Upbit to restart deposits on December 1 after $37 million Solana wallet hack
South Korean cryptocurrency exchange Upbit has announced that it will reopen digital asset deposits and withdrawals on December 1 at 1:00 PM KST, following a major security breach that resulted in roughly $37 million worth of Solana-based tokens being stolen.
As part of the restart, the platform is enforcing a complete overhaul of user deposit infrastructure. All previously issued deposit addresses have been permanently disabled, and every customer will be required to generate new wallet addresses before sending any funds to the exchange.
Full reset of deposit addresses
Upbit stated that every deposit address tied to user accounts has been deleted as part of its security hardening measures. The company emphasized that this reset applies to all supported cryptocurrencies, not just Solana ecosystem assets.
Users are being urged to:
– Log into their Upbit accounts and request new deposit addresses for each digital asset they intend to use.
– Remove or update any old Upbit deposit addresses previously stored in personal wallets, mobile apps, hardware wallets, or on other exchanges.
– Avoid sending funds to any outdated address, as doing so may cause significant delays and, in some cases, may require manual intervention to recover deposits.
The exchange warned that attempting to use legacy addresses following the restart could lead to processing issues, slower crediting times, or additional verification steps.
Details of the November 27 breach
The incident took place on November 27, 2025, when attackers gained unauthorized access to one of Upbit’s hot wallet systems. Approximately 44.5 billion KRW in assets (estimated at between $30 million and $36–37 million USD) was siphoned off in the attack.
Unlike the 2019 breach, which mainly impacted Ethereum (ETH) held by the exchange, the latest exploit focused on the Solana ecosystem. The stolen funds largely consisted of:
– Solana (SOL)
– USD Coin (USDC) on Solana
– Meme token Bonk (BONK)
– Other tokens within the Solana-based environment
South Korean investigators have indicated that the tactics and patterns resemble those of the Lazarus Group, a cybercrime organization widely believed to be linked to North Korea. While the investigation is ongoing, authorities consider the group a prime suspect behind the operation.
Exchange to cover all customer losses
Upbit has pledged to fully compensate users affected by the theft using its own corporate reserves. According to the exchange, no customer will directly bear the financial loss resulting from the compromised hot wallet.
Immediately after detecting the suspicious transfers, the platform froze all deposits and withdrawals to prevent further damage and to initiate a forensic review of its infrastructure. Throughout the suspension period, the exchange continued to operate trading services for assets already held on the platform, while working on security enhancements in the background.
Cooperation with token projects and frozen assets
In response to the incident, Upbit collaborated with token issuers and project teams to mitigate the impact of the stolen funds. Through coordinated efforts, roughly $8.18 million worth of specific tokens, including LAYER, were frozen.
These frozen tokens are effectively rendered unusable for the attackers, as they can no longer be transferred or sold on compliant platforms. The secured amount represents about 22% of the overall value taken during the breach, meaning a sizable fraction of the stolen assets has been neutralized.
Phased reopening of services
Deposits and withdrawals will not resume for all coins and tokens at once. Instead, Upbit will bring services back online in a staged manner:
– At first, only assets whose wallet systems have passed new security checks and maintenance reviews will be reactivated.
– Additional assets will be added over time as their networks complete inspections and stability tests.
– Staking services and NFT deposits linked to networks that have been cleared will restart only after the company confirms stable operation under the new safeguards.
Any deposits sent during the shutdown period will start appearing in user accounts after the restart, processed sequentially in the order they were received. Upbit cautions that these backlog transactions may take extra time to reconcile and display.
Important notes for users
Upbit is advising customers to be aware of several practical issues surrounding the restart:
– Price discrepancies: Market prices may have shifted significantly during the suspension. Balances will be restored as they were, but users should recognize that the fiat value of their assets could differ from its value at the time of the hack.
– Airdropped tokens: For assets distributed via airdrops, only withdrawal functionality may resume in some cases, with no guarantee of renewed trading support.
– Delisted or unsupported assets: Coins and tokens that previously lost trading support or were placed on watchlists may remain limited to withdrawals only.
– Pre-existing suspensions: Any assets that were already under separate suspension before the hack-related maintenance may stay unavailable until their original issues are resolved.
Users are encouraged to double-check the current status of each asset before initiating transactions after December 1.
Why Upbit is forcing new wallet addresses
Resetting every deposit address may seem drastic, but it reflects how centralized exchanges typically react to severe security incidents. By invalidating all existing addresses and deploying a refreshed wallet infrastructure, Upbit aims to:
– Remove any lingering vulnerabilities tied to old address-generation or key-management systems.
– Prevent attackers from exploiting previously compromised infrastructure in follow-up attacks.
– Ensure new addresses adhere to updated policies, security modules, or monitoring tools introduced after the breach.
This approach also allows the exchange to integrate more robust internal controls, including improved risk monitoring, transaction analysis, and anomaly detection across all networks it supports.
Hot wallets, cold storage, and security trade-offs
The incident again highlights the inherent risk of hot wallets, which are online wallets connected to the internet and used to facilitate rapid deposits and withdrawals. While hot wallets are essential for providing instant liquidity and a smooth trading experience, they present a larger attack surface than cold storage, which keeps private keys offline.
Exchanges typically store only a fraction of client funds in hot wallets, with the majority held in cold wallets that are far more difficult to compromise. The fact that Upbit could commit to fully covering customer losses suggests that a substantial portion of its reserves remained untouched in secure storage.
This balance between user convenience and security is a constant tension for centralized platforms. New hacks in the industry often lead to updated policies, greater segmentation of wallets, and more conservative exposure limits on hot wallets.
Regulatory and compliance implications
As one of South Korea’s largest crypto trading platforms, Upbit operates in a tightly watched regulatory environment. Large-scale hacks not only affect users but also draw attention from financial regulators concerned with consumer protection, anti-money laundering controls, and systemic risk.
The suspected involvement of the Lazarus Group adds a geopolitical and sanctions-compliance dimension. Funds linked to sanctioned actors can trigger international scrutiny and may force exchanges to upgrade their screening tools, transaction monitoring systems, and reporting mechanisms.
Regulators in the region have already signaled an intention to apply stricter oversight to exchanges, particularly around security standards and risk management frameworks. Incidents like this are likely to accelerate demands for more transparent audits, mandatory insurance policies, or capital buffers to protect end users.
What Upbit users should do now
For current Upbit customers, the most immediate steps are operational:
1. Log in after the restart time and confirm which digital assets are fully supported for deposits and withdrawals.
2. Generate new deposit addresses for each cryptocurrency you intend to send to the exchange.
3. Update saved addresses in your personal wallets, mobile apps, browser extensions, or exchange accounts where Upbit addresses may be stored.
4. Avoid using any old QR codes or address records, even if they appear valid; always copy the freshly generated address from your Upbit account.
5. Monitor your account over the first few days after services resume for delayed deposits or unexpected behavior and follow official support instructions if issues arise.
Users who received airdropped tokens or hold assets that lost trading support should check whether those tokens are now limited to withdrawals only, and plan their portfolio decisions accordingly.
Broader lessons for crypto investors
The Upbit hack is another reminder that even large, well-known exchanges can be targeted successfully. While customers may be reimbursed in this case, prolonged service suspensions, address resets, and uncertainty can still be disruptive.
Investors can reduce their exposure to such events by:
– Using non-custodial wallets for long-term holdings and limiting exchange balances to what is actively needed for trading.
– Regularly reviewing saved deposit addresses, especially after major security announcements from platforms.
– Staying informed about security alerts, maintenance notices, and asset status updates issued by exchanges they use.
Looking ahead
With deposits and withdrawals scheduled to resume on December 1, Upbit is attempting to restore user confidence and normalize operations after one of the largest Solana-focused exchange hacks to date. The company’s commitment to fully covering losses from corporate reserves, combined with its decision to scrap all existing deposit addresses, signals an aggressive stance on damage control and security reinforcement.
However, the long-term impact will depend on how effectively the new wallet system performs, whether any additional vulnerabilities emerge, and how regulators view the incident. For the wider crypto ecosystem, the hack serves as another case study in the high stakes of centralized custody and the evolving tactics of state-linked cybercriminal groups.
