Upbit hacker slips through Railgun checks to mix stolen funds after $36M exploit

The Upbit hacker may be using Railgun to mix funds. Despite the mixer’s checks, the hacker addresses were not flagged, and the transactions were allowed to continue. 

On-chain analysis showed addresses linked to the Upbit hack used the Railgun mixer. The mixer performs a zero-knowledge check for the origin of funds. This time, however, the check did not prevent the funds from being mixed. 

Upbit was hacked for over $36M, with over $30M in Solana assets. The multi-chain attack led to immediate swaps and movements of funds between wallets. 

The hacker sold most assets almost immediately, especially Solana-based tokens. On-chain investigator @dethective noted the selling had an effect on decentralized market volumes. The day after the hack, the exploiter’s wallets swapped Solana tokens into SOL. After that, the SOL was traded for USDC, and the stablecoins were bridged to Ethereum for mixing. 

In total, the hacker held over 533 ETH after fees, valued at around $1.6M. The shift to Ethereum and subsequent mixing is a pattern usually ascribed to North Korean hackers. 

Upbit also added new information on its hack. According to a statement from the exchange, the exploit may be due to a flaw in the exchange’s internal system, which has been patched. Upbit stated that the hacker may have inferred private keys from publicly available hot wallets due to predictable key hashing and weak cryptography.

Railgun lacked the latest information on the hackers’ wallets

Railgun’s approach is to test each user’s wallets against constantly updated databases for bad actors. In this case, the hacker’s full list of addresses was very recent. Additionally, the exploit went through multiple direct DEX swaps and some of the funds were shifted to new wallets. The data available to Railgun was therefore outdated, and the hacker’s latest wallet passed the test. 

The last intercepted wallet laundered a total of 410 ETH. The new address was created just hours after the hack, and briefly used as an intermediary. The rapid change in wallets additionally avoided Railgun’s filters.  

Railgun used for DeFi activity

Railgun gained popularity during the recent revival of the privacy narrative. Railgun grew its asset pool, with $95M in value locked as of November 2025. The increased value signals a growing interest, as the mixer achieved $1.31M in fees for Q3. 

The usage of mixers grew in the past year. Tornado Cash, previously seeing only baseline activity, increased its value locked to a new peak. The mixer holds over 32K ETH, following multiple high-profile exploits. 

The native RAIL token also rose by over 200% for the past three months, trading at $3.26. Railgun reflected the success of ZCash and other privacy tokens, while also being promoted by Vitalik Buterin. 

Railgun is not a go-to tool for hackers and exploiters. Rather, it has been a general privacy tool for regular transactions. Crypto influencers and high-profile individuals aim for privacy, as even transaction data can lead to tracking or even price swings. 

However, Railgun usage can also be tracked. Additionally, hacker addresses can use tools to test which wallets would be flagged by Railgun. This would allow hackers to keep hiding the proceeds of exploits, most of which are untraceable. 

If you're reading this, you’re already ahead. Stay there with our newsletter.