Key Highlights
- Upbit reopens deposits and withdrawals on December 1 at 1:00 PM KST, following a roughly $37 million Solana hack.
- All old deposit addresses have been deleted; users must create new ones to avoid delays.
- Authorities suspect North Korea’s Lazarus Group and say the breach mirrors the 2019 Ethereum hack.
South Korea’s largest crypto exchange, Upbit, is reopening digital asset deposits and withdrawals on December 1 at 1:00 PM KST. This follows a major security breach last week that led to the theft of roughly $37 million worth of Solana-based tokens.
As part of its security overhaul, Upbit has deleted all existing deposit addresses across every digital asset. All users must generate new deposit addresses before sending funds, and the exchange warned that any transfers to old addresses may face delays.
In its updated notice, Upbit emphasized that this step is mandatory, saying, “Using existing addresses may result in delays in deposits.” The exchange also urged users to delete any outdated addresses saved in personal wallets or on other exchanges.
Inside the Upbit breach
On November 27, Upbit’s hot wallets were drained of Solana-based tokens, including SOL, USDC, and BONK. The exchange froze ₩12 billion in LAYER tokens and continues tracing the remaining stolen assets, while deposits, withdrawals, and SOL staking remained suspended.
The incident differs from Upbit’s 2019 breach, which focused on Ethereum, and has triggered a new government investigation. Authorities strongly suspect North Korea’s Lazarus Group, with officials noting that the attack closely mirrors methods used in past intrusions.
Investigators believe the attackers may have breached an administrator account rather than exploiting servers. One government official said, “It is possible that the administrator account was hijacked or that the funds were transferred by pretending to be the administrator.”
Upbit detected unauthorized activity at 4:42 a.m. KST and halted all transfers, moving funds to cold storage. Analysts say the breach used multi-stage malware, starting with a fake Deriv installer, and made use of Python, .NET tools, AnyDesk, and Tor to steal passwords and wallet data while staying hidden.
Getting back online safely
Upbit has pledged to cover 100% of user losses from its corporate reserves. It also worked with token foundations to freeze around $8.18 million of stolen assets, roughly 22% of the total haul.
Deposits and withdrawals are resuming in phases, starting with networks that have passed security checks. The first batch includes Akash Network’s AKT and 213 Ethereum-network tokens such as 1INCH, AAVE, LINK, GRT, SHIB, and UNI. Deposits during the suspension will post gradually as the backlog is cleared.
Some assets (those received through airdrops, delisted tokens, or coins already under separate suspension) will only support withdrawals for now. Previously paused tokens may remain unavailable until related issues are resolved.
Staking features and NFT deposits or withdrawals will restart once system stability is confirmed. The exchange said, “If any changes occur regarding the resumption, we will provide additional information through this notice,” as it continues restoring services following the breach.
