Upbit Hack Arose From High-Level Math Exploit, Says Local Expert

A South Korean expert has suggested that the recent Upbit breach may have originated from a high-level mathematical exploit targeting flaws in the exchange’s signature or random number generation system.

Rather than compromising the wallet in the conventional way, the attack appears to have leveraged subtle bias patterns embedded in millions of Solana transactions, an approach that requires advanced cryptographic expertise and significant computational resources.

Technical analysis of the breach

On Friday, Upbit operator Dunamu CEO Kyoungsuk Oh issued a public apology regarding the Upbit incident, acknowledging that the company had discovered a security flaw that allowed an attacker to infer private keys by analyzing a large number of Upbit wallet transactions exposed on the blockchain. However, his statement raised immediate questions about how private keys could be stolen through transaction data.

The next day, Professor Jaewoo Cho of Hansung University provided information about the breach, linking it to biased or predictable errors within Upbit’s internal signature system. Instead of the typical ECDSA nonce-reuse flaws, this method exploited subtle statistical patterns in the platform’s cryptography. Cho explained that attackers could examine millions of leaked signatures, infer patterns of bias, and ultimately recover private keys.

This perspective aligns with recent studies showing that affinely related ECDSA nonces create significant risk. A 2025 study on arXiv showed that only two signatures with related nonces can expose private keys. As a result, extracting private keys becomes much easier for attackers who can collect large data sets from exchanges.

The level of technical sophistication suggests that an organized group with advanced cryptographic skills carried out this exploit. According to Cho, identifying minimal bias among millions of signatures requires not only mathematical expertise but also extensive computational resources.

In response to the incident, Upbit moved all remaining assets to secure cold wallets and stopped digital asset deposits and withdrawals. The exchange has also committed to restoring any loss to its reserves, ensuring immediate damage control.

Scope and security implications

Evidence from a Korean researcher indicates that hackers gained access not only to the exchange’s active wallet but also to individual deposit wallets. This suggests the compromise of sweep-authority keys (or even the private keys themselves), which would be a serious security breach.

Another researcher notes that if private keys were exposed, Upbit could be forced to comprehensively overhaul its security systems, including its hardware security modules (HSM), multi-party computation (MPC), and wallet structures. This scenario raises questions about internal controls, pointing to possible insider involvement and putting Upbit’s reputation at risk. The scope of the attack highlights the need for robust security protocols and strict access controls on major exchanges.

The incident illustrates that even highly engineered systems can hide mathematical weaknesses. Effective nonce generation must guarantee randomness and unpredictability. Detectable bias creates vulnerabilities that attackers can exploit. Organized attackers are increasingly able to identify and exploit these flaws.

Research into ECDSA safeguards emphasizes that faulty randomness in nonce creation can leak key information. The Upbit case shows how theoretical vulnerabilities can translate into significant real-world losses when attackers have the experience and motivation to exploit them.
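The key-leak mechanism described above (related or biased nonces, with nonce reuse as the simplest case) as an added Python example that is not part of the article or of any Upbit code: a textbook ECDSA signer over secp256k1 with a caller-supplied nonce, a recovery routine for the affine relation k2 = a*k1 + b that the cited arXiv work generalizes (reuse is a = 1, b = 0), and a simplified RFC 6979-style deterministic nonce as the mitigation. The relation coefficients, the throwaway key and the transaction hashes are constructed for the demonstration.

```python
import hashlib, hmac, secrets

# secp256k1 parameters; any prime-order curve would do for this demonstration
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def sign(d, h, k):
    """Textbook ECDSA with the nonce k supplied by the caller (the point of the demo)."""
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h + r * d) % N

def recover_key(sig1, h1, sig2, h2, a, b):
    """Solve for d when k2 = a*k1 + b (mod n); each k_i = (h_i + r_i*d)/s_i is linear in d."""
    (r1, s1), (r2, s2) = sig1, sig2
    inv1, inv2 = pow(s1, -1, N), pow(s2, -1, N)
    num = (a * h1 * inv1 + b - h2 * inv2) % N
    den = (r2 * inv2 - a * r1 * inv1) % N
    return num * pow(den, -1, N) % N

def deterministic_nonce(d, h):
    """Simplified RFC 6979-style nonce: HMAC of the hash keyed by d (not the full spec)."""
    mac = hmac.new(d.to_bytes(32, "big"), h.to_bytes(32, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % N or 1

def demo(a=3, b=17):
    """Constructed scenario: a faulty RNG whose consecutive nonces obey k2 = a*k1 + b."""
    d, k1 = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    h1, h2 = (int.from_bytes(hashlib.sha256(m).digest(), "big") % N for m in (b"tx-1", b"tx-2"))
    return recover_key(sign(d, h1, k1), h1, sign(d, h2, (a * k1 + b) % N), h2, a, b) == d
```

`demo()` returns True when the private key falls out of just two signatures; with `deterministic_nonce` no such relation between nonces exists, which is the property a signing service must guarantee.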

Timing and impact on the industry

The timing of the attack has fueled community speculation. It occurred exactly six years after a comparable Upbit breach in 2019, attributed to North Korean hackers. Additionally, the hack coincided with the announcement of a major merger between Naver Financial and Dunamu, Upbit’s parent company.

Online, some theorize about coordination or insider knowledge, while others suggest the attack could mask other motives, such as internal embezzlement. Although clear technical evidence of a complex mathematical exploit points to a highly advanced attack by cybercriminals, critics say the pattern still reflects long-standing concerns about Korean exchanges:

“Everyone knows these exchanges slaughter retail traders by listing questionable tokens and leaving them to die illiquid,” one user wrote. Others noted: “Two overseas altcoin exchanges recently pulled the same trick and disappeared,” while another directly accused the company: “Is this just internal embezzlement and plugging the hole with company funds?”

The 2019 Upbit case showed that North Korea-aligned entities had previously targeted major exchanges to evade sanctions through cyber theft. Although it is unclear whether the current incident involved state-sponsored actors, the advanced nature of the attack remains concerning.
