On November 27, Upbit, South Korea’s largest cryptocurrency exchange, reported a series of unusual withdrawals on the Solana network, resulting in an estimated $37 million (54 billion KRW) loss. This is considered one of the most serious incidents for the exchange in 2025, forcing Upbit to temporarily suspend all deposit and withdrawal activities for investigation.
Detection of Unusual Withdrawals
- According to an official statement from CEO Oh Kyung-seok (Dunamu, Upbit’s operator), the suspicious withdrawals occurred at 04:42 AM KST, involving dozens of tokens on Solana.
- The assets were transferred to unidentified external wallets, outside Upbit’s internal control system.
- The affected tokens include SOL, 2Z, ACS, BONK, DOOD, DRIFT, HUMA, IO, JTO, JUP, LAYER, ME, MEW, MOODENG, ORCA, PENGU, PYTH, RAY, RENDER, SONIC, SOON, TRUMP, USDC, W – all popular assets held and traded by Upbit users.
Emergency Measures Implemented

- All deposit and withdrawal services were suspended immediately to protect user assets.
- All customer assets were moved to cold wallets to prevent unauthorized access.
- Suspicious transactions were frozen: Upbit is working with token projects and authorities, having successfully frozen approximately $8.18 million (120 billion KRW) of LAYER tokens, while continuing to trace the remaining funds on the Solana blockchain.
- Comprehensive security checks are being conducted across deposit/withdrawal systems, including Solana, Ethereum, Bitcoin, and other blockchains. Services will only resume once safety is ensured, with progress updates announced publicly.
Commitment to Users
- CEO Oh Kyung-seok officially apologized to customers, confirming that all losses will be covered by Upbit’s reserve fund, ensuring users bear no financial damage.
- Upbit released a list of affected wallet addresses to allow community monitoring and reporting of suspicious transactions.
- The exact attack method and entry point have not yet been disclosed, and it is unclear whether the incident involves a Solana vulnerability, third-party wallet issues, or an internal breach. Analysts suggest it is likely a targeted attack on Upbit’s Solana asset management system.
Investigation Cooperation
- Upbit is collaborating with South Korean authorities, affected token projects, and Solana’s security team to trace the origin of funds.
- Part of the withdrawn assets has been detected moving through intermediary wallets that had not been seen before.






