Korea opens sanctions case against Upbit over $36M hack delay
South Korea's FSS sent Dunamu a formal inspection letter over the $36M Upbit hack, but the law has no hacking penalty clause.

South Korea's Financial Supervisory Service has sent Dunamu, the operator of Upbit, an inspection opinion letter over the exchange's $36 million hack from last November. That letter, reported by Yonhap News on Sunday, formally opens a sanctions procedure and gives Dunamu a chance to respond before the FSS proposes penalties.
What the numbers show
The breach lasted about 54 minutes, starting at 4:42 a.m. KST on November 27. Upbit didn't announce it until the end of that day, after a Naver Financial merger event had concluded. Upbit says it froze roughly 2.3 billion won, about $1.5 million, of the stolen funds and is covering the rest of the $36 million loss from its own balance sheet. It's also built an "Onchain AI Tracer System" to trace and recover funds, and it migrated assets out of the affected wallets after overhauling its wallet architecture. None of that changes the core problem the FSS is now examining: Korea's Virtual Asset User Protection Act has no explicit sanctions clause for hacks or computer system failures. Officials say the gap will get patched in the second phase of the Digital Asset Basic Act, but that's a future fix, not a present one. Upbit is still Korea's third-largest exchange by CoinMarketCap's spot rankings, based on traffic, liquidity and volume.
Why the timing matters more than the hack
The real question here isn't whether Upbit got hacked. Exchanges get hacked. The question is whether Dunamu sat on the news for commercial reasons, and whether a regulator can actually punish that under current law. Delaying disclosure until a merger event wrapped up is the kind of decision that looks defensible internally and terrible externally, and it's the disclosure timing, not the exploit itself, that's driving the sanctions process. That's a governance failure, not a security one.
The awkward part for the FSS is that it may find real wrongdoing and still lack a clean legal hook to sanction it. A law built to protect users from exchange misconduct that has no line item for "your systems got breached and you delayed telling people" is a law written for a different kind of scandal. Korea's regulators are effectively litigating this case in the gap between the rule they have and the rule they wish they had. Whatever penalty lands, it will be shaped as much by legal improvisation as by the facts of the breach.
That matters beyond Korea. Regulators everywhere are writing crypto rules reactively, and hacks keep outrunning the statute books. A framework built around custody, disclosure and licensing doesn't automatically cover a 54-minute wallet exploit followed by a same-day cover-your-tracks announcement. If Korea's FSS ends up sanctioning Dunamu on adjacent grounds, like disclosure violations or operational negligence, rather than anything hack-specific, that's the tell that the legal architecture is behind the threat model.
What happens next
Watch whether the FSS's final sanctions, once issued, cite disclosure timing specifically or something broader like risk-management failures, since that framing will show how regulators plan to handle the next hack before the Digital Asset Basic Act's phase two closes the gap. Also watch whether that phase two draft actually includes hacking-specific penalties when it's published, or whether the promise slips again.
