• A Korean expert says the Upbit breach likely stemmed from a high-level mathematical exploit involving biased nonces.
• Analysis suggests attackers inferred private keys by detecting subtle randomness flaws across millions of exposed Solana signatures.
• On-chain evidence shows the breach affected both hot and individual deposit wallets, presenting severe credibility risks for Upbit.

A South Korean expert has suggested that the recent Upbit breach may have originated from a high-level mathematical exploit targeting flaws in the exchange’s signature or random-number generation system.

Rather than a conventional wallet compromise, the attack appears to have leveraged subtle nonce-bias patterns embedded in millions of Solana transactions—an approach requiring advanced cryptographic expertise and significant computational resources.

Sponsored

Sponsored

Technical Analysis of the Breach

On Friday, Upbit operator Dunamu’s CEO Kyoungsuk Oh issued a public apology regarding the Upbit incident, acknowledging that the company had discovered a security flaw that allowed an attacker to infer private keys by analyzing a large number of Upbit wallet transactions exposed on the blockchain. His statement, however, raised immediate questions about how private keys could be stolen through transaction data.

The next day, Professor Jaewoo Cho of Hansung University provided insight into the breach, linking it to biased or predictable nonces within Upbit’s internal signing system. Rather than typical ECDSA nonce-reuse flaws, this method exploited subtle statistical patterns in the platform’s cryptography. Cho explained that attackers could examine millions of leaked signatures, infer bias patterns, and ultimately recover private keys.

This perspective aligns with recent studies showing that affinely related ECDSA nonces create a significant risk. A 2025 study on arXiv demonstrated that just two signatures with such related nonces can expose private keys. As a result, private key extraction becomes far easier for attackers who can gather large datasets from exchanges.

The level of technical sophistication suggests an organized group with advanced cryptographic skills conducted this exploit. According to Cho, identifying minimal bias across millions of signatures requires not only mathematical expertise but also extensive computational resources.

In response to the incident, Upbit moved all remaining assets to secure cold wallets and halted digital asset deposits and withdrawals. The exchange has also pledged to restore any losses from its reserves, ensuring immediate damage control.

Sponsored

Sponsored

Extent and Security Implications

Evidence from a Korean researcher indicates that hackers gained access not only to the exchange’s hot wallet but also to individual deposit wallets. This may point to the compromise of sweep-authority keys—or even the private keys themselves—signaling a grave security breach.

Another researcher points out that, if private keys were exposed, Upbit could be forced to comprehensively overhaul its security systems, including its hardware security modules (HSM), multi-party computation (MPC), and wallet structures. This scenario raises questions about internal controls, indicating possible insider involvement and placing Upbit’s reputation at risk. The extent of the attack highlights the need for robust security protocols and strict access controls across major exchanges.

The incident illustrates that even highly engineered systems can conceal mathematical weaknesses. Effective nonce generation must ensure randomness and unpredictability. Detectable bias creates vulnerabilities that attackers can exploit. Organized attackers are increasingly capable of identifying and leveraging these flaws.

Research into ECDSA safeguards stresses that faulty randomness in nonce creation can leak key information. The Upbit case shows how theoretical vulnerabilities can translate into major real-world losses when attackers have the expertise and motivation to exploit them.

Timing and Industry Impact

The attack’s timing has fueled community speculation. It occurred exactly six years after a comparable Upbit breach in 2019, which was attributed to North Korean hackers. Furthermore, the hack coincided with the announcement of a major merger involving Naver Financial and Dunamu, Upbit’s parent company.

Online, some conspiracy theories about coordination or insider knowledge, while others suggest the attack could mask other motives, such as internal embezzlement. Although the clear technical evidence of a complex mathematical exploit points to a highly advanced attack by cybercriminals, critics say the pattern still mirrors longstanding concerns about Korean exchanges:

“Everyone knows these exchanges massacre retail traders by listing questionable tokens and letting them die with no liquidity,” one user wrote. Others noted, “Two overseas altcoin exchanges recently pulled the same stunt and disappeared,” while another accused the company directly: “Is this just internal embezzlement and plugging the hole with company funds?”

The 2019 Upbit case showed that North Korea-aligned entities had previously targeted major exchanges to evade sanctions through cyber theft. Although it’s unclear if the current incident involved state-sponsored actors, the advanced nature of the attack remains concerning.

Disclaimer