South Korea's top financial watchdog has begun formal sanctions proceedings against Dunamu, the operator of crypto exchange Upbit, over a $36 million wallet breach that exposed gaps in the country's digital asset law.
South Korea's Financial Supervisory Service sent an inspection opinion letter to Dunamu, initiating sanctions over a $36 million hot wallet hack in November 2025, Yonhap News reported Sunday. The letter marks the formal start of a sanctions procedure and gives Dunamu an opportunity to respond before the regulator notifies the company of its proposed penalties.
"The inspection opinion letter is the first step in a formal sanctions process," a person familiar with the matter told Yonhap News. The FSS is reviewing whether Dunamu violated the Virtual Asset User Protection Act, which governs digital asset platforms in South Korea.
The breach lasted 54 minutes starting at 4:42 a.m. KST on Nov. 27, 2025, but Upbit delayed its public disclosure until after a merger-related event with internet giant Naver Financial concluded that day. The exchange later reimbursed affected customers using its own balance sheet and launched an onchain tracking system for fund recovery.
The case tests the limits of South Korea's Virtual Asset User Protection Act, which lacks explicit sanctions provisions for hacking or computer system failures. Authorities plan to address the gap in the second phase of the Digital Asset Basic Act, adding sanctions and compensation provisions for cyberattacks.
The FSS spent seven months investigating the breach before issuing the opinion letter. A sanctions review committee will weigh the findings, followed by the Securities and Futures Commission and the Financial Services Commission, before any penalties are imposed.
This isn't the first regulatory action against Dunamu. The company was already facing a proposed 35.2 billion won ($25 million) fine for anti-money laundering violations uncovered separately from the hacking investigation. Regulators imposed a suspension on new customer transfers in February 2025, though a court partially overturned that suspension in April 2026.
Legal gray zone leaves sanctions uncertain
The Virtual Asset User Protection Act gives regulators powers over custody, unfair trading and customer protection, but does not set direct penalties for hacking or computer system failures. That ambiguity leaves the scope of potential penalties wide open.
If regulators successfully impose meaningful sanctions under a statute that doesn't explicitly address hacking, it would signal that South Korean authorities intend to interpret their powers broadly. Conversely, if the legal ambiguity limits the FSS's ability to act, it could expose a significant gap in the country's crypto regulatory framework — one that affects all exchanges operating in the jurisdiction.
Upbit's response and market position
Upbit froze approximately 2.3 billion won ($1.5 million) worth of funds after the exploit and overhauled its wallet architecture, migrating all assets from affected wallets. In December 2025, the exchange developed an automatic onchain tracking service, the Onchain AI Tracer System, to track stolen funds and aid recovery efforts.
Upbit ranks third in CoinMarketCap's crypto spot exchange rankings by traffic, liquidity and trading volumes. The sanctions process comes as Dunamu works through a planned share swap with Naver Financial, with completion delayed to Dec. 31 pending several outstanding regulatory approvals.
This article is for informational purposes only and does not constitute investment advice.