Five days after the security breach was exposed, Upbit reopened deposits and withdrawals at 1 PM on December 1, but all users must use a brand new deposit address.
South Korea's largest cryptocurrency exchange, Upbit, began phased restoration of deposit and withdrawal services on December 1, 2025, at 1 PM (KST) after experiencing a security breach.
The restoration of services follows a strict security verification process, with the first batch of reopened assets including confirmed safe digital assets such as Akash Network's AKT, Ethereum ecosystem assets 1INCH, AAVE, and others.
All digital assets will require new deposit addresses, which is a core measure of Upbit's security breach fix and wallet system maintenance.

1. Phased Restart: The Difficult Balance of Security and Efficiency
● Upbit officially announced that starting from 1 PM on December 1, deposit and withdrawal functions will be restored in phases. This gradual restart strategy reflects the exchange's difficult trade-off between security and operational continuity.
● The exchange has adopted a phased recovery strategy, with the first batch of restored services limited to those digital assets whose wallet systems have been inspected and confirmed safe for deposits and withdrawals. These assets include Akash Network's token AKT, as well as various tokens from the Ethereum ecosystem such as 1INCH, AAVE, and ADT.
● Upbit particularly emphasized that due to the security breach fix and wallet system maintenance, all digital assets will require new deposit addresses. Although this decision brings temporary inconvenience to users, it fundamentally cuts off any potential backdoors that attackers may have left behind.
● The phased recovery plan takes into account both the technical complexities and the need for market stability. The assets prioritized for trading recovery have undergone strict security checks to ensure that a hasty full restart does not lead to secondary risks.
2. Striking Similarities in Two Attacks Over Six Years
● The incident occurred at 4:42 AM on November 27, when Upbit detected abnormal outflow activities on the Solana network. Approximately 54 billion Korean won (about 36 million USD) worth of crypto assets were transferred from Upbit's Solana hot wallet to an unknown external wallet.
● History is strikingly similar—this is the second major security breach Upbit has faced in six years. On November 27, 2019, the same exchange was hacked by a North Korean hacker group, resulting in the theft of 58 billion Korean won worth of Ethereum.
● Both attacks not only fell on the same calendar date but also employed similar tactics: targeting hot wallets with precision. This temporal coincidence has led security experts to speculate about "commemorative attacks," indicating a high level of organization and provocation from the attackers.
● Upbit responded immediately, suspending all deposit and withdrawal services and transferring remaining assets to cold wallets to ensure safety. The exchange confirmed that the losses were limited to its hot wallets and emphasized that the cold wallet reserves were unaffected.
3. A Fatal Flaw at the Mathematical Level
● According to Upbit CEO Oh Kyung-seok, an emergency audit revealed a serious internal wallet vulnerability. This flaw could allow attackers to infer private keys by analyzing publicly visible Upbit wallet transactions on the blockchain.
● The issue appears to stem from a defect in Upbit's own wallet software, which generated weak or predictable signature data. This means that attackers could reconstruct certain wallets' private keys through mathematical methods by analyzing the exchange's past on-chain transactions.
● This is not a simple programming error, but a fundamental flaw in cryptographic application. Traditional security measures such as firewalls and multi-signatures are nearly ineffective against such mathematical vulnerabilities, as attackers can directly control assets without breaching these protective layers.
● Blockchain security experts refer to such vulnerabilities as "silent killers"—they lurk deep within the system, not triggering any security alerts, yet can deliver devastating blows at critical moments.
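One way an exchange can audit its own signer output for the kind of weak signature data described above, shown as an added example that is not Upbit's code or part of the original article. It assumes the weakness shows up as a repeated signature nonce, which the article does not confirm; Solana signatures are 64-byte Ed25519 values whose first 32 bytes (R) are derived from the nonce, and the record fields and wallet names below are constructed.

```python
from collections import defaultdict

# Constructed sample records: signer label, signed message id, and a 64-byte
# Ed25519 signature (R || S) as hex. All values are made up, not chain data.
R_A = "11" * 32
R_B = "22" * 32
SAMPLE = [
    {"signer": "hot-wallet-1", "message": "tx-0001", "signature": R_A + "aa" * 32},
    {"signer": "hot-wallet-1", "message": "tx-0002", "signature": R_A + "bb" * 32},  # same R, new message
    {"signer": "hot-wallet-1", "message": "tx-0003", "signature": R_B + "cc" * 32},
    {"signer": "hot-wallet-2", "message": "tx-0004", "signature": R_B + "dd" * 32},  # same R, other key
    {"signer": "hot-wallet-2", "message": "tx-0004", "signature": R_B + "dd" * 32},  # exact rebroadcast
]


def split_signature(sig_hex):
    """Split an Ed25519 signature into its R and S halves (32 bytes each)."""
    raw = bytes.fromhex(sig_hex)
    if len(raw) != 64:
        raise ValueError(f"expected 64-byte signature, got {len(raw)}")
    return raw[:32], raw[32:]


def find_reused_nonces(records):
    """Return {(signer, R hex): sorted messages} for every R value that one
    signer attached to more than one distinct message."""
    seen = defaultdict(set)
    for rec in records:
        r, _s = split_signature(rec["signature"])
        # Scope the check per signer: the nonce is tied to a single key.
        seen[(rec["signer"], r.hex())].add(rec["message"])
    return {key: sorted(msgs) for key, msgs in seen.items() if len(msgs) > 1}


if __name__ == "__main__":
    for (signer, r_hex), msgs in find_reused_nonces(SAMPLE).items():
        print(f"ALERT {signer}: R={r_hex[:16]}... reused across {msgs}")
```

An identical signature on an identical message is a rebroadcast and is not flagged; the same R on two different messages from one key is the condition that warrants retiring that key and its addresses.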
4. Precision Strikes by State-Level Hackers
South Korean authorities suspect that this attack may be related to the North Korean hacker group Lazarus. This judgment is based on the high consistency of attack methods, timing, and past cases.
● The Lazarus group is not an ordinary cybercrime organization but a state-backed professional hacking team. They are known for long-term infiltration and meticulous planning, with clear targets aimed at financial institutions and cryptocurrency exchanges.
● The organization's attack patterns are clearly strategic and sustained. The choice to launch the attack the day after Upbit's parent company Dunamu reached a $10.3 billion acquisition agreement with Naver was aimed not only at economic gain but also at provoking South Korea's financial security.
● Security researchers point out that the involvement of state-level hacker organizations complicates the security environment faced by cryptocurrency exchanges. Traditional defense strategies must be upgraded to cope with such high-level adversaries.
5. The Trust Crisis Behind Full Compensation
● Upbit has clearly committed to fully covering all customer losses with its own funds. While this decision can temporarily stabilize user sentiment, it cannot completely eliminate public doubts about the exchange's security capabilities.
● The exchange assures users that any balance losses caused by this security incident will be fully covered by its reserves. Upbit CEO Oh Kyung-seok stated, "We quickly identified the scope of digital asset outflows caused by abnormal withdrawals and will use Upbit's own funds to fully cover, ensuring that investors' assets are not lost."
● The full compensation mechanism has become a standard crisis response strategy for large exchanges, but behind it lies a harsh reality: frequent security incidents are continuously eroding user trust in centralized exchanges.
● Industry observers note that whether Upbit can successfully fulfill its compensation commitment will directly impact its leadership position in the South Korean market and may even trigger a wave of users migrating to decentralized exchanges.
6. The Necessity and Inconvenience of Changing Deposit Addresses
As part of enhanced security measures, Upbit has completely changed its deposit addresses. While this decision increases user operational inconvenience, it is a necessary measure to cut off potential risks.
● Users wishing to deposit assets must obtain the "new address" from the deposit and withdrawal page of the App or website. Upbit officially warns: "If you transfer virtual assets to the existing address, the deposit may be significantly delayed."
● The exchange also advises investors to delete the "existing Upbit addresses" registered in whitelists on other exchanges like Bithumb and Coinone or personal wallets like Metamask. This comprehensive address change strategy reflects Upbit's determination to eliminate potential security risks.
● Changing addresses may seem simple, but it involves complex technical restructuring. The exchange needs to ensure a smooth transition between new and old addresses while preventing any potential asset loss, which poses a severe test for system stability and user experience.
7. The Future of Hot Wallet Security
● This attack once again highlights the security risks of hot wallets. Hot wallets, which remain online for convenient daily transactions, are more vulnerable to attacks than offline cold wallets.
● The industry is beginning to reassess hot wallet management strategies. Some exchanges are considering shortening the retention time of assets in hot wallets, lowering the asset limits per wallet, and even exploring multi-party computation-based technical solutions to enhance security while maintaining convenience.
● Moreover, blockchain security experts point out that the vulnerability discovered by Upbit—allowing private keys to be inferred from blockchain data—represents a high-level mathematical vulnerability. The discovery of such vulnerabilities prompts the entire industry to reevaluate the actual security of existing cryptographic algorithms.
● Hot wallet security issues have become a bottleneck restricting industry development. As hacking methods continue to evolve, exchanges must find a new balance between technological innovation and risk control; otherwise, similar incidents will continue to recur.
The restoration of Upbit's services is not a simple restart but a complete reconstruction. From changing all deposit addresses to phased service recovery, every step reveals caution and vigilance. The true test of the exchange's security lies not in its ability to recover from a single attack but in its capacity to fundamentally enhance system resilience to cope with increasingly complex future threats.
In the world of digital currency, security is always a work in progress, with no one-size-fits-all solution. For Upbit and the entire industry, the next security test may just be a matter of time.