Upbit, a South Korean cryptocurrency exchange, recently disclosed that it had discovered and rectified a major flaw in its internal wallet system. The flaw was found during an emergency investigation that followed the theft of $30 million. The connection between the vulnerability and the theft, however, is not clear-cut.
Oh Kyung-seok, the CEO of Upbit, said in a company statement that the exchange detected a serious system fault while analysing the firm's publicly visible wallet transactions on the blockchain. The flaw allowed potential hackers to deduce private keys. Such vulnerabilities are not apparent in normal blockchain transactions, but Upbit's wallet software had a unique weakness: it created weak or predictable signature data. By analysing past on-chain transactions, an attacker could use that data to mathematically reconstruct certain wallet private keys. The cause of the vulnerability was a severe bug in Upbit's implementation of its system.
The vulnerability was discovered in the follow-up to irregular withdrawals from the exchange's Solana-related wallets on November 27th. The exchange did not, however, directly link the breach to this vulnerability. The inspection that followed covered all relevant networks and wallet systems. During this comprehensive review process, the vulnerability was identified and rectified, CEO Oh Kyung-seok stated. In light of the vulnerability, the company activated an emergency response, and all deposits and withdrawals have been put on hold until further notice. Business operations will resume only when the company's infrastructure has been thoroughly checked and verified as secure.
The Impact of the Cyberattack
In its announcement, Upbit confirmed that the cyberattack resulted in a total loss of approximately 44.5 billion KRW, or roughly $30 million. Customer assets made up 38.6 billion KRW, an estimated $26 million, of that total. The company also announced that a portion of the stolen funds, about 2.3 billion KRW or roughly $1.5 million, has already been frozen.
Commitment to Security and Responsibility
In light of these events, Upbit is now engaged in a thorough security review across its infrastructure. The exchange acknowledged the event as a stern reminder that no security system can ever be considered perfect, and committed to several system upgrades in order to avoid future data breaches. Upbit has also pledged to provide regular public updates on its progress and will resume deposits and withdrawals as soon as final checks have proven its wallet systems secure. The exchange has taken responsibility for covering all customer losses using its own reserves.
Suspicious Activities and Investigations
Following abnormal Solana-based outflows on November 26, which included tokens such as SOL, ORCA, RAY and JUP among others, the crypto exchange immediately suspended withdrawals. The exchange then moved the remaining assets to cold storage and began a total wallet overhaul. Upbit is the largest exchange in South Korea and operates under its parent company, Dunamu. It is currently preparing for a merger with Naver, an internet conglomerate, in the wake of a potential public market listing. South Korean authorities have also opened investigations into the incident, which are ongoing.
Recently, local media outlets reported intelligence assessments that suggested the possible involvement of North Korea’s Lazarus Group in the cyberattack on Upbit. While this involvement has not yet been publicly confirmed by either Upbit or regulatory bodies, Upbit continues to work in tandem with law enforcement and blockchain projects. The goal is to freeze and recover as many of the stolen assets as possible.

