A South Korean expert has suggested that the recent Upbit breach may have originated from a high-level mathematical exploit targeting flaws in the exchange’s signature or random-number generation system.
Rather than a conventional wallet compromise, the attack appears to have leveraged subtle nonce-bias patterns embedded in millions of Solana transactions—an approach requiring advanced cryptographic expertise and significant computational resources.
Sponsored
Technical Analysis of the Breach
On Friday, Upbit operator Dunamu’s CEO Kyoungsuk Oh issued a public apology regarding the Upbit incident, acknowledging that the company had discovered a security flaw that allowed an attacker to infer private keys by analyzing a large number of Upbit wallet transactions exposed on the blockchain. His statement raised immediate questions about how private keys could be stolen through transaction data.
The next day, Professor Jaewoo Cho of Hansung University provided insight into the breach, linking it to biased or predictable nonces within Upbit’s internal signing system. Instead of typical ECDSA nonce-reuse flaws, this method exploited subtle statistical patterns in the platform’s cryptography. Cho explained that attackers could examine millions of leaked signatures to infer bias patterns and ultimately recover private keys.
This view aligns with recent studies indicating that affinely related ECDSA nonces create significant risks. A 2025 study on arXiv demonstrated that just two signatures with such related nonces can expose private keys. Thus, private key extraction becomes far simpler for attackers able to gather extensive datasets from exchanges.
The technical sophistication involved suggests that an organized group with advanced cryptographic skills executed this exploit. According to Cho, recognizing minimal bias across millions of signatures demands not only mathematical expertise but also significant computational resources.
In response to the incident, Upbit moved all remaining assets to secure cold wallets and halted digital asset deposits and withdrawals. The exchange has pledged to restore any losses from its reserves, indicating a commitment to immediate damage control.
Extent and Security Implications
Evidence from a Korean researcher indicates that hackers not only accessed the exchange’s hot wallet but also individual deposit wallets. This could point to the compromise of sweep-authority keys—or even the private keys themselves—signaling a serious security breach.
Another researcher indicated that if private keys were indeed exposed, Upbit would likely need to thoroughly overhaul its security systems, including its hardware security modules (HSM), multi-party computation (MPC), and wallet structures. This scenario raises critical questions about internal controls, hinting at possible insider involvement and jeopardizing Upbit’s reputation.
The breadth of the attack emphasizes the urgent need for robust security protocols and stringent access controls across major exchanges. It serves as a reminder that even meticulously designed systems can harbor mathematical weaknesses. Effective nonce generation is vital to ensure randomness and unpredictability; detectable bias creates vulnerabilities ripe for exploitation by savvy attackers.
Research into ECDSA safeguards highlights that faulty randomness in nonce creation can leak crucial key information. The Upbit incident illustrates how theoretical vulnerabilities can lead to significant real-world losses when skilled and motivated attackers choose to act.
Timing and Industry Impact
The timing of the attack has fueled community speculation. It occurred exactly six years after a comparable Upbit breach in 2019, attributed to North Korean hackers. Furthermore, the current breach coincides with the announcement of a major merger involving Naver Financial and Dunamu, Upbit’s parent company.
Online discussions have ignited conspiracy theories about possible coordination or insider knowledge. Others suggest that the breach could be a smokescreen for other motives, such as internal embezzlement. Although clear technical evidence indicates a complex mathematical exploit, there are lingering doubts about the integrity of security practices within Korean exchanges.
“Everyone knows these exchanges massacre retail traders by listing questionable tokens and letting them die with no liquidity,” one user commented. Others noted, “Two overseas altcoin exchanges recently pulled the same stunt and disappeared,” while another accusation directly challenged the company by stating, “Is this just internal embezzlement and plugging the hole with company funds?”
The previous Upbit breach underscored that North Korea-aligned entities had systematically targeted major exchanges to navigate sanctions through cyber theft. While the current incident’s ties to state-sponsored actors remains unclear, the advanced nature of the attack still raises concerns across the industry.
