
Korean scrutiny intensifies over Binance role in the Upbit hack fund freeze

2025/12/12 15:59

South Korean regulators and analysts are dissecting Binance reaction to the Upbit hack as they hunt for better global protections against fast-moving crypto thefts.

Binance froze only a fraction of Upbit hack funds

According to investigators, only 17% of the assets flagged for freezing by Upbit and police were actually locked down, local media reported on Friday. Moreover, security analysts said the hacking group executed an elaborate laundering strategy on the morning of November 27, rapidly scattering the stolen assets through more than a thousand wallets.

The attackers repeatedly broke the funds into smaller portions and moved them through multiple chains. They also relied on token bridges and swaps to obscure their on-chain trail. However, authorities said most of the laundered assets eventually landed in service wallets on Binance, underscoring the pivotal role of large centralized exchanges in incident response.

Upbit and police requested an immediate freeze on roughly 470 million won (about $370,000) worth of Solana confirmed to have reached the exchange. That said, Binance froze only 80 million won (about $75,000), saying it required additional verification before imposing wider restrictions on the funds.

The limited action was confirmed around midnight on the day of the incident, approximately 15 hours after the original request. When questioned by Korean broadcaster KBS about the narrow scope and delay in the freeze, Binance declined to address specifics, citing its policy on active investigations. The company said only that it “continues to cooperate with the relevant authorities and partners in accordance with appropriate procedures,” a statement that left many details unanswered.

Experts call for faster, coordinated global freeze mechanisms

That explanation has not satisfied several experts in South Korea. Cho Jae-woo, director of Hansung University’s Blockchain Research Institute, argued that rapid intervention is essential to minimize user losses in attacks of this scale. To prevent damage from hacking, he said, a swift initial freeze is vital, yet exchanges often cite litigation risks as a reason for hesitating.

Moreover, Cho suggested that the industry should explore establishing a global emergency hotline between exchanges or a coordinated body empowered to impose immediate freezes in crisis situations. In this context, he said a more standardized freeze response at Binance and similar protocols at other platforms could significantly limit the damage from future cross-chain exploits.

Investigators say most of the stolen assets have since been converted from Solana to Ethereum. According to their analysis, this shift was likely aimed at improving liquidity, given Ethereum’s deeper markets and the broader availability of trading venues for the asset.

Railgun privacy tools and laundering across chains

On-chain analysts tracking the Upbit hack have highlighted the use of Railgun, a privacy-focused smart contract system. One widely shared post noted that “The Upbit hacker is laundering funds through Railgun and has passed their ‘ZK proof of innocence’” and described the mechanism as an automated system that checks whether an address belongs to a good actor using multiple forensic data providers.

However, the same commentary added that users can rely on Railgun’s explorer to verify addresses, illustrating how privacy tools, zero-knowledge proofs and compliance layers can coexist in a complex way. That said, the incident also underscores how laundering through Railgun and similar tools can complicate enforcement when funds move rapidly between chains and mixers.

Security researchers say the hackers’ tactics, including laundering across chains, token swaps, and bridge hops, made timely freezing even more critical. Moreover, they argue that without better coordination among major exchanges, tracking stolen Solana funds after they hit high-liquidity hubs like Binance or other venues will remain challenging.

Upbit’s cold storage overhaul after 44.5 billion won theft

As previously reported, Upbit is shifting nearly all customer assets into cold storage after hackers stole 44.5 billion won (about $30 million) from its Solana hot wallet. The breach prompted one of the strongest security responses yet by a major exchange, with operator Dunamu accelerating a comprehensive custody overhaul.

Dunamu said the platform will raise its cold wallet ratio to 99% and reduce hot wallet exposure to effectively zero. Moreover, this goes far beyond South Korea’s legal requirement that 80% of user funds be stored offline, positioning Upbit’s model as one of the most conservative in the domestic market.

The exchange already held 98.33% of assets in cold storage at the end of October, the highest among local platforms. However, the breach pushed management to move even closer to a fully cold-based system. In practical terms, Upbit’s large move to cold storage is designed to sharply limit the amount of crypto accessible to online attackers at any given time.

Upbit hack investigations, Binance, and Lazarus Group suspicions

Meanwhile, South Korean authorities have launched a formal investigation into the Upbit exchange hack. Local reports have cited early intelligence assessments that allegedly connect the intrusion to North Korea’s Lazarus Group, a cybercrime organization already linked to several major crypto thefts in recent years.

However, officials have not yet released definitive public evidence supporting the Lazarus Group allegations. Investigators are continuing to track fund flows on Solana and Ethereum, including transfers through privacy tools, as they attempt to build a more complete picture of the operation and its ultimate beneficiaries.

In summary, the Upbit incident has exposed critical gaps in global exchange coordination, from delayed freezes to limited cross-chain monitoring. As regulators, exchanges and researchers study the fallout, pressure is mounting for more agile international mechanisms that can halt stolen funds in minutes, not hours, when the next large-scale crypto attack occurs.
