Upbit Hit With $36M Solana Network Breach During Naver Partnership Launch: Exchange Vows to Cover Losses
Introduction
In a stunning turn of events, South Korean cryptocurrency exchange Upbit detected unauthorized withdrawals totaling approximately 54 billion KRW ($36 million) in Solana-based assets on November 27, 2025. The security breach, which impacted a wide array of tokens including SOL, USDC, and various DeFi and meme coins, forced the exchange to immediately suspend all Solana network deposit and withdrawal services. The incident casts a shadow over what was meant to be a day of celebration, coinciding with the announcement of a monumental 10 trillion won strategic partnership between Upbit's parent company, Dunamu, and South Korean tech giant Naver. This breach marks the most significant security incident for Upbit since the notorious 2019 hack that saw 342,000 ETH stolen, an event later attributed to North Korean hacking groups.
Exchange Responds With Emergency Measures
Upbit responded swiftly and decisively once it detected abnormal withdrawal activity. The exchange promptly halted all deposit and withdrawal services for Solana-based assets and initiated emergency inspections to assess the full scope of the damage and reinforce its security posture. Between November 26 and 27, 2025, Upbit's customer center published multiple urgent updates, documenting each step of its rapid response protocol in real time.
The company demonstrated a commitment to transparency by disclosing all wallet addresses involved in what it termed the "irregular outflow" of funds. In an official statement, Upbit assured users: "We have identified the exact amount of digital assets that were leaked, and we will fully cover the loss with Upbit’s own assets so that customers are not affected in any way." This approach of using corporate reserves to cover user losses mirrors industry best practices established by major exchanges following previous security incidents, aiming to maintain user confidence and market stability.
Scope of the Solana Ecosystem Breach
The security incident affected a diverse portfolio of Solana-based digital assets, indicating a broad targeting of Upbit's hot wallet infrastructure. The compromised tokens included the network's native cryptocurrency SOL, the stablecoin USDC, and several prominent ecosystem tokens. The full list encompasses BONK, Jupiter (JUP), Raydium (RAY), Render (RENDER), Orca (ORCA), and Pyth Network (PYTH).
The diversity of affected tokens, spanning decentralized exchange tokens (JUP, RAY, ORCA), oracle networks (PYTH), GPU rendering platforms (RENDER), and meme coins (BONK), suggests the attackers targeted Upbit's operational hot wallets rather than specific token reserves. Security experts monitoring the breach confirmed that the concentration of losses within the Solana ecosystem points to exploitation of a network-specific vulnerability rather than a cross-chain attack vector. The immediate suspension of Solana token services represented a targeted containment strategy to prevent further losses while forensic investigations proceeded.
Party-Spoiler Ruins Dunamu–Naver Merger Celebration
The timing of the security breach could not have been more ironic or damaging from a public relations perspective. November 27, 2025, was supposed to mark a transformative moment for Dunamu as it announced ambitious plans to seize global market leadership through AI- and Web3-based collaboration with Naver, South Korea's largest portal company.
The strategic partnership between Naver, Dunamu, and Naver Financial involved a monumental commitment to invest 10 trillion won over the next five years to foster domestic AI and Web3 technology ecosystems. This alliance represented one of the most significant corporate moves in South Korea's digital asset history, positioning the consortium to compete globally in the rapidly evolving Web3 landscape. The security incident immediately shifted focus from growth ambitions to fundamental security concerns, presenting Dunamu's leadership with simultaneous crisis management and strategic implementation challenges.
Six Years After the Last Upbit Hack: A Troubling Pattern
This security breach evokes troubling memories of Upbit's previous major incident in November 2019, when hackers stole 342,000 ETH from the South Korean exchange. The 2019 breach caused an initial loss of about 58 billion won, roughly $50 million at the time—a sum that now stands at approximately $1.04 billion due to Ethereum's substantial price appreciation.
The historical context reveals both similarities and differences between the two incidents. While the 2019 attack targeted Ethereum specifically, the 2025 breach focused exclusively on Solana network assets. The scale of financial impact differs significantly when measured in fiat terms at time of occurrence—$50 million in 2019 versus $36 million in 2025—though both incidents triggered immediate operational suspensions and comprehensive security reviews.
Five years after the initial Ethereum heist, in November 2024, Korean police officially confirmed that the perpetrators were alleged North Korean hacking groups Lazarus and Andariel. The National Office of Investigation based this conclusion on multiple evidence streams, including the use of North Korean IP addresses, North Korea-specific terminology (including phrases used for trivial tasks), and data obtained through cooperation with the US Federal Bureau of Investigation (FBI).
The investigation into the 2019 hack revealed sophisticated money laundering techniques. Of the stolen Ethereum, the hackers converted 57% into Bitcoin through three cryptocurrency exchanges they had designed themselves and immediately cashed out the proceeds. The remaining 43% was laundered through 51 exchanges across 13 countries, including China, the United States, Hong Kong, and Switzerland.
In October 2024, Korean authorities demonstrated the long-term nature of such investigations by seeking cooperation from Swiss judicial authorities and recovering 4.8 BTC, which they returned to Upbit. However, authorities noted that remaining countries and exchanges were reportedly refusing to cooperate with recovery efforts, highlighting the jurisdictional challenges inherent in cross-border crypto investigations.
Comparative Analysis: Exchange Security Evolution
The 2025 Upbit breach occurs within a broader context of exchange security evolution over the past decade. While the cryptocurrency industry has seen substantial improvements in security practices—including widespread adoption of multi-signature wallets, cold storage solutions, and comprehensive insurance coverage—determined attackers continue to identify vulnerabilities.
At $36 million, this incident ranks among the significant exchange breaches of 2025 but remains substantially smaller than historical precedents like the 2014 Mt. Gox hack ($470 million) or the 2018 Coincheck incident ($534 million). The attack's narrow focus on Solana network assets contrasts with the broader platform compromises seen in earlier exchange hacks, suggesting either improved security in other areas or attacker specialization.
The immediate commitment to cover losses using corporate reserves reflects an industry standard that has evolved significantly since the early days of cryptocurrency exchanges. This practice has helped prevent the catastrophic user losses that characterized early exchange failures and has contributed to greater overall market stability during security incidents.
Conclusion: Security Remains Paramount Amid Industry Growth
The Upbit breach underscores the persistent security challenges facing cryptocurrency exchanges even as the industry matures and forms partnerships with traditional tech giants. While the financial impact at $36 million is substantial, Upbit's prompt response and commitment to covering user losses demonstrate important industry maturity compared to earlier crypto exchange security failures.
For market participants and observers, this incident highlights several critical considerations. The continued targeting of hot wallet infrastructure suggests exchanges must maintain relentless focus on operational security even as they pursue strategic expansion. The coincidence of the breach with a major partnership announcement serves as a reminder that technical infrastructure must keep pace with business ambitions.
As investigations continue into the Solana network breach, the crypto community will watch closely for patterns that might connect this incident to previous attacks or reveal new vulnerability vectors specific to Solana ecosystem integrations. The response from both Upbit and broader Solana ecosystem participants will provide valuable insights into current security best practices and potential areas for industry-wide improvement.
While this breach represents a significant setback, Upbit's transparent communication and financial backing for affected users provide a template for responsible crisis management. As the exchange works to restore full Solana network services and reinforce its security framework, the incident ultimately reinforces that in cryptocurrency markets, as in traditional finance, security remains the non-negotiable foundation upon which all innovation must be built.