Bithumb fined $136,000: South Korean regulator reveals massive customer data leak

South Korea's Personal Information Protection Commission (PIPC) has imposed a fine of 210 million won (approximately $136,000) on the cryptocurrency exchange Bithumb. The reason is the illegal transfer of users' personal data to foreign companies without obtaining proper consent.
The regulator's investigation revealed that the violations occurred between September and November 2025. Bithumb transmitted order book information for USDT trading pairs to third parties. Particularly alarming was the fact that the exchange obtained client consent to transfer data to the Stellar platform, but actually sent it to a completely different platform, one operated by BingX.
But this is just the tip of the iceberg. The PIPC identified violations in data transfers to 13 other foreign exchanges. Bithumb transmitted users' names, dates of birth, and cryptocurrency wallet addresses without obtaining full and explicit consent for each such operation. The regulator emphasized that the cross-border movement of personal information requires the strictest compliance with the law and protection of data subjects' rights.
New Rules for the Blockchain Industry
In response to the incident, the Commission issued special guidelines for blockchain companies. The document takes into account a key feature of the technology: transparency and the impossibility of deleting records. The PIPC recommended that companies not record on-chain any data that could be used for personal identification, such as names or social security numbers.
This case is not an isolated one. Notably, on June 11, the PIPC had already imposed a record fine of 624.6 billion won on the technology giant Coupang following a massive data leak. The regulator is clearly tightening control.
My analysis: This precedent demonstrates that the South Korean regulator is focused on creating strict data protection standards in the crypto industry. For exchanges aiming for global expansion, this is a signal: relying on outdated consent protocols is no longer acceptable. Integrating KYC procedures with consideration of cross-border risks is becoming not just a recommendation, but a mandatory condition for survival in the market.