$36.8 Million Theft at Upbit: System Vulnerabilities and Possible Links to North Korean Hackers

On November 27, Upbit, South Korea’s largest bitcoin exchange, suspended withdrawals following an attack in which hackers stole assets worth $36.8 million.

The breach was attributed to a vulnerability in the company’s internal system, as stated by the firm.

The issue stemmed from the wallet software used by Upbit, which generated weak or predictable digital signature data. This allowed the perpetrators to mathematically reconstruct the private keys of specific wallets by analyzing transaction history data.
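The weakness described above, a signer whose nonce-derived signature component repeats or is predictable across transactions, is visible in the public transaction history itself, which is why an exchange or auditor can screen its own signing history for it before an attacker does. The following is an added illustration written for this article, not code from Upbit or from any wallet software named here; it assumes that each signature exposes a nonce-derived component (ECDSA `r` or Ed25519 `R`) alongside the hash of the signed message, and the wallet names and hex values are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sig:
    """One observed signature from a wallet's transaction history.
    All fields are hex strings; the sample values below are constructed."""
    signer: str     # public key / wallet address that produced the signature
    r: str          # nonce-derived component (ECDSA r, or Ed25519 R)
    msg_hash: str   # hash of the signed transaction


def find_nonce_reuse(sigs):
    """Group signatures by (signer, r) and return the pairs whose r was used to
    sign two or more *different* messages. A repeated r over distinct messages
    is the fingerprint of a reused or predictable nonce, which is exactly what
    lets a third party recover the private key. Re-broadcasts of the identical
    transaction (same r, same message) are not flagged."""
    by_key = defaultdict(set)
    for sig in sigs:
        by_key[(sig.signer, sig.r)].add(sig.msg_hash)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def nonce_diversity(sigs):
    """Per signer: distinct r values divided by distinct (r, msg) pairs.
    A healthy signer scores 1.0; anything below 1.0 deserves investigation."""
    uniq = defaultdict(set)
    for sig in sigs:
        uniq[sig.signer].add((sig.r, sig.msg_hash))
    return {
        signer: len({r for r, _ in pairs}) / len(pairs)
        for signer, pairs in uniq.items()
    }


SAMPLE_SIGS = [  # constructed sample data, not real chain data
    Sig("walletA", "0x1111", "0xaaa1"),
    Sig("walletA", "0x1111", "0xaaa2"),   # same r, different tx -> nonce reuse
    Sig("walletA", "0x2222", "0xaaa3"),
    Sig("walletB", "0x3333", "0xbbb1"),
    Sig("walletB", "0x3333", "0xbbb1"),   # same r, same tx -> re-broadcast, fine
    Sig("walletB", "0x4444", "0xbbb2"),
]


if __name__ == "__main__":
    for (signer, r), hashes in find_nonce_reuse(SAMPLE_SIGS).items():
        print(f"ALERT {signer}: r={r} reused across {len(hashes)} txs {hashes}")
    for signer, score in nonce_diversity(SAMPLE_SIGS).items():
        print(f"{signer}: nonce diversity {score:.2f}")
```

Run on the sample data, the scan flags only `walletA`, whose `r` value `0x1111` signed two different transactions, while `walletB`'s duplicate is a harmless re-broadcast of the same transaction. The `nonce_diversity` score is a cheap fleet-wide metric: any signer below 1.0 should be rotated to a fresh key and its signing code reviewed for a broken or non-deterministic-but-weak nonce source.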

According to local media, authorities are also investigating the potential involvement of the North Korean hacker group Lazarus in the attack. There has been no official confirmation of this information so far.

The incident transpired on the Solana network. Around 4 a.m. local time, part of the tokens were transferred to an unidentified external wallet.

The affected assets include SOL, 2Z, ACS, BONK, DOOD, DRIFT, HUMA, IO, JTO, JUP, LAYER, ME, MEW, MOODENG, ORCA, PENGU, PYTH, RAY, RENDER, SONIC, SOON, TRUMP, USDC, and W.

Upbit has since moved all tokens to secure cold wallets. They managed to freeze a portion of the stolen assets, specifically LAYER tokens worth $8.18 million.

The exchange announced its collaboration with blockchain security teams and law enforcement to investigate the incident. Representatives of the platform emphasized that users will receive full compensation for their losses from the company’s reserves.

Details of the attack are yet to be disclosed.

Dmitry Poida, an analyst specializing in investigations for the AML/KYC provider Shard, noted that the breach could have resulted from the compromise of a hot wallet or the exchange’s withdrawal infrastructure.

A less likely scenario involves an issue within the withdrawal module logic on the Solana network. Upbit’s mention of an “emergency security check” of the blockchain systems hints at such a possibility.

“This network differs from others in its transaction architecture, and errors in such modules can sometimes allow for address substitution or bypassing verification procedures,” the expert explained.

The attackers’ focus on illiquid and new coins further supports the assertion that the hot wallet of the Solana-based platform was hacked. According to Poida, such addresses “typically house less liquid and smaller tokens that come through the exchange when it processes customer withdrawals and deposits.”

When discussing the chances of recovering all stolen funds, the analyst stressed that with the involvement of the Korean cyber police, financial regulators, and the Solana project teams, the prospects for recovery “will substantially increase.”

“Upbit is the largest exchange in South Korea; such companies maintain close ties with regulators and law enforcement. It is not a global anonymous crypto platform but part of a formally regulated fintech infrastructure in the country,” Poida concluded.

On November 26, South Korea’s leading IT conglomerate, Naver Financial, announced its acquisition of Dunamu—the operator of Upbit. The deal is worth $10.29 billion. After the merger, both companies will retain their independence and continue operations in their current business segments.

According to sources, in light of the incident, the exchange is preparing for an IPO.

Shareholders of Dunamu will be able to exchange their shares for Naver Financial stock at a mutually agreed rate of 1:3.3, after which Dunamu will fall under Naver’s control.

Dunamu’s Chairman, Song Chi-hyun, and Vice Chairman, Kim Hyun-nen, will become the largest stakeholders in the merged entity, holding a combined stake of 30%.

The CEO of the exchange operator, Oh Ken-sok, stated that both companies would develop their own stablecoin pegged to the South Korean won. Earlier, local media reported that in December, Naver would launch a wallet for “stable coins” as part of a pilot project in Busan.

Additionally, it was reported that over the next five years, Naver and Dunamu will invest approximately $6.8 billion in creating a financial infrastructure based on artificial intelligence and blockchain technology.

Recall that in November of last year, South Korean authorities discovered up to 600,000 KYC violations at Upbit.