South Korean cryptocurrency markets were rocked by a dramatic and unexpected event. The Upbit exchange, the country's leading exchange by trading volume, suspended deposits and withdrawals of digital assets on 27 November, following a hacking attack that stole some 44.5 billion won ($32 million) in tokens based on the Solana network.
Upbit's Theft and Immediate Response
The breach occurred at around 4:42am local time, involving 24 Solana-based assets, including SOL, JUP, ORCA and BONK, which were transferred without authorisation from an operational hot wallet to undesignated external wallets. Upbit immediately confirmed that the reserves held in its cold wallets were not compromised and promptly moved all remaining assets into safe custody.
In a statement to reassure customers, the CEO of Upbit, Oh Kyung-seok, pledged to cover the entire loss using the platform's reserves. Upbit's operator, Dunamu, also revised downwards its initial damage estimate from 54 billion won after a recalculation of prices.
In addition, the exchange acted by freezing about 2.3 billion won in Solayer on-chain, working with authorities and project teams to track the remaining funds, most of which remain unrecovered.
Hyperbolic Premiums on the Local Market
Despite the alert and suspension of services, the local market reacted abnormally. By mid-afternoon South Korean time, Solana-based tokens were trading on Upbit with double-digit gains.
CryptoQuant CEO Ki Young Ju said noted that Korean traders started to drive up prices as arbitrage bots, which normally align Korean and international prices, stopped working.
Upbit got hacked and paused withdrawals, but Koreans are pumping alts since arbitrage bots are no longer running. pic.twitter.com/Y1AnRDqrgz
- Ki Young Ju (@ki_young_ju) November 27, 2025
This interruption created an immediate disconnect, highlighting how much Korean retail relies on Upbit. Disparities spiked: ORCA traded at a 95.6% premium to global prices. Similarly, Meteora traded at an 82% premium and Raydium at a 46% premium, driven by local buying pressure alone.
Review and lack of timing
Upbit initiated a comprehensive security review of the entire deposit and withdrawal system before services resumed. The exchange emphasised that the breach only affected the hot wallet for operational liquidity. However, no technical details on the cause of the breach were disclosed.
The exchange, which operates under the Korean regulatory framework, will resume deposit and withdrawal services sequentially as soon as security reviews confirm its stability.
However, Upbit did not provide a specific timeline for the completion of the audit or the restoration of normal operations. The $32 million loss ranks among the largest breaches in 2025, but is a far cry from the largest historical exploits.
