Sunday, November 30, 2025

Upbit suspends deposits and withdrawals after anomalous activity in Solana tokens


Upbit suspended deposit and withdrawal services after detecting an unauthorized transfer of Solana-based assets, estimated at between USD 36 and 40 million (≈54,000 million won). The activity was detected around 04:42 KST and affected tokens including SOL, TRUMP, BONK and JUP; the platform halted trading and moved remaining assets to cold storage. The exchange framed the event as anomalous activity and initiated containment and audit procedures to protect customer liquidity.

Technical details of the incident

Upbit characterized the event as “anomalous withdrawal activity” originating from a compromised hot wallet and responded with a comprehensive operational suspension and a system audit. The unauthorized transfer was sent to an unknown address, and the firm stated that it will reimburse affected customers with its own funds, while investigating the scope of the breach and validating remediation steps.

A hot wallet is defined as a wallet connected to the Internet to facilitate quick transactions and, therefore, presents a larger attack surface than a cold wallet. The episode fits a historical pattern of vulnerabilities in online custodians: in 2023 losses totaling USD 2,380 million were recorded in similar incidents, including cases such as Mixin Network (≈USD 200 million) and Euler Finance (≈USD 197 million). In immediate response, Upbit isolated services, performed a forensic audit and moved balances to cold storage to contain risks and protect user funds.

Regulatory, operational and market implications

The incident raises questions about security controls and operational governance in centralized exchanges. Upbit already has a regulatory history: a prior fine of 35,200 million won and a temporary suspension of deposits/withdrawals due to AML/KYC measures imposed by the Financial Intelligence Unit (FIU). The recurrence of technical failures despite rigorous oversight underscores the difference between documentary compliance and real operational resilience, emphasizing the need for verifiable risk controls.

For operators and compliance teams, the practical lessons are clear: strengthen segregation of funds, review private key management procedures and validate incident response mechanisms. Speed of response and the promise of reimbursement mitigate reputational and financial impact for users, but they do not replace external proof of integrity or independent audits that certify remediations, which remain essential for restoring confidence.

Although the attack occurred on the Solana network, the associated community and memecoin markets showed immediate resilience. Upbit’s influence on token listings has previously caused significant market movements (for example, simultaneous price spikes after inclusions on the platform), which increases the systemic risk associated with operational failures at liquid, centralized exchanges. Upbit’s aspiration for a Nasdaq IPO, linked to proposed mergers with Naver, complicates the assessment of corporate governance against technological risks and places further scrutiny on the exchange’s controls.

The suspension of services and the transfer of funds to cold storage constitute the initial containment responses; the promise of reimbursement limits direct losses to users but does not eliminate the need for external security reviews. The episode reinforces the urgency to improve custody controls and to incorporate independent audits as an essential part of operational governance, with the next verified milestone being the results of the forensic audit and public communication on corrective measures and the timeline for resumption of deposits and withdrawals.

Shatoshi Pick