[ Story · STORY ]

Korea opens sanctions case against Upbit over $36M hack delay

South Korea's FSS sent Dunamu a formal inspection letter over the $36M Upbit hack, but the law has no hacking penalty clause.

STORY·July 19, 2026·3 min read·By Gintautas Nekrosius
A single cracked shield outline on cream ground, one red fissure running through it, empty space above
A regulator with a letter but no rulebook for the crime it's investigating.

South Korea's Financial Supervisory Service has sent Dunamu, the operator of Upbit, an inspection opinion letter over the exchange's $36 million hack from last November. That letter, reported by Yonhap News on Sunday, formally opens a sanctions procedure and gives Dunamu a chance to respond before the FSS proposes penalties.

What the numbers show

The breach lasted about 54 minutes, starting at 4:42 a.m. KST on November 27. Upbit didn't announce it until the end of that day, after a Naver Financial merger event had concluded. Upbit says it froze roughly 2.3 billion won, about $1.5 million, of the stolen funds and is covering the rest of the $36 million loss from its own balance sheet. It's also built an "Onchain AI Tracer System" to trace and recover funds, and it migrated assets out of the affected wallets after overhauling its wallet architecture. None of that changes the core problem the FSS is now examining: Korea's Virtual Asset User Protection Act has no explicit sanctions clause for hacks or computer system failures. Officials say the gap will get patched in the second phase of the Digital Asset Basic Act, but that's a future fix, not a present one. Upbit is still Korea's third-largest exchange by CoinMarketCap's spot rankings, based on traffic, liquidity and volume.

Why the timing matters more than the hack

The real question here isn't whether Upbit got hacked. Exchanges get hacked. The question is whether Dunamu sat on the news for commercial reasons, and whether a regulator can actually punish that under current law. Delaying disclosure until a merger event wrapped up is the kind of decision that looks defensible internally and terrible externally, and it's the disclosure timing, not the exploit itself, that's driving the sanctions process. That's a governance failure, not a security one.

The awkward part for the FSS is that it may find real wrongdoing and still lack a clean legal hook to sanction it. A law built to protect users from exchange misconduct that has no line item for "your systems got breached and you delayed telling people" is a law written for a different kind of scandal. Korea's regulators are effectively litigating this case in the gap between the rule they have and the rule they wish they had. Whatever penalty lands, it will be shaped as much by legal improvisation as by the facts of the breach.

That matters beyond Korea. Regulators everywhere are writing crypto rules reactively, and hacks keep outrunning the statute books. A framework built around custody, disclosure and licensing doesn't automatically cover a 54-minute wallet exploit followed by a same-day cover-your-tracks announcement. If Korea's FSS ends up sanctioning Dunamu on adjacent grounds, like disclosure violations or operational negligence, rather than anything hack-specific, that's the tell that the legal architecture is behind the threat model.

What happens next

Watch whether the FSS's final sanctions, once issued, cite disclosure timing specifically or something broader like risk-management failures, since that framing will show how regulators plan to handle the next hack before the Digital Asset Basic Act's phase two closes the gap. Also watch whether that phase two draft actually includes hacking-specific penalties when it's published, or whether the promise slips again.

Gintautas Nekrosius is the founder and editor of Stack and Story. He spent more than a decade in technology and crypto, including senior marketing roles at companies in the Animoca Brands and NordVPN groups, and worked on token launches and go-to-market from the inside. He started Stack and Story to write the independent read he could not find: crypto and markets explained plainly, by someone who has seen how the machine works. The publication holds no tokens and takes no trades.

DisclosureStack and Story holds no position in the assets discussed and earns nothing from their movement. This is analysis, not financial advice. Do your own research.

Understand crypto. Decide for yourself.

The numbers that moved, and the reason they did, every Sunday, free.

Free · Independent · Unsubscribe anytime · Privacy