Upbit, a leading exchange in South Korea, suffered a severe hack that drained $37 million in tokens on Solana, forcing the platform to temporarily suspend withdrawals.
What happened to the Korean exchange Upbit?
According to a statement from Upbit, in the early hours of Thursday, anomalous withdrawals of cryptocurrencies were detected on the Solana network, amounting to approximately 54 billion Korean won, equivalent to about 36.8 million dollars.
The exchange, the largest in South Korea by volume, explained that the incident occurred around 4:42 AM local time, when a portion of the tokens was transferred to an unidentified external wallet.
However, the company has not yet disclosed technical details about the attack or the exact point of compromise, merely confirming the anomaly in the outflows on the Solana blockchain.
In the meantime, comments from leading figures in the crypto world have not been long in coming, such as that of Matěj Žák, CEO of Trezor, who had previously addressed the issue of exchange security during the TBD Conference in October:
“Exchanges are obviously massive honeypots for hackers. Independent reports estimate that more than 2.5 billion dollars has already been stolen in 2025, including a single 1.5 billion dollar breach on the Bybit exchange. And since security is a moving target, this problem is not going away.”
Which tokens on Solana are involved?
In the announcement, the platform listed the tokens affected by the unauthorized transfer on the Solana network. Among these are SOL, 2Z, ACS, BONK, DOOD, DRIFT, HUMA, IO, JTO, JUP, LAYER, ME, MEW, MOODENG, ORCA, PENGU, PYTH, RAY, RENDER, SONIC, SOON, TRUMP, USDC, and W.
This is a heterogeneous basket that includes the native crypto SOL, various tokens linked to the DeFi ecosystem and memecoins, as well as the stablecoin USDC. Overall, the amount withdrawn highlights how much of the exchange's liquidity is concentrated on the Solana network.
That said, Upbit clarified that the verifications are still ongoing and that the list of affected tokens is based on the information available at the time of the official announcement.
Withdrawals and deposits suspended: Upbit’s response to the recent hack
In response to the incident, Upbit immediately suspended withdrawals and deposits to prevent further unauthorized transfers and assess the extent of the damage.
Additionally, the exchange has stated that it has transferred all available assets into a cold wallet, that is, an offline wallet considered more secure, to reduce the risk of new attacks during the investigation phase.
This emergency procedure, already seen in other cases of security breaches in the crypto sector, aims to secure the reserves until the completion of internal forensic analyses.
Frozen tokens and cooperation with authorities
In parallel with defensive measures, the platform successfully blocked a significant portion of the stolen funds. Specifically, it announced the freezing of LAYER tokens valued at $8.18 million.
Upbit also announced that it will collaborate with individual project teams and relevant authorities to attempt to freeze the remaining stolen assets, by tracking on-chain flows and initiating blocking procedures where possible.
However, at present, no public details have been provided regarding the entities or jurisdictions involved in the investigations, nor any suspicions concerning the identity of the attackers.
Assurances for Upbit users
In its update, Upbit assured users that it will cover all user funds involved in the hack from its own reserves.
In these hours of panic, the company has emphasized that its clients will not suffer any personal losses, reiterating that the financial burden of the attack will be absorbed at the corporate level and will not fall on individual investors.
This course of action is consistent with the practices of other major centralized exchanges that, in previous cases, have used insurance funds or reserves to cover security breaches.
The next steps after the hacker attack on Upbit
The company described the incident as an ongoing event and specified that further updates will be released as new elements emerge from internal investigations and on-chain verifications.
In the short term, the priority will remain securing the infrastructure, tracking the stolen funds, and gradually restoring normal deposit and withdrawal operations once the checks are completed.

