Upbit has confirmed it found a critical flaw in its internal wallet system while investigating the $30 million hack that hit the exchange earlier this week. The company says the bug could have allowed attackers to derive private keys by analyzing past wallet activity. It remains unclear if the flaw was used in the breach.
Upbit said the issue was discovered during an emergency audit launched after suspicious withdrawals were detected on November 27. The flaw was found in the exchange’s wallet software. According to Upbit, the vulnerability could have let someone analyzing blockchain data uncover private keys tied to wallets.
CEO Oh Kyung-seok said in a translated statement, “We identified a security vulnerability in our system that could have allowed someone analyzing publicly visible Upbit wallet transactions on the blockchain to infer private keys.”
Upbit explained that its system generated weak or predictable signature data. Public blockchain data should not reveal private keys, but the flaw may have allowed someone to work backward from the signature data in past transactions to the keys themselves.
Exchange Suspends Activity and Fixes the Flaw
Following the discovery, Upbit paused all deposits and withdrawals. The team activated an emergency protocol and began a full review of wallet and network infrastructure.
“We identified and addressed the vulnerability during a comprehensive inspection of all related networks and wallet systems,” Oh said.
Upbit moved remaining funds to cold storage and patched the system.
The exchange confirmed that the breach led to losses worth about 44.5 billion KRW, or $30 million. Around $26 million belonged to customers. Roughly $1.5 million of the stolen funds has been frozen. Upbit said it will cover all user losses from its own reserves.
Broader Security Review Underway
Upbit is now conducting a full audit across its systems. The company said deposits and withdrawals will stay suspended until security checks are completed. It plans to release public updates throughout the process.
The exchange admitted the breach exposed gaps in its infrastructure. It said upgrades are being made to strengthen its systems and prevent similar issues in the future.
“No security system can ever be considered perfect,” Upbit stated in the notice.
Authorities Look Into Possible Lazarus Group Link
On November 26, Upbit halted activity after detecting unusual withdrawals involving Solana-based tokens. These included SOL, ORCA, RAY, and JUP. The company then moved all assets to cold storage and began replacing its wallet setup.
South Korean authorities have opened a formal investigation. They are also reviewing whether the Lazarus Group, a North Korea-linked hacking group, may be connected to the attack.
Upbit operates under parent company Dunamu, which is preparing for a planned merger with tech firm Naver. The company has not confirmed the source of the attack, and investigations are still ongoing.