
Upbit Finds Critical Wallet Flaw After $30 Million Hack


What Did Upbit Discover After the Breach?

Upbit says an emergency audit triggered by this week’s $30 million theft uncovered a flaw in its internal wallet software that could have leaked private keys. The platform, South Korea’s largest by trading volume, disclosed that the vulnerability was found during a full inspection of its networks and wallet systems, though it did not directly tie the issue to the hack.

In a Friday notice translated from Korean, CEO Oh Kyung-seok said Upbit located “a security vulnerability in our system that could have allowed someone analyzing publicly visible Upbit wallet transactions on the blockchain to infer secret keys.” The flaw involved signature data produced by the platform’s own wallet implementation. Under normal conditions, blockchain signatures do not reveal private keys, but Upbit said its system generated weak or predictable signature patterns, making mathematical reconstruction possible.

The firm stressed that the bug was discovered only after Upbit began reviewing its infrastructure in response to irregular withdrawals from its Solana-linked wallets on Nov. 27. The platform halted deposits and an emergency response plan.

Investor Takeaway

A private-key leak caused by an implementation bug is one of the rarest and most dangerous failure types in crypto. Even if unrelated to the hack, the finding signals that wallet software—not just user endpoints—can be a single point of failure.

How Much Was Stolen and What Has Been Recovered?

Upbit confirmed total losses of 44.5 billion KRW, roughly $30 million. Of that amount, about 38.6 billion KRW (around $26 million) belonged to customers. The platform says around 2.3 billion KRW ($1.5 million) of the stolen in cooperation with partners.

In its notice, the platform said, “We identified and addressed the vulnerability during a comprehensive inspection of all related networks and wallet systems,” and added that operations will remain paused until the platform completes final security checks. Upbit also reiterated that it will cover all customer losses using its own reserves.

After the suspicious outflows were detected, the company moved remaining assets to cold storage and began a full wallet overhaul. It plans to provide continuous updates and will reopen deposits and withdrawals once the audit concludes.

Is the Lazarus Group Behind the Attack?

Authorities in . ahead intelligence assessments, reported by local media and cited by The Block, suggest may be a suspect, though neither Upbit nor regulators have confirmed this publicly.

Lazarus has been linked to multiple high-profile , including attacks on bridges, platforms and DeFi protocols. The group frequently targets wallet infrastructure and key-management systems, making Upbit’s disclosure of a private-key exposure bug notable even if it is not yet tied to this incident.

Upbit said it continues to work with law enforcement and teams to freeze and recover funds where possible.

Investor Takeaway

hacks as national-security issues when state-linked actors are suspected. Any confirmation of Lazarus involvement could lead to wider scrutiny of wallet-security standards across local platforms.

Why the Wallet Bug Raises Broader Questions

The flaw described by Upbit relates to signature generation—a core element of wallet security. If signatures follow predictable patterns or rely on flawed randomness, attackers analyzing past transactions can compute private keys and drain funds without breaching servers.

Such bugs are rare but not unprecedented. Similar vulnerabilities have appeared in faulty implementations of ECDSA and other cryptographic schemes, often linked to weak randomness or misconfigured signing libraries. Upbit’s disclosure suggests the issue came from its own proprietary software rather than from underlying blockchain code.
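One well-known instance of this class of flaw is ECDSA nonce reuse. The following is an added example, not Upbit's code (the page does not say which scheme or defect was involved): it audits a signing log for a nonce repeated across different messages and contrasts a static-nonce signer with one that derives the nonce per message. The key, messages, function names and the simplified HMAC nonce derivation are assumptions made for illustration.

```python
import hashlib, hmac
from collections import defaultdict

P = 2**256 - 2**32 - 977            # secp256k1 field prime (public constants)
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)

def add(a, b):                      # affine addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P))
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):                     # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(msg):                         # message hash reduced to a scalar
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def per_message_nonce(d, msg):      # simplified keyed derivation, not RFC 6979 itself
    mac = hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1

def sign(d, msg, k=None):           # textbook ECDSA; k=None uses the per-message nonce
    k = k or per_message_nonce(d, msg)
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h(msg) + r * d) % N

def find_reused_nonces(log):        # log rows: (pubkey, msg, r, s)
    seen, hits = defaultdict(list), []
    for row in log:
        pub, msg, r, _ = row
        # same r, different message: nonce repeated (a re-signed identical message is benign)
        hits += [(old, row) for old in seen[pub, r] if old[1] != msg]
        seen[pub, r].append(row)
    return hits

def audit(d, msgs, k=None):         # sign constructed messages with key d, audit the log
    pub = mul(d, G)
    return find_reused_nonces([(pub, m, *sign(d, m, k)) for m in msgs])
```

Any hit from `find_reused_nonces` should be treated as a compromised key: rotate it and move the funds, since the signatures involved are already public.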

The platform said the discovery serves as a reminder that “no security system can ever be considered perfect” and that a wider overhaul of its infrastructure is underway. The firm’s parent company, Dunamu, is currently pursuing a merger with Naver, the country’s largest internet conglomerate, placing added attention on how the breach and subsequent findings are handled.

What Happens Next?

Upbit will reopen deposits and withdrawals only after completing its security verification process. The platform said it is conducting an expanded audit across all wallet components, signing modules and internal communication layers. It also plans to publish further updates as new information becomes available.

For now, investigators are still determining whether the private-key exposure bug was exploited by the stemmed from a separate vector entirely. Upbit’s disclosure indicates that even mature platforms can harbor hidden weaknesses inside wallet software—often the least transparent part of centralized platforms.
