Technical Analysis of the Breach
A South Korean expert has suggested that the recent Upbit security breach might have originated from a sophisticated mathematical exploit targeting weaknesses in the exchange’s signature or random-number generation system. This wasn’t your typical wallet compromise—it appears the attackers leveraged subtle patterns in millions of Solana transactions, an approach that requires both advanced cryptographic knowledge and substantial computing power.
Last Friday, Upbit operator Dunamu’s CEO Kyoungsuk Oh publicly apologized for the incident, acknowledging that the company had discovered a security flaw that allowed an attacker to infer private keys by analyzing a large volume of Upbit wallet transactions visible on the blockchain. His statement immediately raised questions about how private keys could be stolen through transaction data alone.
Professor Jaewoo Cho of Hansung University provided some clarity the following day, linking the breach to biased or predictable nonces within Upbit’s internal signing system. Rather than typical ECDSA nonce-reuse flaws, this method exploited subtle statistical patterns in the platform’s cryptography. Cho explained that attackers could examine millions of leaked signatures, identify bias patterns, and eventually recover private keys.
This perspective aligns with recent research showing that affinely related ECDSA nonces create significant risks. A 2025 study demonstrated that just two signatures with such related nonces can expose private keys. This makes private key extraction much easier for attackers who can gather large datasets from exchanges.
The technical sophistication suggests an organized group with advanced cryptographic skills conducted this exploit. According to Cho, identifying minimal bias across millions of signatures requires not only mathematical expertise but also extensive computational resources.
Security Implications and Response
Evidence from Korean researchers indicates that hackers gained access not only to the exchange’s hot wallet but also to individual deposit wallets. This might point to the compromise of sweep-authority keys—or even the private keys themselves—signaling a serious security breach.
If private keys were indeed exposed, Upbit could be forced to completely overhaul its security systems, including hardware security modules, multi-party computation protocols, and wallet structures. This scenario raises questions about internal controls and suggests possible insider involvement, putting Upbit’s reputation at significant risk.
The incident shows that even well-engineered systems can hide mathematical weaknesses. Effective nonce generation must ensure true randomness and unpredictability. Detectable bias creates vulnerabilities that attackers can exploit, and organized attackers are increasingly capable of identifying and leveraging these flaws.
Research into ECDSA safeguards emphasizes that faulty randomness in nonce creation can leak key information. The Upbit case demonstrates how theoretical vulnerabilities can translate into major real-world losses when attackers have the expertise and motivation to exploit them.
Timing and Industry Impact
The attack’s timing has generated considerable speculation within the community. It occurred exactly six years after a similar Upbit breach in 2019, which was attributed to North Korean hackers. Additionally, the hack coincided with the announcement of a major merger involving Naver Financial and Dunamu, Upbit’s parent company.
Online discussions have produced various theories—some suggesting coordination or insider knowledge, while others propose the attack might mask different motives, such as internal embezzlement. Although the technical evidence clearly points to a complex mathematical exploit by sophisticated cybercriminals, critics note the pattern reflects longstanding concerns about Korean exchanges.
One user commented that “everyone knows these exchanges massacre retail traders by listing questionable tokens and letting them die with no liquidity.” Others noted that “two overseas altcoin exchanges recently pulled the same stunt and disappeared,” while another directly accused the company: “Is this just internal embezzlement and plugging the hole with company funds?”
The 2019 Upbit case showed that North Korea-aligned entities had previously targeted major exchanges to evade sanctions through cyber theft. While it’s unclear if the current incident involved state-sponsored actors, the advanced nature of the attack remains concerning for the broader cryptocurrency industry.
In response to the incident, Upbit moved all remaining assets to secure cold wallets and halted digital asset deposits and withdrawals. The exchange has pledged to restore any losses from its reserves, implementing immediate damage control measures.
