Upbit Patches Critical Wallet Vulnerability Following $30 Million Hack

South Korean cryptocurrency exchange Upbit announced that it discovered and patched a serious vulnerability in its internal wallet system while investigating a $30 million theft earlier this week. It remains unclear whether the flaw was directly linked to the hack.

According to CEO Oh Kyung-seok, the vulnerability could have allowed someone analyzing publicly visible Upbit wallet transactions on the blockchain to infer private keys—the cryptographic credentials controlling access to funds. The issue stemmed from a flaw in Upbit’s own wallet software, which produced weak or predictable signature data, potentially enabling an attacker to mathematically reconstruct certain private keys from past on-chain transactions.
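A defender can audit a wallet's own signature history for the best-known form of weak signature data, a nonce repeated across different messages. The following is an added example, not Upbit's code; the article does not say what form the weakness took, so the repeated-nonce case is an assumption, as are the Ed25519 `R || S` signature layout used on Solana, the function name `audit_signatures`, and the constructed sample records.

```python
from collections import defaultdict

ED25519_SIG_LEN = 64  # R (32 bytes, nonce commitment) || S (32 bytes)

def audit_signatures(records):
    """Flag keys that signed different messages with the same R value.

    records: iterable of (pubkey, message, signature) byte strings, e.g.
    pulled from a wallet's own on-chain transaction history.
    Returns (findings, malformed_indexes).
    """
    messages_by_key_and_r = defaultdict(set)
    malformed = []
    for index, (pubkey, message, signature) in enumerate(records):
        if len(signature) != ED25519_SIG_LEN:
            malformed.append(index)  # cannot split into R and S; review by hand
            continue
        r_value = signature[:32]
        messages_by_key_and_r[(pubkey, r_value)].add(message)

    findings = []
    for (pubkey, r_value), messages in messages_by_key_and_r.items():
        # The same message re-signed deterministically repeats R harmlessly;
        # only R shared across *different* messages indicates a nonce fault.
        if len(messages) > 1:
            findings.append({"pubkey": pubkey.hex(), "r": r_value.hex(),
                             "distinct_messages": len(messages)})
    return findings, malformed

# Constructed sample data (assumed for illustration; not real keys or signatures).
KEY_A, KEY_B = b"\xaa" * 32, b"\xbb" * 32
R1, R2, R3 = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
SAMPLE = [
    (KEY_A, b"transfer #1", R1 + b"\x10" * 32),
    (KEY_A, b"transfer #2", R2 + b"\x11" * 32),
    (KEY_A, b"transfer #3", R1 + b"\x12" * 32),  # R1 reused on a new message
    (KEY_B, b"transfer #4", R1 + b"\x13" * 32),  # same R, different key: not flagged
    (KEY_B, b"transfer #5", R3 + b"\x14" * 32),
    (KEY_B, b"transfer #5", R3 + b"\x14" * 32),  # rebroadcast of the same message
    (KEY_B, b"transfer #6", b"\x00" * 10),       # truncated signature
]

if __name__ == "__main__":
    findings, malformed = audit_signatures(SAMPLE)
    for finding in findings:
        print("nonce reuse:", finding)
    print("malformed record indexes:", malformed)
```

Any finding means the affected key should be treated as exposed: rotate it and move funds, because the repeated values are already public on-chain.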

Upbit clarified that the flaw was discovered during a systemwide review initiated after irregular withdrawals from its Solana-related wallets on November 27. The exchange activated an emergency response system, suspending all deposits and withdrawals until the infrastructure is fully verified as secure.

The hack resulted in losses totaling approximately 44.5 billion KRW (~$30 million), including 38.6 billion KRW (~$26 million) in customer assets. So far, around 2.3 billion KRW ($1.5 million) of stolen funds have been frozen. Upbit has pledged to cover all customer losses from its own reserves and is conducting a broader security review to prevent future incidents.

Authorities Investigating Lazarus Group Links

Withdrawals were halted after abnormal Solana-based outflows, including tokens such as SOL, ORCA, RAY, and JUP. Remaining assets were moved to cold storage while a full wallet overhaul is underway.

South Korean authorities have opened an investigation into the incident. Early intelligence reports cited by local media suggest potential involvement by North Korea’s Lazarus Group, though neither Upbit nor regulators have publicly confirmed this.

Upbit continues to coordinate with law enforcement and blockchain projects to recover stolen assets where possible and will resume deposits and withdrawals once final security checks are completed.

This incident underscores that even leading exchanges are not immune to vulnerabilities and highlights the ongoing challenges of securing digital asset platforms.
