Upbit to Resume Deposits and Withdrawals on Dec. 1 After $37M Solana Hack: A Comprehensive Breakdown
In a significant move to restore user confidence and operational normalcy, South Korean cryptocurrency exchange Upbit has announced it will resume all digital asset deposit and withdrawal services on December 1 at 1:00 PM KST. This decision comes just days after a sophisticated security breach on November 27, 2025, which resulted in the theft of an estimated 44.5 billion KRW (approximately $37 million USD) from the exchange’s hot wallets. Unlike previous high-profile exchange hacks, this incident specifically targeted assets within the Solana ecosystem, marking a notable shift in attacker focus. Upbit’s structured recovery plan, which includes the issuance of entirely new deposit addresses for all users and the full coverage of losses from corporate reserves, underscores the evolving landscape of exchange security and risk management in the face of advanced threats, including those suspected from state-sponsored actors like the Lazarus Group.
Upbit’s official communication laid out a clear and meticulous timeline for restoring services. The resumption on December 1 is not an immediate, all-at-once event but a carefully orchestrated, phased process. The exchange stated that withdrawals and deposits would resume in phases, prioritizing network digital assets that have completed rigorous wallet system inspections and have had their security confirmed.
This cautious approach is designed to prevent secondary incidents and ensure the integrity of the rebuilt system. Furthermore, the exchange clarified that additional services, such as staking requests and NFT deposits supported by the resumed networks, would only be processed after service stability is thoroughly verified. For users, this means that while core functionality returns on December 1, some ancillary services may experience a slightly longer restoration timeline. The exchange also addressed transactions attempted during the suspension, noting that deposits made in this period will be shown sequentially once services resume, though processing may take extra time.
Perhaps the most crucial instruction for Upbit’s user base is the mandatory requirement for new deposit addresses. In its announcement, the exchange explicitly stated, "Due to security vulnerability improvements and wallet system maintenance, new deposit addresses for all digital assets are required."
This is not a mere recommendation but a critical security protocol. Upbit has deleted all existing deposit addresses as part of its post-attack security overhaul. Users must log in to their accounts and generate new, unique deposit addresses for each asset they wish to deposit. The exchange issued a stern warning: using old deposit addresses could result in significant delays or, worse, permanent loss of funds. Users are strongly instructed to delete any existing Upbit deposit addresses previously registered in their personal wallets or on other exchanges to prevent future misuse or confusion.
The November 27 security breach saw hackers make off with approximately 44.5 billion KRW ($30-36 million USD). The specific targeting of this attack is what sets it apart. The latest incident targeted Solana ecosystem tokens, with assets like Solana (SOL), USDC, and Bonk (BONK) identified as the primary targets.
This represents a strategic pivot by attackers. To provide context, Upbit suffered a major hack in 2019 where the focus was predominantly on Ethereum (ETH), resulting in a loss of around $50 million. The shift from Ethereum to Solana in this recent attack highlights how cybercriminals are continuously adapting their strategies to target growing and economically significant ecosystems. The Solana network, known for its high speed and low transaction costs, has seen a substantial increase in its Total Value Locked (TVL) and user base, making it a more attractive target for large-scale exploits than it may have been in years past.
Lingering suspicions from cybersecurity firms and government agencies point towards North Korea’s Lazarus Group as the entity responsible for planning the attack. This state-sponsored hacking collective has a long and notorious history of targeting cryptocurrency exchanges and decentralized finance (DeFi) protocols to fund its operations, amassing billions of dollars over the years.
The potential involvement of Lazarus adds a layer of geopolitical complexity to the incident. It underscores that major cryptocurrency exchanges are not just contending with independent criminal hackers but also with well-resourced, nation-state actors employing advanced persistent threats (APTs). This reality necessitates a level of security investment and international cooperation that far exceeds traditional cybersecurity measures.
In response to the hack, Upbit has undertaken several decisive actions to mitigate the damage and protect its users. First and foremost, the exchange pledged 100% coverage of user losses from its corporate reserves. This immediate commitment is crucial for maintaining trust and demonstrates a financial resilience that not all exchanges can claim. It ensures that no individual user will bear the financial brunt of the security failure.
Secondly, Upbit engaged in proactive asset recovery efforts. The company successfully worked with various token foundations to freeze approximately $8.18 million worth of specific tokens, such as LAYER. By collaborating with issuers to blacklist the stolen tokens on-chain, Upbit rendered these assets worthless to the attackers. This frozen amount represents roughly 22% of the total stolen funds, a significant recovery that demonstrates the value of industry-wide cooperation in combating theft.
Comparing this event with Upbit’s 2019 hack provides valuable insights into the evolving nature of exchange security and attacker behavior.
As services resume on December 1, users must remain vigilant and informed. Beyond generating new deposit addresses, there are several key points to consider.
Upbit has cautioned users about potential price differences that occurred during the suspension period. The market for various assets continued to fluctuate while deposits and withdrawals were frozen, meaning prices on Upbit at the moment of resumption may differ from those on other platforms.
Additionally, for certain niche assets—such as digital assets paid through airdrops, assets with ended trading support, or watchlist-designated tokens—only withdrawals will be available initially. Finally, assets that were suspended for separate reasons before the security inspection began may remain unavailable until those specific issues are resolved independently of the hack recovery.
The planned resumption of services by Upbit on December 1 marks a critical step forward from a challenging security event. This incident serves as a stark reminder of the persistent and evolving threats facing the digital asset industry. The targeted nature of the attack on the Solana ecosystem signals a maturation of hacker strategies, focusing on liquidity and growth wherever it may be found.
Upbit’s response—characterized by transparency, user asset protection, and a systematic technical rebuild—sets a professional standard for crisis management in the sector. The mandatory renewal of all deposit addresses is a clear lesson in post-breach hygiene that other platforms would do well to study.
For the broader market and vigilant observers, this event underscores several key themes: the increasing sophistication of threats from actors like Lazarus Group, the critical importance of exchange solvency and corporate reserves in safeguarding users, and the value of cross-industry collaboration in freezing and recovering stolen funds. As the industry moves forward, stakeholders should watch for how other exchanges preemptively bolster their defenses against similar ecosystem-specific attacks and how regulatory frameworks evolve in response to the involvement of state-sponsored entities. The resilience of an exchange is tested not by whether it faces an attack, but by how effectively it responds and protects its users in the aftermath.