South Korea's Financial Supervisory Service (FSS) recently sent an inspection opinion letter to Dunamu, the operator of Upbit, initiating enforcement proceedings approximately seven months after a hacking incident that resulted in the theft of 44.5 billion won in virtual assets. The hack occurred on November 27 when approximately 100 billion Solana-network coins valued at 44.5 billion won were transferred to external wallets during a 54-minute window from 4:42 AM to 5:36 AM. The FSS action follows criticism of Dunamu's delayed disclosure—the company announced the breach only after a merger event with Naver Financial concluded on the day of the incident—and addresses potential violations of the Virtual Asset User Protection Act, though current law lacks direct sanctions for hacking and system failures.
The hacking incident at Upbit, South Korea's largest virtual asset exchange, took place on November 27 from 4:42 AM to 5:36 AM, during which approximately 100 billion Solana-network coins valued at 44.5 billion won were transferred to external wallets. Dunamu disclosed the breach only after the conclusion of a merger event with Naver Financial on the same day, drawing criticism for delayed notification to users and regulators.
Of the 44.5 billion won in stolen assets, Dunamu froze and initiated recovery procedures for 2.6 billion won. The company fully compensated user losses totaling 38.6 billion won using Upbit's own assets, according to financial authorities and industry sources.
The FSS will proceed with an explanation procedure before sending a sanction opinion letter to Dunamu that specifies the level of penalties. Final sanctions will be determined through reviews by the Sanction Review Committee, the Securities and Futures Commission, and the Financial Services Commission. FSS Governor Lee Chan-jin stated at a press conference at the end of last year that while there are "relative limitations" in sanction authority, "this is not something that will simply be overlooked."
The Virtual Asset User Protection Act focuses primarily on user protection and unfair trading practices and does not contain direct sanctions for hacking or system failures. Authorities plan to include hacking and system failure sanctions and compensation provisions in the second-stage virtual asset legislation (Digital Asset Basic Act).
The FSS has also completed its inspection of Bithumb following an incident in which an employee mistakenly entered "Bitcoin" instead of "won" as the unit, resulting in the erroneous payment of 620,000 Bitcoin valued at 60 trillion won to 249 users. The FSS will initiate enforcement proceedings against Bithumb once legal review is completed.
Including the Dunamu and Bithumb cases, the top five virtual asset exchanges in South Korea self-reported a total of 57 hacking and system incidents over the six-year period from 2020 to April 2026. The breakdown by exchange is: Upbit 26 incidents, Bithumb 14 incidents, Gopax 8 incidents, Coinone 6 incidents, and Korbit 3 incidents.
What enforcement action did the FSS take against Dunamu after the Upbit hack?
The FSS sent an inspection opinion letter to Dunamu approximately seven months after the November 27 hacking incident, initiating enforcement proceedings. The FSS will send a sanction opinion letter after an explanation procedure, with final sanctions determined through reviews by the Sanction Review Committee, the Securities and Futures Commission, and the Financial Services Commission.
How much did Dunamu recover and compensate following the 44.5 billion won hack?
Dunamu froze and initiated recovery procedures for 2.6 billion won of the stolen assets. The company fully compensated user losses totaling 38.6 billion won using Upbit's own assets.
Why does the Virtual Asset User Protection Act have limited sanctions for hacking incidents?
The Virtual Asset User Protection Act focuses primarily on user protection and unfair trading practices and does not contain direct sanctions for hacking or system failures. Authorities plan to include hacking and system failure sanctions and compensation provisions in the second-stage virtual asset legislation (Digital Asset Basic Act).
Related News
South Korea Refers 30+ Crypto Unfair Trading Cases After 2-Year Crackdown
South Korea Plans Digital Asset Basic Law Enactment Within the Year
South Korea Raises Single-Stock Leveraged ETF Deposit to 30M Won
South Korea Stocks: Authorities Tighten Single-Stock Leveraged ETF Rules Amid Volatility
SBI Holdings Acquires Coinhako Majority Stake in Singapore Expansion