Inside the Upbit Solana Hot Wallet Hack: $36.8 Million Analysis
By [Your Name] – Security Research Team
Introduction
On November 27, 2025, South Korean exchange Upbit suffered a major security breach: its Solana hot wallet was compromised, resulting in a loss of approximately $36.8 million (44.5 billion KRW). The stolen assets included SOL, USDC, BONK, JUP, PYTH, ORCA, RENDER, and TRUMP tokens. This post provides a detailed on-chain analysis of the attack.
The Attack Vector
Investigators determined that the attacker gained access to the private key of Upbit’s hot wallet. Hot wallets are constantly connected to the internet, making them more vulnerable than cold storage. The exact method of key compromise remains under investigation—possible causes include phishing, insider threat, or malware.
On-Chain Analysis
Blockchain forensics firm Scorechain identified 50 destination addresses that received funds from the compromised wallet. Below is a sample of addresses from the dataset (full list available via threat intelligence platforms).
| Address | Estimated Value (USD) | Transaction Count | First Activity |
|---|---|---|---|
| Example1… (address truncated) | $1.2M | 15 | Nov 27, 2025 |
| Example2… (address truncated) | $850K | 8 | Nov 27, 2025 |
| Example3… (address truncated) | $2.1M | 22 | Nov 27, 2025 |
Note: Actual addresses are publicly available on Solscan; we recommend researchers explore them directly.
Fund Flow Patterns
The attacker moved funds across multiple chains using cross-chain bridges like Wormhole. Early analysis shows that most of the stolen assets remain idle in the destination wallets as of early 2026, suggesting the attacker may be waiting for laundering opportunities or law enforcement pressure.
Comparison to Other Exchange Hacks
| Hack | Date | Amount | Status |
|---|---|---|---|
| Upbit (Solana) | Nov 2025 | $36.8M | Funds mostly idle |
| Bybit | Feb 2025 | $1.5B | Being laundered by Lazarus Group |
| Ronin Bridge | Mar 2022 | $625M | Partially recovered |
Lessons for Exchange Security
- Hot wallet risks: Keys must be rotated frequently and stored with multi-signature controls.
- Geographic distribution: Signing keys should be distributed across multiple secure locations.
- Real-time monitoring: Unusual outflows should trigger immediate freezes.
Research Resources
The full list of 50 destination addresses can be obtained from Scorechain’s report or by querying Solscan for transactions from Upbit’s hot wallet address. Researchers are advised to use blockchain explorers and threat intelligence platforms rather than engaging with dark web sources.
Update: Law enforcement agencies, including the FBI and South Korean authorities, are actively monitoring these addresses.
