South Korea's Financial Supervisory Service has sent an inspection opinion letter to Dunamu, the operator of the country's dominant crypto exchange Upbit, according to Cointelegraph. The letter is the formal start of a sanctions procedure over a hack that took place last November.

The distinction matters and is easy to lose. This is the opening of a process, not a penalty. The letter gives Dunamu the opportunity to respond to the regulator's findings and contest them before any proposed sanction is set. No fine has been announced and none may be.

What happened in November

The breach occurred on November 27, 2025. Attackers drained roughly $36 million from one of Upbit's hot wallets, the internet-connected wallets exchanges use to process withdrawals, over a window of about 54 minutes beginning at 4:42 a.m. Korean time.

The distinction between hot and cold storage is central to how these incidents happen. Cold wallets are kept offline and are effectively unreachable remotely, but funds in them cannot be moved quickly. Hot wallets are online so customers can withdraw on demand, which is exactly what makes them the target. Every exchange runs a balance between the two, and that balance is what regulators scrutinise after a theft.

Upbit reimbursed affected customers in full from its own balance sheet, froze roughly 2.3 billion won, about $1.5 million, of the stolen funds, upgraded its wallet architecture and launched an on-chain tracing system in December to follow the money.

The disclosure timing drew the criticism

The part that attracted the most scrutiny was not the theft but the announcement. Upbit disclosed the hack at the end of the day, after a Naver Financial merger event had concluded.

That sequencing is the kind of thing regulators tend to take seriously, independently of the security failure itself. A listed or soon-to-be-consolidated financial firm choosing when to reveal a material incident touches disclosure obligations rather than cybersecurity rules, and it is often the easier thing for an authority to act on.

The regulator has a legal problem

There is an awkwardness at the centre of this case. Korea's Virtual Asset User Protection Act, the law that brought exchanges under supervision, contains no direct sanctions provisions for cyberattacks or hacks.

That leaves the FSS working through adjacent obligations, such as internal controls, risk management and disclosure, rather than a rule that says an exchange is liable for being breached. Korean authorities plan to address the gap in a second phase of the Digital Asset Basic Act.

This is not unique to Korea. Most crypto regulation written in the past few years focused on the failures regulators had already seen, meaning custody of customer assets, reserve backing and market conduct. Theft by external attackers sits awkwardly in that framework, because the exchange is simultaneously the victim and the party with the duty to prevent it.

Why Upbit specifically matters

Upbit is not a marginal venue. It ranks third among crypto spot exchanges globally by trading volume, and it dominates its home market, which is one of the most retail-heavy crypto markets in the world.

That concentration is the systemic argument for tighter supervision. In a market where a single exchange handles a large share of national trading, an outage, insolvency or successful attack is not an isolated commercial failure but an event affecting a substantial share of the country's retail investors at once.

It also explains why the process now beginning is worth watching beyond Korea. Regulators elsewhere are wrestling with the same question: what an exchange owes its customers when it is robbed, and whether reimbursing them in full, as Upbit did, is a mitigating factor or simply the baseline expectation.