CeFi | Critical

CeFi – Upbit Solana Hot-Wallet Exploit

Exchange: Upbit

Chains: Solana

Occurred: 11/26/2025, 7:42:00 PM

Summary

Upbit detected abnormal withdrawals in Solana-network assets: approximately ₩540B (~$36–38M) in Solana-based tokens were transferred from an Upbit hot wallet to an unauthorized external address, prompting an immediate halt to all deposits and withdrawals.

Estimated loss: $37.0M
Assets impacted: SOL, USDC, BONK, JUP, RAY, LAYER, ORCA, PYTH, RENDER
Status: Confirmed abnormal Solana hot-wallet withdrawals

What happened

In the early hours of November 27, 2025 (KST), Upbit observed abnormal withdrawals affecting a set of Solana-network tokens. Around 04:42 KST, the exchange identified that Solana-ecosystem assets had been transferred from an Upbit-controlled hot wallet to an external address that was not designated internally. In response, Upbit triggered an emergency shutdown of all digital asset deposits and withdrawals, initiated a review of its wallet systems, and began moving remaining Solana-based funds from hot wallets to cold storage to prevent further loss.

Timeline

  1. T0 – 2025-11-27 04:42 KST: Abnormal Solana withdrawals detected
    Upbit detects that a subset of Solana-network assets has been withdrawn from an exchange-controlled hot wallet to an unauthorized external address.
  2. T1 – Emergency halt of deposits and withdrawals
    To protect customer assets, Upbit suspends all digital asset deposits and withdrawals and announces an urgent inspection of its wallet system.
  3. T2 – Containment: funds moved to cold storage, partial freezes
    Remaining Solana-based assets are transferred from hot wallets to cold storage, and a portion of attacker-linked funds (including a significant LAYER position) is frozen with the cooperation of counterparties.
  4. T3 – Public explanation and compensation commitment
    In notice 5800, Upbit explains the abnormal Solana-network withdrawals, apologises to users, and states that all losses will be covered using Upbit’s own assets, with no impact on customer balances.
  5. T4 – Phased resumption with new deposit addresses
    Following additional security work, Upbit begins sequentially reopening deposits and withdrawals on selected networks and requires all users to generate new deposit addresses, invalidating previously issued addresses.

Impact

Upbit stated in its official notice that the loss from the abnormal Solana-network withdrawals would be covered using the exchange’s own assets, with no reduction in customer balances. During the incident and subsequent inspection period, users experienced halted deposits and withdrawals across the platform and temporary delays in accessing funds while the scope of the incident and security measures were evaluated.