Upbit Internal Control Weakness Exposed in KRW 44.5B Hot-Wallet Hack

South Korea’s largest cryptocurrency exchange, Upbit, has once again suffered a major security breach—this time involving approximately KRW 44.5 billion in assets transferred from its hot wallet to unauthorized addresses. The incident has intensified concerns about Upbit internal control weakness, especially as it coincided with the Naver Financial–Dunamu merger, a development regulators worry could amplify systemic risks without robust oversight.

Although Upbit confirmed that cold wallets were not compromised, regulators from the FSS(Financial Supervisory Service) and the FSI(Financial Security Institute) immediately initiated on-site inspections. This fact was also reported to the KISA(Korea Internet & Security Agency). A key structural issue persists, Upbit is not classified as an electronic financial services provider, meaning it is not obligated to comply with mandatory IT-security standards required of regulated financial institutions—deepening the perception of Upbit internal control weakness.

The breach also renews scrutiny of Korea’s delayed Phase 2 Digital Asset Framework Act, which seeks to implement standardized cybersecurity, internal-control, and consumer-protection rules for exchanges. Without these legal safeguards, the consolidation of Naver and Dunamu into a Web2–Web3 fintech conglomerate raises additional concerns over data governance, AML compliance, and operational stability.

As Korea accelerates its broader digital-asset regulatory efforts, this incident highlights the urgent need to address Upbit internal control weakness through enforceable security standards, transparent governance, and strengthened regulatory accountability.

Read more: FSC Rejects Bank of Korea’s Stablecoin Emergency Powers