Talk about buyer’s remorse. South Korean web giant Naver has had an interesting week, after it acquired a cryptocurrency exchange that the next day revealed it had suffered a serious cyberattack.…
# Incident Report: Upbit Cryptocurrency Heist Post-Acquisition
## Executive Summary
South Korean web giant Naver announced the acquisition of cryptocurrency exchange Upbit (operated by Dunamu Corp) on November 27, 2025. The next day, Upbit disclosed a cyber incident in which approximately $30 million (₩44.5 billion) in Solana cryptocurrency was withdrawn without authorization. Upbit suspended Solana deposits and withdrawals while it investigated and committed to reimbursing affected customers from its own assets.
## Incident Details
- **Discovery Date:** November 28, 2025, 05:27 KST (time of the first visible response, the suspension of Solana deposits and withdrawals; the internal detection time is not stated)
- **Incident Date:** November 28, 2025 (unauthorized withdrawal confirmed the same day)
- **Affected Organization:** Upbit (Dunamu Corp)
- **Sector:** Financial Services / Cryptocurrency Exchange
- **Geography:** South Korea
## Timeline of Events
### Initial Access
- **Date/Time:** Before November 28, 2025 (time of compromise unknown)
- **Vector:** Not stated in the source.
- **Details:** Whatever the entry point, the attacker ended up able to initiate transfers from Upbit's Solana hot wallet. No technical root cause has been published.
### Lateral Movement
- **Details:** Not specified in the source material. The observable outcome is direct access to the hot wallet signing path; whether reaching it required movement between internal systems is unknown.
### Data Exfiltration/Impact
- **Date/Time:** November 28, 2025, confirmed by 12:33 KST.
- **Details:** Approximately ₩54 billion was initially reported; the figure was later revised to ₩44.5 billion (about $30 million) worth of **Solana** cryptocurrency moved out of Upbit's control without authorization.
### Detection & Response
- **Date/Time:** 05:27 KST (first visible containment action; when the abnormal activity was first noticed internally is not stated).
- **Details:**
- **05:27 KST:** Upbit suspended deposits and withdrawals for Solana wallets, citing maintenance.
- **08:55 KST:** Language changed to "emergency maintenance."
- **12:33 KST:** Upbit admitted an "abnormal withdrawal situation" following the theft.
- **Response:** Upbit stated that additional security measures were put in place (unspecified) and committed to covering all customer losses from company assets.
## Attack Methodology
The article does not provide technical details, so no MITRE ATT&CK mapping is possible. The entries below separate what is observed from what is inferred:
- **Initial Access:** Unknown.
- **Privilege Escalation:** Unknown. The attacker evidently reached a position from which large transfers could be initiated, but whether that required escalation is not stated.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown. Draining a hot wallet normally implies control of the signing keys or of the accounts that drive the signing service, but the source does not confirm which.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Inferred: the attacker targeted the Solana hot wallet specifically.
- **Exfiltration:** Direct on-chain transfer of Solana assets to addresses outside Upbit's control.
- **Impact:** Financial theft confirmed.
## Impact Assessment
- **Financial:** $30 million (₩44.5 billion) stolen.
- **Data Breach:** Not specified if customer personal data was accessed, but significant cryptocurrency assets were directly stolen.
- **Operational:** Deposits and withdrawals for Solana were suspended temporarily, impacting exchange operations for that specific coin.
- **Reputational:** Significant. The disclosure landed the day after Naver's acquisition announcement, which is why the source coverage framed it as a case of buyer's remorse.
## Indicators of Compromise
*No technical indicators (transaction hashes, destination addresses, hosts, malware) have been published. The entries below describe the observable pattern only.*
- **Network Indicators:** None published.
- **On-chain Indicators:** Unauthorized outbound Solana transfers from Upbit's hot wallet; specific transactions and destination addresses are not given in the source.
- **File Indicators:** None published.
- **Behavioral Indicators:** A burst of large withdrawals from the Solana hot wallet far outside the normal pattern of customer withdrawals.
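The only indicator available here is behavioral, so the detection that matters is the one that runs inside the exchange: watch hot-wallet outflow against its own recent baseline and freeze the wallet automatically when a window is wildly out of line. The following is an added example written for this page, not Upbit's or Dunamu's code; the window size, ratio, cap and the transfer log are constructed assumptions, and the amounts bear no relation to the real incident figures.

```python
"""Hot-wallet outflow monitor: flags a drain by velocity, absolute cap and
unseen destination. Constructed example, not exchange code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median


@dataclass(frozen=True)
class Outflow:
    ts: datetime
    amount_sol: float
    dest: str  # destination address; placeholders in the constructed sample


@dataclass(frozen=True)
class Alert:
    window_start: datetime
    reason: str
    total_sol: float


def detect_abnormal_outflow(events, window=timedelta(minutes=10), history=12,
                            ratio=5.0, hard_cap_sol=20_000.0, known_dests=frozenset()):
    """Bucket outbound transfers into fixed windows and raise an Alert when
    (a) a window's total exceeds `ratio` x the median of the previous `history`
        windows (velocity against the wallet's own baseline),
    (b) a window's total exceeds an absolute cap regardless of baseline, or
    (c) a single transfer above a tenth of the cap goes to a never-seen address.
    The first window has no baseline, so only (b) and (c) apply to it."""
    buckets = defaultdict(list)
    span = window.total_seconds()
    for e in events:
        start = e.ts - timedelta(seconds=e.ts.timestamp() % span)
        buckets[start].append(e)

    alerts, past_totals, seen = [], [], set(known_dests)
    for start in sorted(buckets):
        batch = buckets[start]
        total = sum(e.amount_sol for e in batch)
        baseline = median(past_totals[-history:]) if past_totals else None
        reasons = []
        if baseline and total > ratio * baseline:
            reasons.append(f"velocity {total:.0f} SOL > {ratio:g}x baseline {baseline:.0f}")
        if total > hard_cap_sol:
            reasons.append(f"window total {total:.0f} SOL exceeds hard cap {hard_cap_sol:.0f}")
        for e in batch:
            if e.dest not in seen and e.amount_sol > hard_cap_sol / 10:
                reasons.append(f"{e.amount_sol:.0f} SOL to unseen destination {e.dest}")
            seen.add(e.dest)
        if reasons:
            alerts.append(Alert(start, "; ".join(reasons), total))
        past_totals.append(total)
    return alerts


def constructed_events():
    """Constructed sample: twelve quiet windows of routine customer withdrawals
    to two known addresses, then one window in which the wallet is emptied to a
    fresh address in five rapid transfers. Times are arbitrary UTC values."""
    t0 = datetime(2025, 11, 28, 3, 0, tzinfo=timezone.utc)
    events = []
    for i in range(12):
        base = t0 + i * timedelta(minutes=10)
        events.append(Outflow(base + timedelta(minutes=2), 120.0, "cust_A"))
        events.append(Outflow(base + timedelta(minutes=7), 180.0, "cust_B"))
    drain = t0 + 12 * timedelta(minutes=10)
    for k in range(5):
        events.append(Outflow(drain + timedelta(minutes=k), 60_000.0, "attacker_X"))
    return events


if __name__ == "__main__":
    for a in detect_abnormal_outflow(constructed_events()):
        print(a.window_start.isoformat(), a.total_sol, a.reason)
```

The velocity rule is the one that fires earliest in practice: a compromised signer rarely bothers to stay under a fixed cap, but even if it did, a five-fold jump over the wallet's own median would still trip the first test. Pair the alert with an automatic hold on the signing service rather than a page to a human; at 05:00 local time a human response is measured in tens of minutes, which is longer than a drain takes.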
## Response Actions
- **Containment Measures:** Immediate suspension of all deposits and withdrawals for Solana cryptocurrency wallets.
- **Eradication Steps:** Investigation launched (details unspecified).
- **Recovery Actions:** Commitment to make affected customers whole from company funds. The timing of restoring Solana deposits and withdrawals is not stated in the source.
## Lessons Learned
1. **Due Diligence Timing:** The source does not say what security review Naver performed before the announcement. Whatever was done did not surface a compromise that was under way, or about to be, at the moment the deal was announced. Security due diligence for a target like this has to look for live intrusion (signing infrastructure, key custody, privileged access), not only for policy and paperwork, and should be completed before the announcement rather than the closing.
2. **Hot Wallet Exposure:** Whatever the entry point, the loss was bounded only by what the Solana hot wallet held. The amount kept in online, automatically signable wallets is the ceiling on a single-incident loss, and that ceiling was tens of millions of dollars.
## Recommendations
1. **Enhanced Pre-Acquisition Security Audits:** Commission independent penetration testing and a compromise assessment of the target's key-custody and signing infrastructure *before* an acquisition is announced, particularly for high-value financial targets such as crypto exchanges.
2. **Improved Wallet Segmentation:** Keep hot-wallet balances to the minimum that operations require and sweep the rest to cold storage on a schedule; put per-transaction and daily limits in front of the automated signer, and require a quorum of independent approvers (multi-signature or an equivalent policy layer) for anything above those limits, so that compromise of the automated signing path alone cannot empty the wallet.
3. **Advanced Threat Hunting:** Upbit's 2019 theft of roughly 342,000 ETH was later attributed by South Korean police to North Korean state-backed groups. Monitoring should therefore assume a persistent, well-resourced adversary with a specific interest in the exchange's signing infrastructure.
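Recommendation 2 is worth making concrete, because the point is not "use multisig" in the abstract but that the automated signer should be able to lose only a bounded amount even when fully controlled by an attacker. The following is an added example for this page, not Upbit's, Dunamu's or any wallet vendor's code; the limits, approver names and balances are constructed assumptions, and the "signing" is a policy decision rather than a real on-chain multisig program.

```python
"""Policy gate in front of a hot-wallet signer. Constructed example, not
exchange code. Shows why a compromised automated signer is bounded by the
hot cap, the single-transaction quorum rule and the daily limit."""
from dataclasses import dataclass


class PolicyViolation(Exception):
    """Raised when a withdrawal request must not be signed."""


@dataclass(frozen=True)
class HotWalletPolicy:
    max_hot_balance_sol: float   # everything above this is swept to cold storage
    single_tx_limit_sol: float   # above this a quorum of human approvers is required
    daily_limit_sol: float       # ceiling on automated outflow per day
    approvers: frozenset         # identities whose approvals count
    quorum: int                  # M of N approvals needed above the single-tx limit


@dataclass
class HotWallet:
    policy: HotWalletPolicy
    balance_sol: float
    cold_balance_sol: float = 0.0
    spent_today_sol: float = 0.0

    def sweep_to_cold(self):
        """Move everything above the hot cap offline; returns the amount swept.
        Run this on every deposit and on a timer, not only once."""
        excess = max(0.0, self.balance_sol - self.policy.max_hot_balance_sol)
        self.balance_sol -= excess
        self.cold_balance_sol += excess
        return excess

    def authorize_withdrawal(self, amount_sol, approvals=frozenset()):
        """Decide whether the signer may sign this transfer. Returns True and
        debits the wallet when allowed; raises PolicyViolation otherwise."""
        if amount_sol <= 0:
            raise PolicyViolation("non-positive amount")
        if amount_sol > self.balance_sol:
            raise PolicyViolation("exceeds hot balance")
        if amount_sol > self.policy.single_tx_limit_sol:
            # Only approvals from the configured approver set count; anything
            # the attacker forges with its own identity is ignored.
            valid = set(approvals) & self.policy.approvers
            if len(valid) < self.policy.quorum:
                raise PolicyViolation(
                    f"needs {self.policy.quorum} approvals, got {len(valid)}")
        if self.spent_today_sol + amount_sol > self.policy.daily_limit_sol:
            raise PolicyViolation("daily automated outflow limit reached")
        self.balance_sol -= amount_sol
        self.spent_today_sol += amount_sol
        return True


def simulate_compromised_signer():
    """Constructed scenario: the attacker controls the automated signer but none
    of the approver identities. Returns what the policy let through."""
    policy = HotWalletPolicy(max_hot_balance_sol=5_000.0, single_tx_limit_sol=500.0,
                             daily_limit_sol=2_000.0,
                             approvers=frozenset({"ops1", "ops2", "ops3"}), quorum=2)
    wallet = HotWallet(policy, balance_sol=300_000.0)
    outcome = {"swept": wallet.sweep_to_cold(), "rejected": [], "stolen": 0.0}
    # Attempt 1: one large transfer with a forged approval from a non-approver.
    try:
        wallet.authorize_withdrawal(4_000.0, approvals={"attacker"})
    except PolicyViolation as e:
        outcome["rejected"].append(str(e))
    # Attempt 2: slice the theft into transfers just under the single-tx limit.
    for _ in range(20):
        try:
            wallet.authorize_withdrawal(500.0)
            outcome["stolen"] += 500.0
        except PolicyViolation as e:
            outcome["rejected"].append(str(e))
            break
    outcome["remaining_hot"] = wallet.balance_sol
    return outcome


if __name__ == "__main__":
    print(simulate_compromised_signer())
```

With these constructed numbers the attacker who owns the signer outright walks away with 2,000 SOL out of 300,000: the sweep put 295,000 beyond reach, the quorum rule blocked the single large transfer, and the daily limit stopped the slicing after four transactions. The daily limit is the control most exchanges skip because it inconveniences legitimate volume; it is also the one that caps loss when the other two are bypassed.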