VT-014 Crypto exchange · South Korea 2017

YouBit — Hacked Twice, Bankrupt by Design, Users Paid Seventy-Five Cents on the Dollar

Platform: YouBit (fmr. Yapizon)
Est. Losses: ~$21M combined (two hacks)
Users Affected: Thousands of Korean retail users
Status: Bankrupt

Summary

YouBit, a South Korean cryptocurrency exchange formerly operating under the name Yapizon, collapsed into bankruptcy on December 19, 2017, after sustaining two separate intrusions in the same calendar year that together stripped approximately 21 percent of its total assets. The April 2017 hack cost the exchange 3,816 bitcoin, valued at approximately $5 million at the time. The December 2017 hack — attributed by South Korean intelligence and independent security researchers to the North Korean state-linked Lazarus Group — removed a further 17 percent of remaining assets, estimated at between $7 million and $16 million in contemporary reporting. Upon filing for bankruptcy, the exchange's parent company, Yapian, announced that users would receive an immediate payment equivalent to 75 percent of their holdings, with the balance subject to the bankruptcy process.

That 25 percent haircut, imposed unilaterally at the moment of failure, was not the end of the controversy. Yapian had obtained a cyber insurance policy from DB Insurance just 20 days before declaring bankruptcy. DB Insurance denied the claim, asserting that Yapian had violated its advance notice obligation — the standard requirement for policyholders to disclose material information that would affect the policy before purchasing it. The insurer's denial was based on the inference that Yapian had known of existing vulnerabilities or risks at the time it took out coverage. Critics argued the insurance was obtained specifically to limit the operator's financial exposure at bankruptcy, a charge Yapian denied.

The exchange briefly re-emerged in 2018 under the CoinBin brand following an acquisition, but that entity also collapsed in February 2019 after its CEO disclosed that a former YouBit executive — identified as a general manager named Lee — had embezzled company funds and deleted private keys controlling wallets holding approximately 100 ETH. Total losses at CoinBin's bankruptcy were placed at $26 million. No criminal conviction of exchange operators in connection with the YouBit bankruptcy proceedings specifically has been confirmed in publicly available reporting; the CoinBin case generated separate embezzlement allegations against the named employee.

Timeline

~2016
Yapizon launches
South Korean cryptocurrency exchange Yapizon opens for trading, offering Bitcoin and altcoin pairs to domestic retail users.
April 22, 2017
First hack
Intruders breach Yapizon's hot wallet systems and remove 3,816 BTC, valued at approximately $5 million at the time. South Korean cybersecurity authorities and US firm AlienVault later attribute the attack to BlueNoroff, the financially motivated sub-unit of North Korea's Lazarus Group.
May 2017
Rebrand to YouBit
Following the April intrusion, Yapizon rebrands as YouBit, a move widely interpreted as an attempt to distance the platform's public identity from the hacked Yapizon name.
December 19, 2017
Second hack
Intruders breach YouBit's systems again, removing an amount equivalent to 17 percent of the exchange's total cryptocurrency holdings. Yapian places this loss at 17.2 billion won (approximately $16 million at then-current rates). BlueNoroff is again suspected.
December 19, 2017
Bankruptcy filed
Within hours of the second hack, Yapian — YouBit's parent operator — files for bankruptcy under South Korean law. The exchange announces that users will receive 75 percent of their holdings immediately, with the remaining 25 percent subject to the bankruptcy resolution process.
Late November / Early December 2017
Insurance policy obtained
Twenty days before the bankruptcy filing, Yapian purchases a DB Cyber Comprehensive Liability Insurance policy from DB Insurance, one of South Korea's largest property-and-casualty insurers.
January–February 2018
Insurance claim denied
DB Insurance rejects Yapian's claim of KRW 3 billion (~$2.65 million), asserting that Yapian violated its advance notice obligation by failing to disclose material information about the exchange's security posture before purchasing the policy. Yapian disputes the denial.
2018
CoinBin acquires YouBit
A new entity, CoinBin, acquires the YouBit exchange and relaunches operations in South Korea. The former YouBit executive known as Lee remains involved in a managerial capacity, with oversight of coin deposit and withdrawal systems.
October 21, 2018
Internal key deletion
CoinBin's general manager Lee, former YouBit CEO, deletes the private keys for wallets holding approximately 520 BTC (~KRW 2.2 billion) and fails to disclose access to a wallet containing 101.26 ETH. CoinBin later identifies the total missing amount as 29.3 billion won (~$26 million).
February 20, 2019
CoinBin files for bankruptcy
CEO Park Chan-kyu announces the bankruptcy, citing Lee's embezzlement as the cause. The collapse of the CoinBin successor brings total aggregate losses from the YouBit/CoinBin enterprise over two years to figures well above any single-event estimate.

From Yapizon to YouBit: A Platform Built on Concealed Damage

The exchange that became YouBit entered 2017 as a functioning but undistinguished South Korean retail trading platform. The April 2017 breach was not small: 3,816 bitcoin represented a significant fraction of a mid-tier exchange's total holdings. Yapizon's management chose not to close the exchange or return funds to users proportionally — instead, it continued operating while the platform absorbed the loss. The rebrand to YouBit followed shortly after, resetting the public-facing identity without any corresponding reset of the underlying financial damage.

This operational continuity after a major hack is significant. Users who deposited funds into YouBit after May 2017 did so on a platform that had already been materially compromised and had not publicly accounted for the full extent of that compromise. The balance-sheet effect of absorbing a 3,816-bitcoin loss while continuing normal operations depended on the exchange holding reserves adequate to cover both its outstanding user liabilities and the new deficit — a condition that would have required independent verification to confirm and that no regulatory authority required YouBit to demonstrate.

South Korean cybersecurity investigators and the US firm AlienVault attributed the April attack to BlueNoroff, the revenue-generating division of North Korea's Lazarus Group. BlueNoroff's targeting of South Korean cryptocurrency exchanges in 2017 was part of a documented campaign that included attacks on multiple platforms in the same year. The attribution was stated with high confidence by South Korean intelligence services. The December attack on YouBit drew the same attribution.

The Mechanics of Strategic Bankruptcy

When the December 2017 hack struck, YouBit and its parent Yapian made two decisions in rapid sequence: file for bankruptcy and cap immediate user payouts at 75 percent of holdings. The framing — that bankruptcy was the only available response to a 17-percent asset loss — was contested from the start. A 17-percent loss is material but not arithmetically insurmountable for an exchange with adequate reserves; the decision to treat it as a terminal event raised questions about the platform's actual financial cushion before the hack.

The bankruptcy filing's timing produced a specific legal outcome: it converted what would have been an exchange's obligation to make users whole into a proportional bankruptcy claim, immediately reducing every depositor's position by 25 percent. The remaining 25 percent was subordinated to the bankruptcy process, with no certainty of recovery or timeline. Critics characterised this sequence as converting a platform's liability into a court-managed partial payment schedule — a characterisation the operator denied.

The insurance policy obtained 20 days before the filing added a second layer of scrutiny. Obtaining comprehensive cyber liability coverage on the eve of a bankruptcy triggered by a cyber event is a pattern that insurers explicitly guard against through advance notice obligations. DB Insurance's denial on those grounds — rather than on the substance of whether a hack occurred — reflected the insurer's assessment that material information had been withheld at policy inception. Whether that withholding was deliberate or procedural was not resolved publicly. The effect was that the insurance mechanism, ostensibly available to contribute to user recovery, produced nothing.

CoinBin and the Successor Collapse

The YouBit story did not end with the December 2017 bankruptcy. In 2018, a new entity named CoinBin acquired the exchange and returned it to operation. The acquisition placed a former YouBit executive — identified in CoinBin's bankruptcy announcement as general manager Lee, previously YouBit's CEO — in operational authority over coin balances and withdrawal systems.

In October 2018, Lee deleted the private keys to wallets holding 520 BTC and obscured access to a wallet containing 101.26 ETH, according to CoinBin's CEO Park Chan-kyu. CoinBin announced total missing funds of KRW 29.3 billion ($26 million) and filed for bankruptcy in February 2019. Whether the losses were entirely attributable to October 2018 events or reflected accumulated undisclosed deficits from the YouBit period was not clarified in public statements.

The CoinBin collapse extended user losses into a second cycle. The sequence — April 2017 hack, rebrand, December 2017 hack, bankruptcy, acquisition, 2019 successor collapse — produced compounding losses across two and a half years, with each stage reducing recovery prospects for those who remained.

The Five Factors

01
Operational continuity after a material compromise
After losing 3,816 bitcoin in April 2017, Yapizon/YouBit continued accepting deposits and operating normally for eight months without any public accounting of how the loss affected its reserve position. This is the core custody failure: users who deposited after April 2017 placed funds on a platform whose actual balance sheet had been materially altered, with no regulatory requirement to disclose that change.
02
Bankruptcy as liability-conversion mechanism
Filing for bankruptcy in response to a 17-percent asset loss — rather than attempting operational resolution — converted user claims from exchange obligations into bankruptcy-proceeding receivables, immediately imposing a 25-percent haircut. The legal mechanism available to legitimate insolvent businesses can function as a loss-limitation tool when deployed by custodial platforms against their own depositors; the distinction between genuine insolvency and strategic insolvency is difficult to establish without independent pre-bankruptcy audits.
03
Pre-bankruptcy insurance acquisition
Purchasing a cyber insurance policy within three weeks of a bankruptcy filing triggered by a cyber event signals a level of advance knowledge about the pending loss that violates standard insurance disclosure requirements. Whether the policy was obtained to limit operator losses, to provide a recovery mechanism, or simply as a belated compliance measure was never established. The insurer's denial on advance-notice grounds effectively placed the liability back on users.
04
Successor entity risk inheritance
CoinBin's acquisition of YouBit transferred not only the platform's assets but also its personnel, including executives whose tenure at the failing entity should have invited heightened scrutiny. Placing a former YouBit CEO in charge of coin balances and withdrawal systems at the successor exchange created the conditions for the 2019 CoinBin collapse. Acquisitions of failed exchanges carry embedded risks that are not resolved by rebranding.
05
State-actor threat unaddressed by industry structure
The attribution of both YouBit hacks to the North Korean Lazarus Group places this case in a distinct risk category: exchange operators defending against nation-state adversaries face a threat level that retail-grade security infrastructure cannot reliably address. South Korean exchanges in 2017 operated without mandatory security standards, independent security audits, or regulatory requirements for cold storage ratios — leaving them structurally vulnerable to adversaries far better resourced than typical criminal hackers.

Aftermath

The YouBit bankruptcy in December 2017 was the first declared bankruptcy of a cryptocurrency exchange in South Korea. Korean courts processed the Yapian proceeding, but no criminal conviction of the exchange's operators in connection with the bankruptcy has been confirmed in available public reporting. The DB Insurance dispute added civil litigation without producing documented user compensation.

The CoinBin collapse in February 2019 generated embezzlement allegations against the former YouBit executive identified as Lee. Whether criminal charges were filed and prosecuted was not confirmed in available reporting at the time of this dossier.

The YouBit case contributed directly to South Korean regulatory reform. The Korean government subsequently implemented a licensing framework for virtual asset service providers and required exchanges to maintain substantial fractions of user funds in cold storage — controls that were not in force at the time of either hack.

Lessons

  1. An exchange that absorbs a significant hack and continues operating without publicly accounting for its reserve position is presenting users with a misleading picture of its financial stability; depositors who add funds after a disclosed or undisclosed loss are assuming risks they cannot quantify.
  2. Bankruptcy as a response to an asset loss should be evaluated against the operator's pre-event reserve position; an exchange with adequate reserves should be able to absorb losses short of total asset value, and a filing that immediately imposes a haircut on all users warrants scrutiny of what that reserve position actually was.
  3. Obtaining comprehensive liability insurance within days or weeks of a bankruptcy filing, where the bankruptcy is attributed to the exact insured risk, is a pattern that regulators and forensic accountants should treat as a material discrepancy requiring investigation.
  4. Regulatory requirements for mandatory cold storage ratios, independent security audits, and capital adequacy testing are the operational controls that distinguish exchanges capable of absorbing intrusions from those that collapse at the first or second significant loss.
  5. Rebranding a failed or hacked exchange and continuing operations without a full independent audit of the platform's financial and security posture transfers the predecessor entity's risks to new depositors who have no means of assessing them.
