, suspended deposits and withdrawals, and migrated remaining assets to cold storage while it completes a comprehensive review of all wallet systems. The exchange reiterated that it will fully reimburse users from its own reserves.

“The incident underscores that no security system is ever perfect,” Oh said, pledging infrastructure upgrades and continuous monitoring.

Possible Lazarus Group Involvement

South Korean authorities have launched a formal investigation and are examining possible links to North Korea’s Lazarus Group, which has been tied to multiple major crypto hacks. Early intelligence assessments reportedly consider the group a potential suspect, though Upbit and regulators have not confirmed any attribution.

Upbit — the country’s largest exchange by trading volume — continues to coordinate with law enforcement and blockchain networks to trace and freeze stolen funds. Deposits and withdrawals will remain paused until final security checks are complete.
