WikiBit 2025-11-28 21:26
South Korean crypto exchange Upbit says that there is “no excuse” for the “inadequate security management” that has led to a serious private key vulnerability on its platform.
Oh Kyung-seok, the CEO of Upbit's parent company, Dunamu, issued a statement today that claimed the vulnerability, which could allow would-be hackers to guess another user’s private keys, was discovered during its analysis of public Upbit wallet transactions on the blockchain.
In the statement, translated from Korean using DeepL, Oh apologized for the 44.5 billion Won ($30 million) theft from the firm's Solana hot wallet, saying, “This intrusion incident resulted from inadequate security management at Upbit, and there is no excuse for this.”
Upbit says attackers might have inferred private keys by analyzing user wallet address patterns. If true, I doubt anyone other than North Korean hackers (Lazarus) could do this. pic.twitter.com/cS4I8okrVb
— Ki Young Ju (@ki_young_ju) November 28, 2025
CryptoQuant CEO Ki Young Ju thinks Lazarus might be the culprit in Upbit's hack.
The CEO revealed that 38.6 billion Won ($26.2 million) consisted of “member losses” and that 2.3 billion Won was frozen. Oh also claimed that the other 5.9 billion Won ($4 million) was made up of company losses.
Oh's statement claims that Upbit was able to address the private key estimation vulnerability and also fully reimburse user losses with Upbit’s remaining reserves.
“To protect member assets, Upbit has suspended digital asset deposits and withdrawals, is tracking digital assets moved outside of Upbit, and is taking freezing measures,” it claimed.
Lazarus suspected of private key exploit
South Korean news outlet Yonhap News reported that authorities suspect the hack was the work of North Korea's Lazarus Group, and that an on-site investigation at Upbit is underway.
Upbit was previously targeted by the group six years ago, in 2019, when it stole $50 million worth of ether.
The crypto exchange said today that “Upbit has consistently strived to safeguard member assets, but this incident has once again made us realize that there is no such thing as perfect security preparedness.”
Crypto security firm CertiK has warned in a report this year about the potential for hackers to predict, or even reconstruct, the private keys of crypto wallets.
It highlights how the private key generator Profanity could be exploited via a brute force attack, and was likely the source of a private key leak that led to the $160 million hack of the market maker Wintermute.
Because Profanity's address generator only has “2^32 possible initial key pairs and each iteration is reversible, attackers could recover any Profanity-generated private key from its corresponding public key,” CertiK claimed.