Acquisition followed by theft: Upbit falls into security crisis again, done by North Korean hackers?

Author: Chloe, ChainCatcher

South Korean cryptocurrency exchange Upbit disclosed that it detected abnormal withdrawal activity around 4 AM today, with approximately 44.5 billion won (about 30.43 million USD) worth of Solana network assets (including SOL, USDC, and a number of smaller tokens) being transferred to an unspecified external wallet. Upbit stated, “We immediately confirmed the asset outflow caused by the abnormal withdrawal and will cover the entire amount with Upbit's assets to ensure that user assets are not harmed.”

Upbit has now frozen approximately 2.3 billion KRW (around 1.57 million USD) in funds, while other assets are still being tracked.

The exchange quickly locked down its infrastructure after the incident, transferring all assets to secure cold wallets to prevent unauthorized transfers, and conducted security audits on each wallet and signature system.

Coincidentally, on this day six years ago, Upbit was also hacked. According to Cryptonews, the incident was attributed to North Korean hackers, and at the time, the stolen ETH was worth approximately $41.5 million. After the theft, Upbit used its own funds to cover the entire amount and suspended trading for two weeks.

Currently, Upbit has stated that it is collaborating with multiple projects and relevant institutions to further freeze or recover stolen tokens, and is preparing to hand over the information to law enforcement agencies. According to Korean media BlockMedia, the Financial Supervisory Service's Virtual Asset Regulatory Bureau has immediately launched an inspection of the platform. The Financial Supervisory Service stated: “We are aware of this hacking incident and are currently investigating the origins of the hacking attack, the extent of the losses, and the measures taken to protect customer assets.”

Additionally, according to Beosin Trace analysis, some of the funds that flowed out abnormally from Upbit have started to be transferred. Addresses of Binance users (starting with 2zR) have received SOL that flowed out abnormally from Upbit through multiple intermediary addresses after this incident, with a total value of approximately $315,000 in SOL received.

The founder of Crypto Quant, Ki Young Ju, also posted on the X platform stating that after Upbit suspended withdrawals due to a hacking attack, arbitrage bots temporarily halted, allowing retail investors in South Korea to take the opportunity to drive up the prices of various altcoins on the platform.

had just announced the acquisition, and then paused deposits and withdrawals due to asset theft.

Yesterday, Upbit's parent company Dunamu just announced a merger with Naver Financial, with a transaction valuation of approximately 10.3 billion USD, making it one of the largest mergers in the history of South Korean finance. In addition to promoting the stability of the Korean won stablecoin and payment ecosystem, it also aims to pave the way for Upbit's listing in the United States.

According to previous reports, the boards of directors of both parties will merge through a full stock exchange method. In this share exchange, the exchange price per share for Dunamu is 439,252 won, and for Naver Financial, it is 172,780 won, with an exchange ratio set at 1:2.54. Meanwhile, Dunamu's co-founder will hold approximately 30% of the post-merger equity, becoming the largest shareholder. In order to avoid triggering South Korean antitrust regulations, Dunamu will delegate more than half of its voting rights to Naver, allowing the merger structure to pass smoothly.

Recently, Dunamu's financial report has solidified its leading position in the South Korean digital asset exchange market, with a net income growth of 300% year-on-year in the third quarter, reaching 165 million USD, which is over 300% growth compared to the same period last year. The performance of this financial report has provided a strong boost to the recent acquisition.

This acquisition further demonstrates the high degree of complementarity between the two parties' businesses. Naver, as a leading technology giant in South Korea, has extended its business scope from its initial search engine to multiple areas such as e-commerce (Naver Shopping), payments (Naver Pay), and digital content (Naver Webtoon), forming a complete commercial ecosystem. With the launch of Dunamu's self-developed L2 GIWA Chain, it is no longer limited to exchange operations, but has shifted towards the role of a blockchain infrastructure provider, which perfectly complements Naver's diversified business scenarios. Additionally, this merger lays the foundation for the Korean won stablecoin, which Dunamu is developing and will be primarily issued through Naver Pay, thereby achieving a complete link from the blockchain infrastructure to user-end payments.

However, due to the risks associated with stablecoins, compliance issues with exchanges, and market competition, this transaction still needs to be reviewed by the South Korean Financial Supervisory Service and the Fair Trade Commission. Additionally, at the beginning of November, Dunamu was fined approximately $25 million by the Financial Intelligence Unit (FIU) of South Korea for KYC violations. At the same time, the registration of new users and deposit/withdrawal services for Upbit were suspended for three months.

South Korea's regulators are cracking down on exchanges, posing challenges for Upbit's pursuit of a Nasdaq IPO.

This is one of the heaviest fines imposed on cryptocurrency exchanges in South Korea in recent years, and it is part of the South Korean government's extensive law enforcement action against anti-money laundering and KYC violations in the cryptocurrency industry.

The FIU stated, “During the anti-money laundering review of Dunamu, approximately 5.3 million KYC violation cases were discovered.” The agency also noted that Dunamu failed to report 15 suspicious transactions.

According to CoinDesk, Dunamu did not immediately plead guilty to the hefty fine and is even conducting an internal review to appeal. A spokesperson for Dunamu also emphasized that the FIU has made erroneous judgments in the past. “The FIU imposed a fine of 2 billion won on Hanbitco due to KYC deficiencies of about 200 users, but the Seoul court later revoked the fine, ruling that the case did not constitute money laundering.”

However, this time the South Korean regulatory authorities did not back down and conducted thorough searches of Dunamu, Korbit, GOPAX, Bithumb, and Coinone. According to the FIU report, during the review of their anti-money laundering and other regulatory compliance, it was found that Bithumb, Coinone, Korbit, and GOPAX had also violated multiple regulations.

As South Korea's largest cryptocurrency exchange, the penalties faced by Upbit since the beginning of the month and the asset theft incident today coincide with the announcement of the merger plan by Dunamu and Naver Financial just yesterday. Especially during this sensitive period when Upbit is considering seeking a Nasdaq IPO after the merger, it undoubtedly poses a challenge to its expansion plans.