Upbit Parent Dunamu Admits “Inadequate Security Management” For The $37M Hack After Private-Key Vulnerability

The vulnerability could allow attackers to guess other users’ private keys, posing a severe risk to account security & user funds. Dunamu’s CEO acknowledged the failure publicly, saying there is “no excuse,” after the issue was discovered through analysis.

Meghna Chowdhury

Upbit, a cryptocurrency exchange based in South Korea, claims that there is “no excuse” for the “inadequate security management” that led to a significant private key vulnerability on its site.

The CEO of Upbit’s parent company, Dunamu, Oh Kyung-seok, said in a statement today that the vulnerability was discovered during an examination of public Upbit wallet transactions on the blockchain and could allow hackers to guess another user’s private keys.

The details of the hack

“This intrusion incident resulted from inadequate security management at Upbit, and there is no excuse for this,” Oh said in an apology, translated from Korean using DeepL, for the 44.5 billion Won ($30 million) loss from the company’s Solana hot wallet.

The CEO disclosed that 2.3 billion Won was frozen and that 38.6 billion Won ($26.2 million) of the total consisted of “member losses.” Oh also said that business losses accounted for the remaining 5.9 billion Won ($4 million).

According to Oh’s statement, Upbit was able to fix the flaw that allowed private keys to be guessed and to use its remaining reserves to fully repay customers’ losses.

“To protect member assets, Upbit has suspended digital asset deposits and withdrawals, is tracking digital assets moved outside of Upbit, and is taking freezing measures,” it claimed.

Hack linked to North Korea

Authorities believe North Korea’s Lazarus Group was responsible for the breach, according to South Korean news agency Yonhap News, and an on-site probe at Upbit is in progress. The organisation had already targeted Upbit six years prior when it stole $50 million worth of ether in 2019. 

“Upbit has consistently strived to safeguard member assets, but this incident has once again made us realise that there is no such thing as perfect security preparedness,” the cryptocurrency exchange stated today.

In a study this year, the cryptocurrency security company CertiK issued a warning on the possibility that hackers may guess or even recreate the private keys of cryptocurrency wallets. 

CertiK’s report demonstrates how a brute-force attack can be used to exploit the private key generator Profanity, a weakness that was probably the cause of the private key leak behind the $160 million breach of the market maker Wintermute.

Because Profanity’s address generator only has “2^32 possible initial key pairs and each iteration is reversible, attackers could recover any Profanity-generated private key from its corresponding public key,” CertiK claimed.
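
Added example (not from this article or from CertiK's report): a scaled-down Python model of the weakness CertiK describes, showing that a key built from a small seed plus reversible iterations is only as strong as the seed, while a key drawn entirely from a CSPRNG is not reachable by the same check. The mod-p group standing in for the real curve, the 12-bit seed space standing in for 2^32, the +1-per-iteration stepping and all function names are assumptions of the model.

```python
import hashlib
import secrets

# Toy model (constructed): a multiplicative group mod the prime 2**61 - 1 stands
# in for the real curve, and the seed space is shrunk from 2**32 to 2**12.
P = 2**61 - 1
PRIME_FACTORS = (2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321)  # of P - 1
# Smallest generator of the full group, so public keys range over ~2**61 values.
G = next(g for g in range(2, 1000)
         if all(pow(g, (P - 1) // f, P) != 1 for f in PRIME_FACTORS))
G_INV = pow(G, -1, P)
SEED_BITS = 12

def public_key(priv):
    return pow(G, priv, P)

def seed_to_private(seed):
    """Deterministically expand a small seed into a full-width private key."""
    digest = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 1)

def weak_keypair(iterations):
    """Weak: all randomness comes from a SEED_BITS-wide seed, then the key is
    stepped by +1 per iteration (pub *= G), which anyone can undo (pub *= G_INV)."""
    priv = (seed_to_private(secrets.randbits(SEED_BITS)) + iterations) % (P - 1)
    return priv, public_key(priv)

def hardened_keypair():
    """Hardened: the whole private key comes from the OS CSPRNG."""
    priv = secrets.randbelow(P - 1)
    return priv, public_key(priv)

def reachable_from_seed_space(pub, max_iterations=2000):
    """Audit check: step the public key backwards and look for any seed-derived
    starting key. Returns the private key if one is reached, else None."""
    start_keys = {public_key(k): k for k in map(seed_to_private, range(2**SEED_BITS))}
    for steps in range(max_iterations + 1):
        if pub in start_keys:
            return (start_keys[pub] + steps) % (P - 1)
        pub = pub * G_INV % P
    return None

if __name__ == "__main__":
    _, weak_pub = weak_keypair(iterations=1337)
    _, strong_pub = hardened_keypair()
    print("weak key reachable:    ", reachable_from_seed_space(weak_pub) is not None)
    print("hardened key reachable:", reachable_from_seed_space(strong_pub) is not None)
```

The private key in the weak case looks like a full-width random number, yet the check only ever has to consider 2^12 starting points; widening the seed to the full key size is what removes that shortcut.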
