South Korean experts suggested that the recent Upbit breach may have stemmed from high-level mathematical exploitation targeting flaws in the exchange’s signature and random number generation systems.
Rather than a traditional wallet compromise, this attack appears to leverage a subtle nonce bias pattern embedded in millions of Solana transactions. This approach requires advanced cryptographic expertise and large amounts of computational resources.
Sponsored Sponsored
Technical analysis of the breach
On Friday, Kyoungsuk Oh, CEO of Upbit operator Dunamu, issued a public apology for the Upbit incident, acknowledging that the company discovered a security flaw that could allow an attacker to guess private keys by analyzing a large number of Upbit wallet transactions published on the blockchain. However, his statement raised immediate questions about how private keys could be stolen through transaction data.
The next day, Hansung University professor Jae-woo Cho provided insight into this breach, linking it to a biased or predictable nonce within Upbit’s internal signature system. This method exploited subtle statistical patterns in the platform’s encryption rather than the typical ECDSA nonce reuse flaw. Cho explained that an attacker could examine the millions of leaked signatures, infer bias patterns, and ultimately recover the private key.
This perspective is consistent with recent research showing that ECDSA nonces in affine relationships create significant risks. A 2025 study on arXiv demonstrated that just two signatures with such associated nonces could expose a private key. As a result, extracting private keys becomes much easier for attackers who can collect large datasets from exchanges.
The level of technical sophistication suggests that an organized group with advanced cryptographic skills carried out this exploit. According to Cho, identifying minimal bias across millions of signatures requires not only mathematical expertise but also extensive computational resources.
Following this incident, Upbit moved all remaining assets to a secure cold wallet and stopped deposits and withdrawals of digital assets. The exchange also pledged to recover losses from its reserves and immediately bring damage control.
Sponsored Sponsored
Scope and security implications
Evidence from South Korean researchers shows that hackers not only accessed exchange hot wallets, but also personal deposit wallets. This indicates that the sweep privilege key, or even the private key itself, has been compromised, which could indicate a major security breach.
Another researcher noted that if the private keys were made public, Upbit could be forced to overhaul its security systems, including hardware security modules (HSM), multiparty computation (MPC), and wallet structures. This scenario raises questions about internal controls, indicates possible insider involvement, and puts Upbit’s reputation at risk. The scope of the attack highlights the need for robust security protocols and strict access controls across major exchanges.
This incident shows that even highly engineered systems can hide mathematical weaknesses. Effective nonce generation must guarantee randomness and unpredictability. Detectable biases create vulnerabilities that attackers can exploit. Organized attackers are becoming increasingly capable of identifying and exploiting these flaws.
Research on ECDSA security measures has highlighted that errors in randomness during nonce creation can lead to sensitive information being leaked. The Upbit story illustrates how theoretical vulnerabilities can lead to significant real-world losses if attackers have the expertise and motivation to exploit them.
Timing and industry impact
The timing of the attack fueled community speculation. The incident occurred exactly six years after a similar Upbit breach in 2019, which was attributed to North Korean hackers. Additionally, this hack coincided with the announcement of a major merger involving Naver Financial and Upbit’s parent company Dunamu.
There are conspiracy theories online about coordination or inside information, while others suggest the attack could mask other motives, such as internal embezzlement. Although clear technical evidence of complex mathematical exploits points to a sophisticated attack by cybercriminals, critics say the pattern still reflects long-standing concerns about South Korean exchanges.
“We all know these exchanges are slaughtering retail traders by listing dubious tokens and letting them disappear with no liquidity,” one user wrote. While some people pointed out that “two overseas altcoin exchanges recently committed similar acts and disappeared,” others directly criticized the company, asking, “Is this just internal embezzlement and they used company funds to plug the hole?”
The 2019 Upbit incident revealed that organizations aligned with North Korea had previously targeted major exchanges to evade sanctions through cyber theft. It is unclear whether state-backed actors were involved in this incident, but the sophisticated nature of the attack remains a concern.
