
A fatal blow on the eve of a merger? Upbit's $36 million theft could impact its Nasdaq IPO plans.

Wenser
Odaily senior author
@wenser2010
2025-11-27 11:45
Having just been fined $24 million by regulators at the beginning of the month, it suffered another major blow from hackers at the end of the month.

Original article by Odaily Planet Daily ( @OdailyChina )

Author|Wenser ( @wenser2010 )

Early this morning, Upbit, South Korea's largest centralized exchange (CEX), suffered a massive hacker attack, resulting in the loss of digital assets worth approximately $36.8 million (54 billion won). The operator, Dunamu, has confirmed the theft and suspended deposit and withdrawal services on its platform, promising to fully compensate users for their losses.

In South Korea, where cryptocurrency trading is rampant, Upbit has consistently dominated the market with its exceptionally high trading volume and massive liquidity, once boasting a market share as high as 80%. Benefiting from its deep pool of Korean won liquidity, Upbit is also considered another leading exchange besides Binance with a strong "listing effect," making it the preferred listing platform for many crypto projects. Upbit's parent company, Dunamu, has recently been planning a merger with fintech company Naver Financial that would form an entity valued at approximately $13.8 billion (200 trillion Korean won) through a stock swap. The security incident has introduced further uncertainty into its future business development.

In February of this year, Bybit suffered a $1.5 billion theft, and the subsequent theft from Upbit, another leading platform, has once again raised concerns within the industry about the security of centralized exchanges. Odaily Planet Daily will provide a summary and brief analysis of the Upbit theft in this article.

Upbit's theft of over $36 million in assets, covering nearly 20 cryptocurrencies on the Solana network.

At 3:42 AM Beijing time today, the Upbit Solana hot wallet address suddenly experienced a large outflow of funds.

At 11:33 AM, Oh Kyung-seok, CEO of Dunamu, the operator behind Upbit, released a new announcement on the official website stating that the exchange had suffered a large-scale theft of funds, totaling 54 billion Korean won (approximately US$36.8 million). Deposits and withdrawals have been suspended to ensure user funds are unaffected. The company emphasized that it will bear the losses incurred by all customers due to this hacking incident.

Finally, the announcement stated that the stolen assets covered multiple cryptocurrencies in the Solana ecosystem: DoubleZero (2Z), AccessProtocol (ACS), Bonk (BONK), Doodles (DOOD), Drift (DRIFT), Huma (HUMA), InternetOfThings (IO), Jito (JTO), Jupiter (JUP), Layer (LAYER), Magic Eden (ME), CatInEldritchWorld (MEW), Moodeng (MOODENG), Orca (ORCA), Pengu (PENGU), Pyth (PYTH), Ray (RAY), Render (RENDER), Solana (SOL), SonicSVM (SONIC), Soon (SOON), OfficialTrump (TRUMP), USDCoin (USDC), and Wormhole (W).

Around 2 PM, Upbit officially updated its announcement as follows:

  • The extent of the Solana network-related asset breach has been revised from 54 billion won to 44.5 billion won (approximately US$30.43 million).
  • The amount of funds frozen in Solana Network has been revised from approximately 12 billion won to approximately 2.3 billion won (approximately US$1.57 million).
  • This unusual withdrawal was confirmed to have occurred in Upbit's hot wallet; the assets in the cold wallet were not compromised or stolen.

Although the amount of stolen funds was far smaller than that of the Bybit theft, the attack and Upbit's suspension of deposits and withdrawals still had a series of short-term impacts on the crypto market.

Some Solana ecosystem tokens experienced a brief surge: ORCA rose by over 109%.

Following the theft, several Solana chain tokens on the Upbit platform experienced a brief surge in price, including:

  • Orca's price rose by 104%;
  • Meteora's increase was 89%;
  • Raydium saw an increase of 51%, etc.

As of the time of writing, according to data from Upbit, ORCA still saw a daily increase of 109.49%; MET saw a daily increase of approximately 87%; RAY saw a daily increase of approximately 46%; and DOOD saw a daily increase of approximately 42%. Regarding the specific reasons for the surge, CryptoQuant founder Ki Young Ju stated that after Upbit suffered a hacker attack and suspended withdrawals, it's possible that arbitrage bots temporarily shut down, allowing South Korean retail investors to take advantage of the situation and drive up the prices of various altcoins on the platform.

From this perspective, the concept of "stolen tokens" also applies to the South Korean crypto market, since stolen assets are also garnering significant market attention in a short period of time.

Stolen funds have begun to be transferred, with Binance becoming one of the destinations for these funds.

According to Beosin Trace's analysis, Upbit saw an unusual outflow of approximately $36 million in crypto assets from the Solana network, and the funds have begun to be transferred across addresses.

Among them, Binance exchange user address 2zRELfpr2K…C2S8 received 2202.72 SOL tokens, worth approximately $315,000, from multiple transit addresses after the incident.

According to South Korean media outlet BlockMedia, following the Upbit security incident, the Cyber Terrorism Investigation Unit of the National Investigation Headquarters of the South Korean National Police Agency announced that it will conduct an on-site investigation of the headquarters of Upbit's operator, Dunamu, to investigate clues related to the Upbit hack. The Virtual Asset Supervision Bureau of the Financial Supervisory Authority of South Korea has also joined the on-site inspection, stating, "We are aware of the hack and are currently investigating the details of the attack, the extent of the damage, and the measures taken to protect customer assets. We expect to continue the on-site inspection until next Friday (December 5th)."

Following the imposition of a hefty 35.2 billion won (approximately US$24.35 million) fine earlier this month by the Financial Intelligence Unit (FIU) of the South Korean Financial Services Commission, the swift follow-up to this theft incident may have given Upbit and its operator, Dunamu, a real taste of the "coercive yet lenient approach" of regulators. This could also become a landmark event in South Korean regulators' tightening of policies and management over the cryptocurrency market.

Tightening South Korean regulations and the nationwide cryptocurrency craze: When Upbit becomes a buffer between regulatory agencies and the public.

It is worth mentioning that as young South Koreans and other investors flock to cryptocurrency trading, South Korean financial regulators are gradually tightening their oversight of cryptocurrency exchanges and crypto projects.

Han Suqi faces regulatory sanctions: Upbit was previously fined over $24 million.

Earlier this month, the Financial Intelligence Unit (FIU) of South Korea's Financial Services Commission announced that it had finalized a fine of 35.2 billion won (approximately US$24.35 million) against Upbit operator Dunamu. This penalty is reportedly a follow-up to the three-month suspension and disciplinary action imposed on Dunamu executives and employees on February 25 this year. The reasons for the penalty include violations of the Specific Financial Information Act, involving transactions with undeclared virtual asset operators, failure to fulfill customer due diligence obligations, failure to implement transaction restrictions, and failure to report suspicious transactions.

In late November, the Financial Information Analysis Service (FIU) of Korea imposed sanctions on several centralized exchanges (CEXs) for violating anti-money laundering obligations. Following a "first-in, first-out" principle, the sanctions were imposed on institutions and individuals in the order of on-site inspections, along with fines. After sanctioning Dunamu, the FIU plans to take further action against the remaining virtual asset exchanges. Previously, the Financial Supervisory Service (FSS) had conducted on-site inspections of Upbit, Bithumb, Coinone, Korbit, and GOPAX since last year to examine their compliance with anti-money laundering obligations, including violations of Know Your Customer (KYC) procedures. The order of sanctions will follow the order of on-site inspections: Dunamu (August last year), Korbit (October), GOPAX (December), Bithumb (March this year), and Coinone (April). However, given that Bithumb recently underwent an additional on-site inspection due to order book issues, its sanctions may be delayed.

The sanctions process will be similar to that of Dunamu, first identifying individuals and institutions to be sanctioned, and then imposing fines. Previously, in February of this year, the FIU, under the Specific Financial Information Act, issued an accountability warning to Dunamu's CEO and imposed a heavy penalty on the institution, suspending new customer deposits and withdrawals for three months; and on the 6th, imposed a fine of 35.2 billion won.

The market anticipates that, given the similar nature of the violations committed by other exchanges (such as KYC breaches and failure to report suspicious transactions), the sanctions against Dunamu will be similar in severity, making heavy penalties almost inevitable, with fines potentially reaching tens of billions of Korean won. It is expected that the FIU's sanctions against the remaining four exchanges may not be completed this year, with most sanctions anticipated to conclude in the first half of next year (i.e., 2026).

It's worth noting that on the 24th of this month, Upbit planned to IPO on Nasdaq in the US after completing its merger; subsequently, South Korean portal site Naver agreed yesterday to acquire Dunamu, the operator behind Upbit, in an all-stock transaction valued at approximately $10.3 billion. The deal reportedly involves Naver's fintech subsidiary, Naver Financial Corp., issuing 2.54 new Naver shares for every 1 Dunamu share it holds.

Behind the frenzied capital mergers and acquisitions and the increasingly stringent regulatory environment lies a "cryptocurrency craze" in South Korea that is becoming increasingly crazy and even spiraling out of control.

The rampant cryptocurrency trading in South Korea: Korean celebrities embezzle public funds to trade cryptocurrencies; a famous actress's husband loses 15 billion won in cryptocurrency trading.

According to data released by the analysis firm Kaiko in September of this year, South Korea has now become the world's second largest cryptocurrency trading country, with nearly one-third of South Koreans holding cryptocurrency positions on various exchanges; among them, traders aged 30 to 40 account for as much as 56%.

Nevertheless, for South Korean society, where the gap between rich and poor is widening, cryptocurrency trading remains a "high-risk game for the poor to try and turn their lives around." Data shows that users holding less than 500,000 won (approximately 2,419 yuan) in cryptocurrency account for 66% of all cryptocurrency users in South Korea, indicating a market characterized by "many retail investors and few institutional investors."

Aside from individual investors and young people, South Korea, with its developed entertainment industry, naturally has its share of eye-catching stories like "celebrities trading cryptocurrencies."

In June of this year, the news that "Jun Ji-hyun's husband lost 15 billion won in cryptocurrency trading" became a trending topic on Weibo and Baidu. According to South Korean media Chosun, Choi Joon-hyuk, the husband of famous South Korean actress Jun Ji-hyun and CEO of private equity fund operator Alpha Asset Management, suffered huge asset losses due to cryptocurrency. His company held 35 billion won worth of shares in the listed company Wemade. The virtual currency Wemix, issued by Wemade through its subsidiary, was delisted from Korean exchanges such as Upbit and Bithumb, causing Wemade's stock price to plummet and creating a ripple effect.

In August, South Korean prosecutors sought a three-year prison sentence for actress Hwang Jung-eum, who was indicted for allegedly embezzling 4.3 billion won (approximately US$3.07 million) from her company and investing in cryptocurrencies. Although her agency, Y1 Entertainment, had previously stated that Hwang Jung-eum had repaid the debt, prosecutors sought a three-year prison sentence for violating the Act on Aggravated Punishment of Specific Economic Crimes (embezzlement).

This is the most helpless choice for young people in South Korean society today—just like the South Korean film "Parasite" says, the poverty of the poor cannot be hidden.

For them, cryptocurrency trading has become one of their few remaining hopes for a turnaround. Furthermore, with South Korea's aging society, many elderly people have also joined the ranks of cryptocurrency traders. By the end of 2024, the number of cryptocurrency traders aged 60 and above in South Korea had reached 775,000.

Furthermore, when asked "What is the purpose of trading cryptocurrencies?", according to a survey conducted by JoongAng in June of this year, 40% of respondents said they bought cryptocurrencies as "an investment for retirement." A 45-year-old white-collar worker said that he now sets aside 1 million won per month to invest in Bitcoin as a way to prepare for his old age—"just like saving money."

But for individual investors in the market, getting rich quick is probably just a pipe dream, and for most people, the end result will be that their assets go to zero.

With tightening regulations and shrinking opportunities in the crypto market, and following the devastating black swan event of the Luna collapse in 2022, the South Korean crypto market has been forced into a period of short-sighted, exploitative practices. In the second half of the year, data showed that Upbit's stablecoin trading volume plummeted by as much as 80%.

In the past, as a "fig leaf" for social conflicts, South Korean gambling sites like Upbit were both a "stage" similar to casinos and a "factory" that contributed taxes and increased employment. Now, however, this buffer zone is facing a host of problems, including regulatory fines, hacking, and user churn. The once-protective buffer zone has now become precarious.

With the crypto market still in a period of volatility, the hacking attack may only be a passive factor that has forced Korean CEXs like Upbit to take steps toward regulatory compliance. More importantly, the question they face is how to find new market growth and profit models after experiencing a period of rapid, unregulated growth in the industry.

For ordinary users, perhaps we should be thinking about how to ensure our assets are spared from disaster, just like the level 5 fire that occurred yesterday in Hung Fook Court, Tai Po, Hong Kong, before our personal assets suffer irreparable losses from the exchange.

AI Summary
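  • Core view: Upbit, South Korea's leading exchange, lost more than $30 million in a hacker attack.
  • Key elements:
    1. $30.43 million of Solana ecosystem assets were stolen from the hot wallet.
    2. The platform suspended deposits and withdrawals and promised to fully compensate users.
    3. The stolen tokens saw abnormal price surges on the platform.
  • Market impact: Triggers a crisis of trust in the security of centralized exchanges.
  • Timeliness: Short-term impact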