Upbit is facing one of its most serious incidents in recent years after confirming that approximately $37 million worth of Solana-based assets were withdrawn from its hot wallet without authorisation.
The exchange detected irregular activity early Thursday morning, at around 4:42 a.m. Korean Standard Time, and immediately halted all Solana-related deposits and withdrawals to prevent further losses.
What Happened to Upbit?
According to Upbit, the incident began when its systems flagged abnormal outgoing transactions from a Solana network wallet tied to the platform.
An estimated 54 billion Korean won, equal to roughly $37 million, was drained across multiple tokens in a rapid sequence of withdrawals.
The list of affected assets includes major Solana ecosystem tokens such as SOL, JUP, JTO, PYTH, RAY, ORCA, RENDER, and USDC, alongside several smaller community and memecoin projects, including BONK, MEW, MOODENG, PENGU, DOOD, and ACS.
The broad token sweep indicates that the attacker targeted the entire contents of the hot wallet rather than selecting specific assets.
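The sweep pattern described above (many different tokens leaving one hot wallet in quick succession) can be turned into a simple detection rule. The following is an added example, not Upbit's monitoring code: it assumes a hypothetical withdrawal log of (time, token, destination, USD value) records and flags any non-internal destination that receives several distinct tokens within a short window. The sample records, address labels and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (time, token, destination, USD value).
# Addresses, times and amounts are placeholders, not data from the incident.
SAMPLE = [
    ("2025-01-01T03:00:00", "SOL",  "cust_addr_1",    500.0),
    ("2025-01-01T03:01:10", "USDC", "cust_addr_2",    1200.0),
    ("2025-01-01T03:02:00", "SOL",  "unknown_addr_X", 90000.0),
    ("2025-01-01T03:02:05", "JUP",  "unknown_addr_X", 40000.0),
    ("2025-01-01T03:02:09", "BONK", "cust_addr_3",    50.0),
    ("2025-01-01T03:02:12", "PYTH", "unknown_addr_X", 30000.0),
    ("2025-01-01T03:02:20", "RAY",  "unknown_addr_X", 20000.0),
    ("2025-01-01T03:02:31", "ORCA", "unknown_addr_X", 10000.0),
]

def detect_sweep(events, internal=frozenset(),
                 window=timedelta(minutes=2), min_tokens=4):
    """Return the first alert where one external destination has received
    at least `min_tokens` distinct tokens within `window`, else None.

    Ordinary customer withdrawals usually involve one or two tokens per
    destination, so a wide token mix to a single address is the signal.
    Thresholds are assumptions and need tuning against real traffic.
    """
    recent = defaultdict(deque)  # destination -> withdrawals inside window
    for ts_raw, token, dest, usd in events:
        if dest in internal:     # e.g. the exchange's own cold wallets
            continue
        ts = datetime.fromisoformat(ts_raw)
        q = recent[dest]
        q.append((ts, token, usd))
        # Drop withdrawals that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        tokens = {t for _, t, _ in q}
        if len(tokens) >= min_tokens:
            return {"dest": dest, "at": ts_raw,
                    "tokens": sorted(tokens),
                    "usd": sum(u for *_, u in q)}
    return None

if __name__ == "__main__":
    print(detect_sweep(SAMPLE))
```

An alert from a rule like this would typically feed an automatic withdrawal pause, which is the kind of response the exchange describes taking.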
On-chain activity shows that the drained funds were quickly moved to external addresses not associated with Upbit.
Some tokens began travelling across multiple wallets shortly after the withdrawals occurred. In certain cases, assets were bridged to other networks or split across numerous addresses to make tracking more complex.
These steps are commonly used to disrupt the traceability of stolen tokens, especially when attackers expect rapid monitoring from exchanges and analytics firms.
Upbit responded immediately by isolating the compromised wallet and freezing Solana-based transactions.
This measure prevents further unauthorised movements and ensures that remaining Solana assets held by customers are not exposed to the same vulnerability.
The platform also transferred the rest of its Solana holdings to secure cold storage, which does not maintain direct internet connectivity and is therefore significantly more secure.
Despite the scale of the loss, Upbit managed to recover a portion of the stolen assets with help from project teams.
The company reported that it successfully froze $8.18 million worth of LAYER tokens after coordinated action with the LAYER project.
Other recoveries may follow depending on the design of each token and the response of project teams. Some assets allow developers to freeze suspicious movements, while others operate fully decentralised systems where freezing is not possible.
For now, the exact method used to carry out the breach has not been made public. It remains unclear whether the attacker gained access to a private key, exploited a vulnerability within Upbit’s wallet infrastructure, or took advantage of a fault in an automated system.
The company has initiated a comprehensive forensic investigation and has announced that it will release verified findings once the analysis is complete.
As the stolen assets include a mix of high-value tokens and lower-value coins, identifying the initial point of compromise will be essential in determining whether the breach was technical, operational, or the result of an unknown external exploit.
Upbit’s history also adds context to the current event. In 2019, the exchange suffered another major security breach involving approximately $50 million worth of Ethereum.
After that incident, Upbit adopted stricter internal processes, expanded security audits, and reorganised how its wallets were managed.
The fact that the exchange still experienced another significant breach underscores the ongoing challenges exchanges face in maintaining secure hot wallet operations while supporting fast deposits and withdrawals across multiple networks.
Upbit’s Current Condition
At present, Upbit has suspended all withdrawals and deposits on the Solana network while it continues to investigate the source of the attack.
Users can still trade on the platform, but any activity requiring Solana-based transfers remains unavailable. This temporary halt is intended to prevent attackers from making additional attempts and to ensure that internal systems are checked thoroughly before services resume.
Upbit has not yet provided a timeline for when Solana withdrawals and deposits will return, but it has stated that restoring user confidence and stabilising internal systems are the current priorities.
The company has assured customers that they will not suffer financial losses as a result of the breach. Upbit will compensate all affected accounts using its reserve assets, a measure that aims to maintain trust among users who rely on the platform for daily trading.
This decision reflects the exchange’s financial strength and its commitment to protecting customer funds even in the face of large losses. Upbit’s operator, Dunamu, manages more than $11 billion in total customer assets, making it one of the most well-capitalised exchanges in the region.
The broader market is watching the situation closely. For Solana-based projects, the sudden movement of millions of tokens can create temporary pressure on liquidity, especially if some assets begin appearing on decentralised exchanges.
However, early market reactions suggest that most Solana tokens have remained stable, helped by Upbit’s rapid isolation of the affected wallet and the assurance of customer compensation.
Still, the event raises renewed questions about hot wallet security, cross-chain fund tracing, and how exchanges manage operational risks across networks that prioritise speed and scale.
Law enforcement and blockchain analytics teams are already tracking the stolen assets as they move across wallets.
As some tokens were frozen early, investigators may be able to follow interaction patterns and identify weak points where additional freezes can be placed.
The level of cooperation across project teams will be crucial, as decentralised assets without central control may become harder to retrieve once they pass through anonymity-based platforms.
For Upbit, restoring normal operation will require a complete review of the affected wallet architecture. This includes checking private key access, integration with Solana-based tooling, and the security measures used to manage automated transfers.
Exchanges must balance convenience and speed with strong security protections, and this incident will likely lead to even tighter risk controls across the platform.
Once the investigation concludes, Upbit is expected to share an update outlining technical causes, lessons learned, and new security measures to prevent similar incidents in the future.
Conclusion
Upbit is now managing the fallout of a $37 million breach involving its Solana hot wallet. Although the scale of the attack is significant, the exchange’s swift action, including freezing assets, moving funds to cold storage, and committing to full user compensation, has helped maintain market stability.
While investigators continue tracing the movement of stolen tokens, Upbit must also rebuild confidence by clarifying the details of the breach and reinforcing its security systems.
The coming weeks will determine how quickly the exchange can restore full Solana network functionality and how this incident shapes security standards across the wider digital asset ecosystem.
