Upbit Halts Solana Withdrawals After $37M Hack – How Safe Are Hot Wallets in 2025?

December 4, 2025

South Korea’s largest and one of the best crypto exchanges, Upbit, has been hit by yet another major crypto security breach, as $36.8 million (roughly 54 billion KRW) was transferred to an unauthorized external address. As a result, the exchange has halted all Solana (SOL) based withdrawals and deposits while pledging to refund all affected customers from its reserves.

On-chain data of transfers from Upbit to unauthorized external addresses. Source: Lookonchain Official X Account

What has truly shocked the crypto community, however, isn’t the scale of the breach but the timing. The incident comes exactly six years after Upbit’s notorious hack, where 342,000 ETH, worth nearly $50 million at the time, was drained from its hot wallet in a theft that South Korea later attributed to North Korean hackers. Now, the déjà vu has reignited a debate many believed was long settled: whether hot wallets can safely protect user funds against hacks.

The “Déjà Vu” Hack: What Happened This Time?

The alarm was raised when Upbit’s automated monitoring systems flagged a series of unusual withdrawals. Unlike typical user activity, these transactions were fast, high-volume, and directed toward a previously unknown crypto wallet address, a sharp reminder of why platforms like the Digitap crypto exchange emphasize continuous crypto wallet monitoring and risk controls.
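The signals described above (fast, high-volume withdrawals directed at a previously unseen address) can be expressed as a sliding-window rule over hot-wallet withdrawal events. This is an added illustration, not Upbit's or Dunamu's monitoring code; the field names, thresholds, and placeholder addresses are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def detect_hot_wallet_bursts(withdrawals, known_destinations,
                             window_s=300, max_count=3, max_usd=250_000):
    """Alert once per destination outside `known_destinations` that receives
    more than `max_count` withdrawals or more than `max_usd` in total within
    a `window_s`-second sliding window. Thresholds are illustrative."""
    windows = defaultdict(deque)   # dest -> (ts, usd) events inside the window
    totals = defaultdict(float)    # dest -> running USD sum inside the window
    alerted, alerts = set(), []
    for w in sorted(withdrawals, key=lambda e: e["ts"]):
        dest = w["dest"]
        if dest in known_destinations:
            continue  # previously seen/allowlisted; covered by other controls
        q = windows[dest]
        q.append((w["ts"], w["usd"]))
        totals[dest] += w["usd"]
        # Evict events that have aged out of the window.
        while q and q[0][0] <= w["ts"] - window_s:
            _, old_usd = q.popleft()
            totals[dest] -= old_usd
        reasons = []
        if len(q) > max_count:
            reasons.append("velocity")
        if totals[dest] > max_usd:
            reasons.append("volume")
        if reasons and dest not in alerted:
            alerted.add(dest)
            alerts.append({"dest": dest, "ts": w["ts"], "reasons": reasons,
                           "count": len(q), "usd": round(totals[dest], 2)})
    return alerts

# Constructed sample: timestamps in seconds, placeholder addresses.
KNOWN = {"ADDR_KNOWN_CUSTOMER_1", "ADDR_KNOWN_CUSTOMER_2"}
SAMPLE = [
    {"ts": 0,    "dest": "ADDR_KNOWN_CUSTOMER_1", "token": "SOL",  "usd": 900_000},
    {"ts": 10,   "dest": "ADDR_NEW_A", "token": "USDC", "usd": 1_200},
    {"ts": 900,  "dest": "ADDR_NEW_A", "token": "USDC", "usd": 800},
    {"ts": 1000, "dest": "ADDR_NEW_B", "token": "SOL",  "usd": 90_000},
    {"ts": 1020, "dest": "ADDR_NEW_B", "token": "BONK", "usd": 70_000},
    {"ts": 1045, "dest": "ADDR_NEW_B", "token": "RAY",  "usd": 60_000},
    {"ts": 1060, "dest": "ADDR_NEW_B", "token": "USDC", "usd": 120_000},
]

if __name__ == "__main__":
    for alert in detect_hot_wallet_bursts(SAMPLE, KNOWN):
        print(alert)
```

In practice an alert like this would feed a hold-and-review step on the hot wallet rather than only a notification, since the transfers settle within seconds.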

According to an emergency statement by Dunamu, the operator of Upbit, the breach specifically targeted the exchange’s Solana hot wallet. The attackers managed to siphon a diverse basket of Solana-based coins, including Solana (SOL), USDC, TRUMP, BONK, Raydium (RAY), and Access Protocol (ACS), among others.

Although the company reassured all affected customers by promising to refund all stolen coins from its treasury, the market reaction was swift. Solana’s price dipped by 4% in the hours following the crypto news, and other altcoins were affected. However, the market has since recovered.

The Ghost of 2019 Continues to Haunt

For veteran crypto traders, November 27 carries a heavy significance. Exactly six years ago, Upbit suffered a similar fate and what could be described as its most devastating blow. Hackers breached the exchange’s Ethereum hot wallet and made off with 342,000 ETH. At the time, the stolen Ether was valued at roughly $50 million; today, the haul is worth billions.

In their investigative report, the United States and the FBI attributed the 2019 attack to a state-sponsored cybercrime syndicate known as the Lazarus Group. The incident forced Upbit to suspend services for weeks and led to a massive overhaul of South Korean crypto regulations.

The fact that a similar incident is happening to the same company on the sixth anniversary of the previous episode has got many talking and asking: could this be a coincidence or a taunt?

While investigations are still ongoing and it is difficult to confirm for certain if it’s a coincidence, most analysts believe it is not random and may be a sign of attackers exploiting known patterns.


Upbit’s Hot Wallet Compromise Reignites Fresh Fear

The Upbit hack also serves as a harsh reality check for the long-standing narrative of “Institutional-grade” security. If South Korea’s largest crypto exchange, operating under one of the world’s strictest regulatory regimes, can be breached, the industry is forced to confront an uncomfortable question: who is truly safe?

Following the announcement, SOL’s crypto price pulled back a bit before gaining momentum mid-day. This suggests that many traders interpreted the event as a breach specific to Upbit’s hot-wallet infrastructure, rather than a technical flaw in the Solana blockchain.

Meanwhile, industry experts analyzed three critical vulnerabilities that remain unresolved in 2025. One, despite advancements in multi-party computation (MPC) and hardware security modules (HSM), the fundamental risk that online keys can be stolen persists. This is against the backdrop of crypto exchanges competing to deliver instant withdrawals and thus keeping a disproportionate volume of tokens in the hot wallet.

Also, in 2025, hackers are increasingly deploying sophisticated malware, such as AI tools that can bypass traditional two-factor authentication by intercepting session tokens or mimicking biometric data.

Finally, insider threats and social engineering continue to be a major concern. As technical defenses improve, cybercriminals are increasingly targeting the human element. Particularly, hackers are now notorious for impersonating recruiters or tech support personnel to trick exchange employees into downloading malicious software.

What Lies Ahead For Upbit: Regulatory Struggles or Merger Death Blow?

Unfortunately, this attack against Upbit came barely 24 hours after the announcement of a potential 10-billion merger deal between its operator and the tech giant, Naver. In the regulatory filing, the two entities reached a consensus on a 10.3 billion stock-swap deal, which will enable Naver Financial to acquire all of Dunamu’s shares.

While this deal is unlikely to be scrapped entirely, analysts warn that the breach potentially hands significant leverage to regulators who are expected to closely scrutinize the deal.

Moreover, the exchange was already facing scrutiny from South Korea’s Financial Intelligence Unit (FIU) over alleged AML/KYC violations, leading to a ₩35.2 billion fine. Whereas in 2019 the regulators were lenient, viewing the industry as nascent, oversight of the sector has become significantly stricter in recent years.

This, however, remains a developing story as no official comment has yet been released by any of the regulators as of press time.

Conclusion

This latest breach is a significant setback for Upbit and could complicate Naver shareholders’ pending merger approval scheduled for May 2026. While the exchange’s swift promise to fully reimburse affected users has helped contain immediate backlash, its long-term stability will depend on the findings of ongoing investigations and the strength of its remediation efforts.

More broadly, the incident underscores the persistent vulnerabilities of hot wallets. Although they offer speed and liquidity, the way private keys are managed leaves digital wallets exposed to remote compromise, making them a high-value target for hackers.

What makes this case particularly unsettling is the uncanny repetition of a similar exploit on the same date six years ago, raising deeper concerns about recurring weaknesses in Upbit’s security architecture. Ultimately, the industry is reminded once again that convenience must never outweigh robust, evolving security practices.


Tobi Opeyemi Amure

Tobi Opeyemi Amure is a full-time freelancer who loves writing about finance, from crypto to personal finance. His work has been featured in places like Watcher Guru, Investopedia, GOBankingRates, FinanceFeeds and other widely-followed sites. He also runs his own personal finance site, tobiamure.com