Upbit Solana hot wallet breach: $36M loss, transfers halted, users reimbursed

Upbit Halts Transfers After $36M Solana Hot Wallet Breach, Vows Full Reimbursement

South Korea’s largest cryptocurrency exchange, Upbit, has suspended all deposits and withdrawals after uncovering roughly $36 million in unauthorized withdrawals from one of its Solana hot wallets. The breach, detected in the early hours of Thursday local time, has prompted a full-scale security review across the platform and renewed concerns over centralized exchange security at a critical moment for its parent company, Dunamu.

According to Upbit, the suspicious activity was first identified at around 4:42 am local time (7:42 pm UTC). Once abnormal Solana-network outflows were detected, the exchange immediately halted all on-chain transfers and began a comprehensive inspection of every supported asset. Trading services remain operational internally, meaning users can still buy and sell crypto within the platform, but no funds can currently be moved on or off the exchange.

Upbit emphasized that the incident was confined to a single hot wallet connected to the Solana network. The company stated that its cold wallets—offline wallets designed specifically to protect long-term reserves—were not affected. In response, Upbit rapidly migrated remaining assets from affected hot wallets into cold storage and initiated on-chain measures to freeze or track compromised funds wherever possible.

The exchange has committed to fully compensating any user balances impacted by the breach. Upbit reassured customers that all losses stemming from the hot wallet compromise will be covered from its own reserves, stressing that no client funds will be permanently lost as a result of the incident. Users are not being asked to take any specific action to claim reimbursement; balances will be restored automatically once the internal review is complete.

Despite these assurances, Upbit has not provided a detailed timeline for when deposits and withdrawals will resume. The company has urged customers to remain patient while its security and compliance teams conduct a platform-wide audit and coordinate with domestic financial regulators. Local authorities have reportedly begun on-site inspections to better understand the nature of the breach, the scope of the security failure, and whether existing regulatory requirements were properly met.

The episode has drawn particular attention because it arrived at a pivotal time for Upbit’s parent company, Dunamu. Just one day before the breach, Dunamu announced a headline-grabbing acquisition deal valued at about $10.3 billion with South Korean fintech and technology heavyweight Naver. Under the agreement, Naver Financial will acquire Dunamu through a stock-swap transaction worth roughly 15.1 trillion won. Naver plans to issue more than 87 million new shares to Dunamu’s shareholders, ultimately making Dunamu a wholly owned subsidiary.

This acquisition lays the groundwork for an even more ambitious move: Dunamu’s planned initial public offering in the United States. Following the completion of the merger, Dunamu intends to pursue a US listing, positioning itself as one of the few major Asia-based digital asset companies to test US capital markets at scale. The timing of the security breach, coming immediately after the acquisition announcement and ahead of the planned IPO, raises questions about how investors and regulators will assess Dunamu’s risk management and cybersecurity posture.

Beyond the acquisition and IPO trajectory, Naver and Dunamu have outlined an expansive investment strategy centered on Web3 and artificial intelligence. Over the coming five years, the two companies reportedly plan to deploy nearly $7 billion to build out infrastructure and applications across decentralized technologies and AI-driven services. For that vision to gain traction, however, both firms will need to demonstrate that their core financial and trading platforms can withstand increasingly sophisticated cyber threats.

This is not the first time Upbit’s security has come under fire. In 2019, the exchange suffered a now-infamous breach resulting in the loss of almost $50 million in cryptocurrency, an attack later linked to the North Korean hacking group Lazarus. That incident prompted a significant overhaul of Upbit’s security framework, including a heavier reliance on cold storage and stricter internal controls. The latest hack will likely rekindle memories of that earlier breach and sharpen scrutiny of whether lessons from 2019 were sufficiently implemented and maintained.

The focus on hot wallets is central to understanding what happened. Hot wallets are connected to the internet and are used to facilitate high-frequency, real-time transactions—deposits, withdrawals, and internal transfers. Because they must remain online to ensure liquidity and speed, they are inherently more exposed to cyberattacks than cold wallets, which are kept offline or in air-gapped environments. For exchanges, the key challenge is striking the right balance between operational convenience and security: holding enough assets in hot wallets to meet user demand, but not so much that a breach becomes catastrophic.

In this case, Upbit has been clear that its cold-wallet assets remain intact. That segmentation is a core best practice in the industry and is one reason the exchange can commit to reimbursing customer funds. Yet the simple fact that $36 million could be drained from a single hot wallet underscores how critical operational security, private key management, and real-time monitoring have become for centralized platforms handling billions in digital assets.
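The trade-off described above can be expressed as two controls on a hot wallet: a balance cap that sweeps excess deposits to cold storage, and a rolling-window outflow limit that halts transfers and moves the remainder out when it is exceeded. The sketch below is an added example, not Upbit's code; the class name, thresholds and sample withdrawals are hypothetical, and the cold-storage sweep is modelled as bookkeeping only.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class HotWalletGuard:
    """Hypothetical exposure control for one hot wallet (units: whole tokens)."""
    balance: int            # funds currently in the hot wallet
    cap: int                # most the wallet may hold after a deposit
    window_s: int           # rolling window length in seconds
    window_limit: int       # most that may leave within one window
    halted: bool = False
    cold: int = 0           # running total swept to cold storage
    _recent: deque = field(default_factory=deque)  # (timestamp, amount)

    def deposit(self, amount: int) -> int:
        """Credit a deposit, then sweep anything above the cap to cold storage."""
        self.balance += amount
        excess = max(0, self.balance - self.cap)
        self.balance -= excess
        self.cold += excess
        return excess

    def withdraw(self, ts: int, amount: int) -> bool:
        """Approve a withdrawal only if rolling-window outflow stays in limit."""
        if self.halted or amount <= 0 or amount > self.balance:
            return False
        while self._recent and self._recent[0][0] <= ts - self.window_s:
            self._recent.popleft()          # drop outflows older than the window
        if sum(a for _, a in self._recent) + amount > self.window_limit:
            self.halted = True              # abnormal outflow: stop all transfers
            self.cold += self.balance       # move what is left to cold storage
            self.balance = 0
            return False
        self._recent.append((ts, amount))
        self.balance -= amount
        return True

def replay(guard, events):
    """Feed (timestamp, amount) withdrawal requests; return total that left."""
    return sum(amt for ts, amt in events if guard.withdraw(ts, amt))

# Constructed sample: ordinary withdrawals, then a rapid drain attempt.
SAMPLE = [(0, 40), (300, 55), (900, 30), (3700, 60),
          (3710, 400), (3712, 400), (3715, 400), (3720, 400)]

if __name__ == "__main__":
    g = HotWalletGuard(balance=5000, cap=5000, window_s=3600, window_limit=1000)
    lost = replay(g, SAMPLE)
    print(f"left wallet: {lost}, halted: {g.halted}, swept to cold: {g.cold}")
```

A limit like this only bounds loss if it is enforced where signing happens; a check in the exchange's application layer does not constrain someone who holds the wallet's private key.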

From a regulatory and market perspective, the incident may intensify calls in South Korea for stricter standards for exchange security, proof-of-reserves practices, and incident reporting. Authorities have already been working on frameworks covering everything from stablecoins to the custody obligations of financial institutions dealing with digital assets. A high-profile breach at the country’s leading exchange—right as its parent prepares to join a global tech giant and head toward a US IPO—will add urgency to those reforms.

For Upbit’s existing users, the immediate concerns are more practical: when transfers will reopen, whether there will be additional verification steps, and how this might affect their confidence in keeping assets on centralized platforms. In the short term, users are effectively locked into the exchange’s ecosystem: they can trade, hedge, or rebalance within Upbit, but they cannot withdraw funds to personal wallets or other platforms. That dynamic often leads to short-term shifts in liquidity and pricing within an affected exchange but typically normalizes once transfers resume.

Longer term, incidents like this tend to push more sophisticated users to rethink custody strategies. Many traders already keep only active trading capital on exchanges and move long-term holdings into self-custodied cold wallets. Others diversify across multiple platforms to reduce single-point-of-failure risk. While Upbit’s promise of full reimbursement will soften the immediate blow, the psychological impact—a renewed sense that even top-tier exchanges can be vulnerable—may accelerate this trend.

The breach is also a reminder to the broader industry that security is not a one-time investment but an ongoing process. As exchange infrastructures expand to support new chains like Solana, layer-2 networks, and cross-chain bridges, each integration can introduce fresh attack surfaces. Regular penetration testing, on-chain anomaly detection, granular access controls over private keys, and rapid incident-response playbooks are no longer optional; they are foundational requirements for any platform aspiring to operate at global scale.

For Dunamu and Naver, how they handle the aftermath may prove as important as the technical cause of the hack itself. Transparent communication with users, regulators, and potential investors; a clear explanation of what went wrong; and visible, verifiable improvements to security architecture will all influence how much long-term damage this incident inflicts on their reputation. If managed well, it could be framed as a stress test that leads to a stronger, more resilient platform. If handled poorly, it risks casting a shadow over one of the largest fintech deals in South Korean history and complicating a high-profile IPO campaign.

For now, Upbit’s stance is straightforward: transfers are frozen until a full security review is completed; trading remains operational; cold wallets are secure; and all affected user funds will be made whole. The coming weeks—marked by forensic investigations, regulatory oversight, and market reactions—will determine whether that message is enough to preserve user trust at a moment when the company is attempting to transform itself from a regional crypto heavyweight into a global financial technology player.