As of mid-afternoon South Korea time, Solana-based tokens were trading with double-digit gains on Upbit following a hack that stole approximately 44.5 billion won ($32 million).
CryptoQuant CEO Ki Young Ju noted that Korean traders began pushing up altcoin prices when arbitrage robots, which normally keep Korean and international prices aligned, stopped working.
The service suspension created an immediate disconnect between the Korean and global crypto markets.
As of mid-afternoon local time, ORCA was trading at a 95.6% premium to global prices on Upbit, while Meteora was trading at an 82% premium and Raydium at a 46% premium, according to exchange data.
The divergence reflects how heavily Korean retail relies on Upbit, which processes the majority of the country’s digital asset volume.
Without active arbitrage keeping Korean won-denominated pairs in line with dollar markets, local buying pressure drove up premiums in all Solana ecosystem tokens affected by the breach.
Upbit hit with hack
South Korean exchange Upbit suspended digital asset deposits and withdrawals on November 27 after detecting unauthorized transfers in Solana network tokens from a hot wallet.
The breach occurred around 4:42 a.m. local time when 24 Solana-based assets, including SOL, JUP, ORCA, and BONK, were moved to undesignated external wallets.
Upbit confirmed that cold wallet holdings were not compromised and immediately moved all remaining assets to secure cold storage. CEO Oh Kyung-seok pledged to cover the entire loss using the platform’s own reserves.
The exchange froze approximately 2.3 billion won in Solayer on-chain and continues to track the remaining funds in cooperation with project teams and authorities.
Upbit operator Dunamu revised down its initial damage estimate of 54 billion won after recalculating asset prices at the time of the breach.
Oh stated that customers will not suffer losses and that a comprehensive security review of the entire deposit and withdrawal system is being carried out before services resume.
Cold storage remains in place, but hot wallet design is questioned
Upbit’s statement emphasized that the breach affected only one hot wallet used for operational liquidity and that the cold wallet’s segregated reserves remained intact.
The exchange did not disclose technical details of how the unauthorized withdrawals occurred or whether the breach was due to compromised private keys, infrastructure vulnerabilities, or internal access.
At press time, no autopsy has been published. Upbit asked users to report suspicious activity through its customer service center and said it is cooperating with investigating authorities.
The exchange plans to resume deposit and withdrawal services sequentially as security reviews confirm the stability of the system.
South Korea’s Financial Services Commission has not yet issued a public statement on the breach. Upbit operates under the country’s Virtual Asset Service Provider framework and must maintain reserve ratios and segregate customer funds, although the application of these requirements has varied.
The $32 million loss is among the largest exchange breaches of 2025, but is still well below the scale of historical attacks like Mt. Gox, the $600 million Ronin Bridge exploit, or the $1.4 billion Bybit exploit.
Upbit’s decision to freeze Solayer tokens on-chain illustrates one of the few recourse mechanisms available when assets are moved to identifiable addresses. However, the majority of stolen funds remain unrecovered.
Upbit has not provided a timeline for restoring normal operations. The exchange said the security confirmation will determine when deposit and withdrawal services will resume, without giving a specific date for completing the security review.
