
Explained: The Upbit Hack (November 2025)

Category: Explained: Hacks


POSTED BY: Rob Behnke

12.04.2025

In November 2025, Upbit, South Korea's largest cryptocurrency exchange, suffered a hot wallet breach that resulted in roughly $36 million in losses. The attack, believed to be the work of a North Korean state-sponsored group such as the Lazarus Group, led to the discovery of critical flaws in the exchange's digital signature infrastructure.

Inside the Attack

Digital signatures are a critical component of the blockchain ecosystem: they allow a transaction to be authenticated by anyone who holds the signature and the signer's public key. On a blockchain, where identity is tracked by account rather than by real-world identity, anyone can verify that a signature was produced with the private key associated with a particular account. If it was, the transaction is considered authentic, since only the account's owner should know that key.

Critically, a correctly implemented signature scheme never reveals the signing key: signatures are public by design, and an observer who collects every signature an account has ever produced should learn nothing about the private key. In the case of Upbit's signing infrastructure, this did not hold. Upbit's signing code produced weak or predictable signing data, and an attacker could combine that weakness with the account's history of past signed transactions, all of which are recorded on-chain, to derive the private key. This is a well-known failure class: schemes such as ECDSA and Ed25519 depend on a per-signature secret value (the nonce) being unique and unpredictable, and if it repeats or can be guessed, simple algebra over two signatures recovers the key.

While this vulnerability has not been proven to be the cause of the incident, it would explain how the attackers gained access to the compromised hot wallet. The attackers stole various tokens from the Solana-based wallet, resulting in an estimated $36 million in losses.

After detecting the attack, the exchange froze deposits and withdrawals and moved the remaining hot wallet assets to cold storage. The subsequent investigation revealed the weaknesses in the digital signature code and pointed toward the Lazarus Group as the likely culprit. Beyond the technical sophistication of the hack and the money laundering that followed, the timing supports that attribution: the incident occurred on the day the exchange's parent company was acquired and on the six-year anniversary of Upbit's previous hack, and other incidents attributed to the group have likewise coincided with significant dates.

Lessons Learned from the Attack

The Upbit breach was potentially caused by a flaw in its digital signature implementation, something that would take in-depth knowledge of the exchange's internal systems to identify and exploit. That suggests social engineering or similar reconnaissance to gather information about the signing infrastructure, combined with the technical proficiency and mathematical knowledge needed to turn the flaw into key recovery.

It also fits a broader trend toward off-chain attacks by major threat groups: rather than exploiting smart contracts, they target the infrastructure around them. By allegedly compromising the exchange's signing infrastructure, the attackers gained the same control over a major hot wallet as its legitimate operator and drained it of funds.

This incident shows the importance of in-depth security reviews of a project's entire codebase, both the on-chain components and the off-chain infrastructure such as signing services. Halborn offers security advisory and smart contract auditing services to help DeFi projects address their entire threat landscape. Get in touch to learn more about our services.

Disclaimer

The information in this blog is for general educational and informational purposes only and does not constitute legal, financial, or professional advice. Halborn makes no representations as to the accuracy or completeness of the content, which may be updated or changed without notice.