Upbit, South Korea’s largest cryptocurrency exchange, suffered a high-speed hack that siphoned off digital assets worth about $33 million in less than an hour, spotlighting the country’s still-maturing regulatory regime for virtual assets.
The breach took place in the early hours of October 27, beginning at 4:42 a.m. and ending by 5:36 a.m. local time. During the 54-minute window, roughly 100.4 billion units of 24 different Solana-based tokens were transferred to an unknown external wallet—averaging about $1,000 worth of assets per second.
In terms of token volume, the meme-coin BONK made up 99.1% of the total coins taken, valued at around $1.1 million. By financial value, however, Solana (SOL) represented the biggest single loss at approximately $14 million. Other affected tokens included FutjiPenguin and OfficialTrump, with losses of $2.9 million and $2.2 million, respectively.
Upbit said it moved quickly to contain the incident internally, suspending deposits and withdrawals for Solana-based tokens by 5:27 a.m. and halting all crypto deposits and withdrawals by 8:55 a.m.
But the exchange did not notify the Financial Supervisory Service, South Korea’s primary financial watchdog, until 10:58 a.m.—more than six hours after first detecting the abnormal outflows. Public disclosure came even later, via the company’s website at 12:33 p.m.
The delayed reporting has drawn scrutiny, particularly because it coincided with a major corporate event: the completion of a merger between Upbit’s parent firm, Dunamu, and Naver Financial, which was finalized shortly before 10:50 a.m. that same morning.
“As the country’s leading exchange, Upbit delayed reporting for over six hours despite losing assets worth tens of millions of dollars,” said Kang Min-kook, a lawmaker on the National Assembly’s Finance Committee. “We must determine whether vulnerabilities stemmed from the Solana platform’s structure or from Upbit’s own internal controls.”
Under South Korea’s current virtual-asset rules, exchanges have no direct legal obligation to compensate users for losses from hacks, nor do they face prescribed penalties for such breaches. The FSS has launched an on-site inspection of Upbit, but observers expect little in the way of formal punishment.
“This is not a matter to overlook,” said FSS Governor Lee Chan-jin. “At the same time, there are clear limits to what regulators can do under existing law.”
South Korea’s Electronic Financial Transactions Act imposes strict liability on traditional financial institutions for transaction security, even in the absence of proven fault—but cryptocurrency exchanges are excluded from its scope. Similarly, the Virtual Asset Service Provider Act, which took effect in July 2022, emphasizes user protection but lacks explicit penalties for hacks or operational failures.
Authorities are now drafting so-called “Phase 2” legislation designed to hold exchanges financially liable for losses from large-scale system failures or cyberattacks. Under current rules, exchanges must store at least 80% of user assets in offline cold wallets—a requirement Upbit says it met. The exchange has also stated that all stolen assets will be covered, so users will bear no financial loss.
“Upbit’s priority was to block any further unauthorized withdrawals,” a company spokesperson said. “Once the breach was confirmed, we notified regulators without delay.”
Industry experts warn that without stricter, enforceable IT security mandates and clear accountability mechanisms, South Korean crypto platforms will continue to operate with limited liability—leaving investors exposed in an era of increasingly sophisticated cyberattacks.
