Upbit Solana hot wallet hack: $36M security breach and impact on users

South Korea’s biggest cryptocurrency exchange, Upbit, has revealed a major security breach on the Solana network that resulted in the loss of roughly 54 billion Korean won—about $36 million. The incident, which involved one of the platform’s hot wallets, forced the company to temporarily suspend some services and quickly move user assets into more secure storage.

According to a public notice from Dunamu CEO Oh Kyung-seok, Upbit’s systems detected unusual withdrawals in the early hours of November 27, 2025. At approximately 04:42 local time, the exchange confirmed that part of its Solana-based holdings had been transferred to a wallet address that had not been authorized internally. In other words, funds were sent to an unknown external wallet that was not under Upbit’s control.

The compromised wallet was a so‑called “hot wallet”—a type of wallet that remains connected to the internet so it can process deposits and withdrawals quickly. While hot wallets are essential for day‑to‑day exchange operations, they are also more exposed to cyberattacks than cold wallets, which are kept offline. As soon as the abnormal activity was confirmed, Upbit froze certain Solana-related functions and began migrating remaining assets to cold storage to prevent further losses.

The stolen funds included a mix of Solana-based tokens, notably several meme coins that have grown popular among retail traders. Among the affected assets were Bonk (BONK), Moodeng (MOODENG), and Official Trump (often traded under the ticker TRUMP), alongside other Solana ecosystem tokens. Upbit has not yet disclosed the precise breakdown of each asset lost but has emphasized that the breach was limited to one wallet address rather than the entire platform infrastructure.

Following the discovery, Upbit launched an internal investigation and began tracking the on‑chain movement of the stolen funds. Blockchain data allows investigators to follow the trajectory of tokens across wallets and protocols, even if the attacker attempts to obfuscate the trail through decentralized exchanges, mixers, or cross‑chain bridges. The exchange is also cooperating with law enforcement and industry partners to identify the attacker and potentially freeze assets if they touch centralized platforms.

For users, the immediate impact was a temporary suspension or slowdown of certain Solana-related services—such as withdrawals, deposits, and potentially trading for a subset of tokens—while Upbit carried out system checks and reconfigurations. The company has stressed that user balances will be honored, signaling that it plans to cover the losses from its own reserves or insurance rather than passing the damage to customers. However, final details on compensation and incident resolution are typically shared only after forensic audits are complete.

This breach once again highlights the core security trade‑off in centralized exchanges: convenience versus safety. To facilitate fast trading and instant withdrawals, exchanges must keep a portion of assets online in hot wallets. The larger that share, the more capital is at risk in the event of a compromise. Many major exchanges have therefore moved toward a model where only a small fraction of funds are hot, with the majority held in multi‑signature cold wallets, hardware devices, or other offline solutions that require multiple approvals to move funds.
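The two controls this paragraph and the earlier account of the incident describe, an allowlist of internally approved destinations with outflow limits on the hot wallet, and a cap on the share of custody kept online, can be expressed as simple monitoring rules. The following is an added illustration, not Upbit's own code; the transfers, destination labels, limits and token values are constructed, and the rules are generic exchange-side policy checks rather than anything the notice specifies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    """One outgoing transfer from the hot wallet (constructed sample data)."""
    slot: int           # Solana slot in which the transfer landed
    token: str
    amount_usd: int     # USD value at time of transfer, whole dollars
    destination: str

# Constructed allowlist of internally approved destinations; placeholder labels,
# not real Solana addresses.
APPROVED = {"COLD_WALLET_A", "COLD_WALLET_B", "MARKET_MAKER_1"}

# Constructed outflow: routine transfers, then a burst to a never-approved address.
SAMPLE_TRANSFERS = [
    Transfer(100, "BONK", 1_500, "COLD_WALLET_A"),
    Transfer(101, "MOODENG", 200, "MARKET_MAKER_1"),
    Transfer(102, "BONK", 9_000_000, "UNKNOWN_EXTERNAL_1"),
    Transfer(103, "TRUMP", 8_000_000, "UNKNOWN_EXTERNAL_1"),
    Transfer(104, "MOODENG", 5_000_000, "UNKNOWN_EXTERNAL_1"),
]

def monitor(transfers, approved=APPROVED, per_transfer_limit_usd=1_000_000,
            window_slots=10, window_limit_usd=10_000_000):
    """Return (rule, slot, detail) alerts for three hot-wallet policy rules:
    destination not on the allowlist, a single transfer above a per-transfer
    limit, and total outflow over a rolling slot window above a limit."""
    alerts = []
    ordered = sorted(transfers, key=lambda t: t.slot)
    start, running = 0, 0
    for t in ordered:
        if t.destination not in approved:
            alerts.append(("unauthorized_destination", t.slot, t.destination))
        if t.amount_usd > per_transfer_limit_usd:
            alerts.append(("large_transfer", t.slot, t.amount_usd))
        running += t.amount_usd
        # Drop transfers that fell out of the window ending at this slot.
        while ordered[start].slot <= t.slot - window_slots:
            running -= ordered[start].amount_usd
            start += 1
        if running > window_limit_usd:
            alerts.append(("outflow_velocity", t.slot, running))
    return alerts

def hot_share_within_policy(hot_usd, total_custody_usd, max_share=0.02):
    """Exposure cap: the hot wallet may hold at most max_share of total custody."""
    return total_custody_usd > 0 and hot_usd / total_custody_usd <= max_share

if __name__ == "__main__":
    for alert in monitor(SAMPLE_TRANSFERS):
        print(alert)
```

Each rule fires on its own, so the first transfer to the unknown address is flagged before the volume limits are reached; in practice such an alert would gate the signing step rather than merely log it.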

For individual crypto users, the Upbit incident is a reminder that storing assets on exchanges, no matter how reputable or large, always carries custodial risk. Even if a platform promises compensation, withdrawals can be delayed, services can be restricted, and markets can become volatile around such news. Where possible, long‑term holders are often advised to maintain self‑custody using hardware wallets or other non‑custodial solutions, keeping only actively traded funds on exchanges.

It also underscores the particular security challenges within fast‑growing ecosystems like Solana. High throughput and low transaction fees attract developers and traders—but they also appeal to attackers looking for liquidity and exploitable infrastructure. A single compromised private key, misconfigured wallet, or flawed internal process can lead to significant losses, especially when managing large pools of tokens across multiple networks.

From a regulatory and market perspective, a $36 million loss at the country’s largest exchange is likely to draw scrutiny from financial watchdogs and policymakers in South Korea. Authorities may push for stricter standards for hot‑wallet management, mandatory insurance coverage, real‑time monitoring systems, and more frequent security audits. Exchanges could also face pressure to publish clearer transparency reports about what share of user funds is held in hot versus cold storage and what incident response plans are in place.

In the coming weeks, attention will focus on several key questions: whether Upbit can recover any of the stolen assets, how quickly full service on the Solana network resumes, whether there will be any lasting damage to user trust, and what concrete security upgrades the platform will implement. For now, the case serves as a high‑profile example of the risks embedded in crypto infrastructure—and a prompt for both companies and investors to reassess how they handle, store, and secure digital assets in a market where technical failures can translate into multimillion‑dollar losses in a matter of minutes.