Thursday, November 27, 2025

Upbit Hot Wallet Hack Explained: Solana Outflows, Risks and Blockchain Monitoring

Global News
By Scorechain Team

On November 27, 2025, Upbit published an updated incident notice confirming that an abnormal withdrawal had taken place from one of its Solana-network hot wallets. In Notice ID 5800, the exchange reported that 44.5 billion KRW in digital assets had been transferred to unknown external wallets at 04:42 KST. The 44.5 billion KRW figure is Upbit's revision of its initial estimate of 54 billion KRW, made after adjusting for market prices at the time. In response, the exchange suspended all Solana deposits and withdrawals, isolated the compromised wallet and moved remaining assets into cold storage, assuring users that all losses would be covered by corporate funds.

The attack involved more than twenty Solana-based tokens, including SOL, USDC, BONK, RENDER, LAYER, JUP, PYTH, ORCA and TRUMP. Hundreds of transfers were executed within minutes, indicating that the attacker had gained private-key access and deployed automated draining scripts. The pattern across unrelated assets supports Upbit’s statement that the breach originated from the hot wallet environment rather than the Solana protocol itself.

Upbit Announcement

Blockchain activity prior to the exploit shows that the destination wallets used in the attack were newly created, a common tactic to reduce traceability. Upbit confirmed that approximately 2.3 billion KRW worth of LAYER tokens were successfully frozen in collaboration with the Solayer team. The rest of the drained tokens remain idle at the time of writing, although further movements are expected as the attacker attempts to move funds across chains.

From a compliance standpoint, the incident underscores the importance of real-time on-chain monitoring for multi-asset hot wallets. With Upbit having publicly disclosed all affected addresses, VASPs and financial institutions can screen for exposure and update internal risk scoring. Historically, attackers moving Solana-based stolen assets often bridge them through Wormhole or similar cross-chain infrastructures before fragmenting them into stablecoins, making early detection crucial.

Regulators, including those implementing the Korean Virtual Asset User Protection Act and FATF guidelines, emphasize strong key management, minimal hot-wallet balances and anomaly detection. This incident demonstrates how quickly liquidity can be drained once a single operational key is compromised, especially in a high-throughput environment like Solana.
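The drain pattern described in this article (hundreds of transfers within minutes, across unrelated tokens, to newly created wallets) can be expressed as a sliding-window rule over a hot wallet's outflows. The sketch below is an added example, not Scorechain's or Upbit's code; the thresholds, the tuple layout and the sample data are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from Upbit or Scorechain.
WINDOW = timedelta(minutes=5)
MIN_TRANSFERS = 20         # outflows inside one window
MIN_DISTINCT_TOKENS = 5    # unrelated assets leaving together
MIN_NEW_DEST_RATIO = 0.8   # share of transfers going to never-seen addresses


def detect_drain(transfers, known_destinations):
    """Return an alert dict for the first drain-like burst, else None.

    transfers: time-sorted (timestamp, token, destination) tuples, all
    outgoing from one monitored hot wallet.
    known_destinations: addresses the wallet has paid before.
    """
    window = deque()
    for ts, token, dest in transfers:
        window.append((ts, token, dest))
        while ts - window[0][0] > WINDOW:   # drop transfers older than WINDOW
            window.popleft()
        if len(window) < MIN_TRANSFERS:
            continue
        tokens = {t for _, t, _ in window}
        new = sum(1 for _, _, d in window if d not in known_destinations)
        ratio = new / len(window)
        if len(tokens) >= MIN_DISTINCT_TOKENS and ratio >= MIN_NEW_DEST_RATIO:
            return {"at": ts, "transfers": len(window),
                    "tokens": sorted(tokens), "new_dest_ratio": ratio}
    return None


def sample_streams():
    """Constructed sample data: routine payouts, then a multi-token burst."""
    t0 = datetime(2025, 1, 1, 4, 0)
    known = {f"customer{i}" for i in range(10)}
    # Routine: one SOL or USDC withdrawal per minute to known customers.
    routine = [(t0 + timedelta(minutes=i), ("SOL", "USDC")[i % 2],
                f"customer{i % 10}") for i in range(30)]
    # Burst: 40 transfers 2 seconds apart, 8 tokens, 5 never-seen destinations.
    tokens = ["SOL", "USDC", "BONK", "RENDER", "LAYER", "JUP", "PYTH", "ORCA"]
    burst = [(t0 + timedelta(minutes=42, seconds=2 * i), tokens[i % 8],
              f"fresh{i % 5}") for i in range(40)]
    return known, routine, burst
```

On the constructed data the rule stays silent during routine payouts and fires on the 20th burst transfer, 38 seconds after the burst begins. The new-destination ratio is what keeps a legitimate batch payout to known customers from triggering it.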

To support monitoring efforts, a structured dataset containing 50 confirmed destination addresses (main account) linked to the exploit has been prepared. The file includes address identifiers, estimated values in USD, transaction counts and first/last activity timestamps.

Download the address dataset
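One way a VASP could use the address dataset described above for exposure screening, covering both direct deposits and deposits a few hops downstream of a listed address. This is an added example, not Scorechain's code; the CSV column names, the placeholder addresses and the transfer ledger are constructed assumptions, and the real file's layout may differ.

```python
import csv
import io
from collections import deque

# Constructed stand-in for the dataset; column names are assumptions.
FLAGGED_CSV = """address,estimated_usd,tx_count
FLAGGED_ADDR_A,1200000,14
FLAGGED_ADDR_B,350000,6
"""

# Constructed transfer ledger: (sender, receiver, token, amount).
TRANSFERS = [
    ("FLAGGED_ADDR_A", "hop1", "USDC", 500_000),
    ("hop1", "hop2", "USDC", 250_000),
    ("hop2", "deposit_carol", "USDC", 100_000),
    ("FLAGGED_ADDR_B", "deposit_alice", "SOL", 900),
    ("hop1", "deposit_bob", "USDC", 240_000),
    ("clean_wallet", "deposit_dave", "USDC", 10_000),
]


def load_flagged(csv_text):
    """Read the flagged address set from CSV text."""
    return {row["address"] for row in csv.DictReader(io.StringIO(csv_text))}


def hop_distances(flagged, transfers, max_hops):
    """Breadth-first search downstream of flagged addresses: {address: hops}.

    Simplification: follows every outgoing edge regardless of time order or
    amount, so it over-includes; hits are candidates for analyst review.
    """
    outgoing = {}
    for sender, receiver, _, _ in transfers:
        outgoing.setdefault(sender, set()).add(receiver)
    dist = {addr: 0 for addr in flagged}
    queue = deque(flagged)
    while queue:
        addr = queue.popleft()
        if dist[addr] == max_hops:      # do not expand past the hop limit
            continue
        for nxt in outgoing.get(addr, ()):
            if nxt not in dist:
                dist[nxt] = dist[addr] + 1
                queue.append(nxt)
    return dist


def screen_deposits(deposit_addresses, flagged, transfers, max_hops=2):
    """Map each exposed deposit address to its hop distance from a flagged one."""
    dist = hop_distances(flagged, transfers, max_hops)
    return {a: dist[a] for a in deposit_addresses if a in dist}
```

The hop distance can feed internal risk scoring: a distance of 1 is direct exposure, while larger distances call for a look at amounts and timing before action is taken.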

Scorechain Graph Analysis

The graph above illustrates how funds flowed into the compromised Upbit hot wallet before the unauthorized withdrawals occurred. Multiple Upbit-operated wallets supplied routine operational liquidity, with several high-value transfers — including 461,080 USD and 380,760 USD — arriving in quick succession. This confirms the wallet’s active operational role before the breach. The clustering of timestamps shortly before the incident suggests that the attacker acted once the wallet held sufficient value, consistent with a private-key compromise. This visual snapshot helps clarify how the wallet was funded and why significant losses occurred so rapidly once unauthorized access was gained.

Further Observations

The combination of the dataset and the visual analysis helps reconstruct pre-exploit behaviour, identify irregular movement patterns and understand how the attacker timed the unauthorized withdrawals. Scorechain’s analytics capabilities allow institutions to trace flow paths, detect unusual activity, monitor cross-chain movements and strengthen their internal monitoring frameworks in the aftermath of incidents like this.

As the situation develops, continued monitoring of the attacker’s addresses will be important. Any new movement such as bridging, consolidation or exchange interactions will provide further insight into the methods used to move the stolen funds. With an increasingly interconnected ecosystem, clear visualisation and structured intelligence remain essential for assessing potential risks and preventing further exposure.
