Upbit is investigating a major security incident after tens of millions of dollars in Solana-based tokens were drained from one of its hot wallets. The exchange has halted all transfers and launched a forensic review, marking one of the largest Korean exchange breaches in recent years.
A High-Speed Drain on Solana Triggers Emergency Response
Upbit disclosed that an attacker managed to access a Solana hot wallet and move funds across a wide mix of tokens before the exchange could react. On-chain data shows dozens of assets were swept into an unidentified address, including SOL, BONK, JUP, RAY, PYTH, RNDR, USDC, and several smaller ecosystem tokens.
Learn more: NFTPlazas Explains: A Completed Guide about Solana
The withdrawals were executed within a tight window, a pattern security analysts say is common in Solana-related breaches because of the network’s fast finality. Once a private key is compromised, an attacker can move through token balances quickly, leaving little room for defensive intervention.
Upbit moved quickly after detecting the breach, freezing all deposits and withdrawals while it worked to contain the damage. The exchange said customer balances were unaffected and that losses from the compromised wallet will be covered using corporate funds. That message helped calm nerves in the Korean market, where Upbit dominates local trading activity and plays a central role in liquidity.
Investigation Expands as Upbit Rebuilds Wallet Infrastructure
Work behind the scenes has intensified. Upbit’s security team is rotating keys, deploying new wallets and isolating infrastructure connected to the breached address. The exchange is also coordinating with Solana developers and outside forensic firms to track the attacker’s movements and prevent the stolen assets from reaching other trading platforms.
The Solana blockchain itself was not affected, but the incident has revived a long-running debate around hot-wallet safety on high-throughput networks. Exchanges maintain limited hot-wallet balances for operational liquidity, but Solana’s fast settlement leaves little time to block unauthorized transfers once a key is compromised.
This is not unfamiliar territory for Upbit. After its 2019 hack, the exchange shifted most of its holdings into cold storage. Even so, the latest breach shows that keeping a minimal hot-wallet footprint does not eliminate exposure if access credentials are compromised.South Korean regulators, who have tightened oversight under the Virtual Asset User Protection Act, are expected to review the incident closely.
Market Impact and What Comes Next
Market reaction to the breach was limited, with traders citing Upbit’s swift disclosure and its commitment to absorb the loss as key factors stabilizing local liquidity. Korean trading pairs held steady while investigators continued to track movements from the compromised wallet.
The incident has renewed scrutiny of centralized exchanges’ dependence on hot wallets, particularly on high-speed networks such as Solana, where unauthorized transfers can be executed before security systems detect them. Analysts said the combination of rapid settlement and online wallet exposure remains a structural vulnerability for the industry.
Upbit aims to restore deposit and withdrawal services only after its new wallet infrastructure passes security audits. The exchange is expected to publish a full breakdown of the incident once investigators complete their work, a report that regulators and industry operators will be watching closely.
The breach highlights ongoing operational risks at the custodial layer, even when the underlying blockchain remains secure. With Solana’s trading share rising, exchanges are likely to face closer scrutiny over how they manage real-time liquidity and protect wallets that must remain online.
