
What To Know:
- Upbit’s $36 million breach shows signs of a long-term intrusion.
- The exchange froze withdrawals, shifted assets to cold storage, recovered a portion of funds and pledged full reimbursement to users from company reserves.
- South Korea’s financial regulator has opened an investigation into Upbit’s reporting and data handling, with potential restrictions on new user sign-ups under consideration.
Security researchers have revealed that Upbit, one of South Korea’s largest crypto exchanges, may have been infiltrated by an advanced persistent threat group for an extended period. This led to a hot wallet breach that exposed weaknesses in internal key management and network security. The cold wallets are secure, the company said, but the incident has raised questions about long-standing vulnerabilities at major trading platforms.
Upbit: May Have Been Infiltrated by Advanced Persistent Threat Group
According to an analysis by cybersecurity firm GoPlus, several factors point to a sophisticated and patient attacker. The breach occurred on November 27, the same date as a high-profile hack in 2019 that resulted in losses of about $50 million. The timing was notable: transfers began just hours after Dunamu, the exchange's operator, announced a major merger with Naver. GoPlus highlighted the attack speed, the techniques used and the symbolic timing as characteristics consistent with the Lazarus group.
💭 The Upbit @Official_Upbit breach raises some serious questions:
Hot wallet breach points to key management failures & internal network vulnerabilities. Cold wallets remain secure.
What stands out:
1⃣ "Anniversary attack" – Same date as 2019's $50M hack (6 years ago)… — GoPlus Security 🚦 (@GoPlusSecurity) November 28, 2025
The immediate toll was significant. Upbit reported roughly $36 million in unauthorized transfers from the Solana ecosystem, affecting SOL, USDC and multiple tokens native to that network. The exchange said it froze abnormal withdrawals, moved assets to cold storage and worked with blockchain projects and law enforcement to trace funds. Upbit also said it had frozen about 12 billion won worth of LAYER tokens and pledged to reimburse affected users from company funds.
Investigators traced a trail of transfers routed through multiple decentralized exchanges and mixing paths, a pattern consistent with complex money laundering. About 2,200 SOL tokens were moved to Binance, according to blockchain tracking. That movement raised concerns that the attacker planned to obfuscate the origin of the funds and evade oversight.
Upbit’s CEO, Oh Kyung-seok, issued a notice to users and emphasized protection of customer assets. “Upbit immediately suspended deposit and withdrawal services and conducted a comprehensive inspection,” he wrote. “We will cover the entire amount with Upbit assets to ensure no damage to members’ assets.” The promise of full compensation was intended to stabilize market confidence and limit withdrawals.
That development has tested user trust. Research shows that confidence in exchanges falls sharply after public breaches, reducing user engagement and capital flows. Trust can be repaired through transparent disclosures and timely compensation. Upbit’s public statement and pledge to reimburse users are steps in that direction. They may not, however, erase reputational damage.
South Korean regulators have opened scrutiny into the exchange’s reporting and data handling. Reports indicate the financial regulator is investigating possible delays in reporting the incident and data management practices. One media outlet suggested a temporary halt to new user sign-ups could be among the regulator’s options.
Security analysts worry about the implications of an extended intrusion. An advanced persistent threat that remains inside systems undetected can study internal processes, craft precise withdrawal operations and choose moments of symbolic impact. The anniversary timing, the corporate news and the rapid fund transfers increase suspicion that this was not a simple opportunistic theft but rather the product of months of reconnaissance.
The broader crypto industry faces another reminder that custody and internal controls are critical. Exchanges must toughen key management, segregate responsibilities and strengthen internal network defenses. Blockchain tracing can recover fragments of stolen value, but prevention remains the most effective safeguard.
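The controls named above (limits on what a hot wallet may sign, separation of duties, and keeping the bulk of funds in cold storage) are concrete enough to sketch as code. The following is an added illustration written for this article; it is not Upbit's, Dunamu's or GoPlus's code, and every threshold, operator id and transaction in it is constructed. It shows a hot-wallet signer policy that blocks a release when a single transfer is too large, when the rolling per-asset outflow exceeds a velocity cap, or when a large transfer carries fewer than two distinct approvers, plus the sweep calculation that keeps hot-wallet exposure under a cap.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    ts: int              # unix seconds (constructed for the demo)
    asset: str
    amount: float
    approvers: tuple     # ids of operators who signed off on this transfer (constructed)


class HotWalletGuard:
    """Policy checks a hot-wallet signer applies before releasing funds.

    per_tx_limit:       largest single transfer the hot wallet may sign
    window_sec/limit:   rolling-window outflow cap per asset (velocity)
    dual_control_above: transfers at or above this size need two distinct approvers
    All thresholds are constructed for this example, not real exchange settings.
    """

    def __init__(self, per_tx_limit, window_sec, window_limit, dual_control_above):
        self.per_tx_limit = per_tx_limit
        self.window_sec = window_sec
        self.window_limit = window_limit
        self.dual_control_above = dual_control_above
        # asset -> deque of (ts, amount) for transfers that were actually released
        self._recent = defaultdict(deque)

    def _window_total(self, asset, now):
        q = self._recent[asset]
        while q and now - q[0][0] > self.window_sec:   # drop entries outside the window
            q.popleft()
        return sum(amt for _, amt in q)

    def evaluate(self, w: Withdrawal) -> list:
        """Return the list of policy violations; an empty list means the transfer may proceed."""
        reasons = []
        if w.amount > self.per_tx_limit:
            reasons.append("per_tx_limit")
        if self._window_total(w.asset, w.ts) + w.amount > self.window_limit:
            reasons.append("velocity")
        if w.amount >= self.dual_control_above and len(set(w.approvers)) < 2:
            reasons.append("dual_control")
        return reasons

    def process(self, w: Withdrawal):
        """Release the transfer or block it, returning (decision, reasons)."""
        reasons = self.evaluate(w)
        if reasons:
            return ("blocked", reasons)
        self._recent[w.asset].append((w.ts, w.amount))
        return ("released", [])


def sweep_to_cold(hot_balance, hot_cap):
    """Amount to move to cold storage so the hot wallet never holds more than its cap."""
    return max(0.0, hot_balance - hot_cap)


def run_demo():
    guard = HotWalletGuard(per_tx_limit=500, window_sec=600,
                           window_limit=1000, dual_control_above=200)
    # Constructed feed: routine customer withdrawals, then a burst that resembles a drain.
    feed = [
        Withdrawal(1000, "SOL", 12, ("op-a",)),
        Withdrawal(1300, "SOL", 8, ("op-b",)),
        Withdrawal(5000, "SOL", 300, ("op-a", "op-b")),
        Withdrawal(5060, "SOL", 400, ("op-a", "op-c")),
        Withdrawal(5120, "SOL", 450, ("op-b", "op-c")),   # pushes the 10-minute window over 1000
        Withdrawal(5150, "SOL", 900, ("op-a",)),          # oversized and only one approver
        Withdrawal(5200, "USDC", 150, ("op-a",)),         # separate asset window, below dual-control size
    ]
    return [guard.process(w) for w in feed]


if __name__ == "__main__":
    for decision, reasons in run_demo():
        print(decision, reasons)
    print("sweep to cold:", sweep_to_cold(6200, 5000))
```

The velocity window only counts transfers that were actually released, so a blocked burst does not poison the window for later legitimate traffic; the cap on hot-wallet balance bounds what any single compromise of the signer can move at all. None of these checks stops an intruder who has already obtained two operators' credentials, which is why they sit alongside the network segmentation and key-management hardening the article calls for rather than replacing them.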
Upbit continues its investigation while cooperating with partners and authorities. Users are watching closely. The exchange has promised compensation and heightened security. Only a full forensic report will reveal the scope and duration of the intrusion, and whether the signs pointing to an advanced persistent threat will be confirmed.
Analysts say recovery depends on clear forensic findings, stronger controls, demonstrable transparency and sustained leadership.
