Crypto

South Korean Regulator Targets Upbit Operator Dunamu Over $36 Million Hack

South Korea's FSS issues an inspection opinion letter to Dunamu as regulators look to close legislative gaps around exchange exploits.

South Korea’s financial watchdog is taking formal steps toward penalizing Dunamu, the parent company of major cryptocurrency exchange Upbit, following a devastating $36 million security exploit in late 2025. The move highlights growing regulatory scrutiny over how digital asset platforms manage security breaches and communicate risks to the public.

According to a report from local news outlet Yonhap News on Sunday, the Financial Supervisory Service (FSS) recently delivered an inspection opinion letter to Dunamu. In the South Korean regulatory framework, the issuance of an inspection opinion letter serves as the official opening salvo in a sanctions procedure. The document outlines the regulator’s preliminary findings and provides the targeted company with a formal window to respond before any official penalties or sanctions are finalized and levied.

The regulatory action stems from a security breach that occurred on November 27, 2025. The exploit itself was brief but highly damaging, lasting just 54 minutes after beginning at 4:42 a.m. KST. However, the core of the regulatory friction lies not just in the security failure itself, but in how Upbit handled the aftermath. Critics and regulators have pointed to a significant delay in the exchange’s public disclosure of the incident. While the hack occurred in the early morning hours, Upbit did not officially announce the breach until the end of the day—a delay that coincided with the conclusion of a high-profile, merger-related corporate event involving South Korean internet giant Naver Financial.

The FSS is currently investigating whether Upbit violated the country’s landmark Virtual Asset User Protection Act, which went into effect to establish basic standards for investor safety and asset custody. However, the regulator faces a complex legal hurdle: the current iteration of the Virtual Asset User Protection Act does not contain direct sanctions provisions specifically addressing cyberattacks or external computer hacks. Instead, the law primarily focuses on capital reserve requirements, the segregation of user funds, and unfair trading practices.

To close this regulatory loophole, South Korean authorities are reportedly planning to introduce robust sanctions and clear compensation guidelines for hacking incidents and systemic computer failures. These updates are slated to be integrated into the upcoming second phase of the Digital Asset Basic Act, a comprehensive legislative framework designed to establish deeper oversight of the domestic digital asset market.

Despite the regulatory pressure, Upbit has taken several proactive measures to mitigate the damage and protect its user base. Following the November exploit, the exchange successfully froze approximately 2.3 billion won (worth roughly $1.5 million) in stolen funds. Furthermore, Upbit committed to fully reimbursing all affected customers using assets from its own corporate balance sheet, ensuring that user balances remained unaffected by the breach.

To prevent future exploits, Upbit initiated a comprehensive overhaul of its cryptocurrency wallet architecture, migrating all digital assets away from the compromised wallet infrastructure to secure, newly designed addresses. Additionally, in December 2025, the exchange announced the deployment of the Onchain AI Tracer System, an internally developed, automated blockchain tracking tool designed to monitor the movement of the stolen funds in real-time and assist law enforcement in recovery efforts.

As the third-largest cryptocurrency spot exchange globally according to CoinMarketCap’s rankings—which evaluate platforms based on web traffic, liquidity, and overall trading volumes—Upbit’s regulatory challenges carry significant weight for both the domestic South Korean market and the broader global digital asset ecosystem.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button