South Korean regulator penalizes Bithumb for data leak: $136,000 fine and new rules for crypto exchanges
South Korea's Personal Information Protection Commission (PIPC) has imposed a fine of 210 million won, equivalent to approximately $136,000, on the cryptocurrency exchange Bithumb. The reason is the illegal transfer of users' personal data to overseas platforms without obtaining proper consent.
My analysis shows that this is not just a routine violation, but a systemic problem in data processing procedures. The leak occurred between September and November 2025, when Bithumb transmitted order books for the Tether (USDT) trading pair abroad. The regulator determined that the exchange violated the established protocol for cross-border information transfer, which is a serious signal for the entire industry.
Two key violations in the Bithumb case
First violation: Bithumb obtained user consent to transfer data to the Stellar exchange, but the information was actually sent to a platform operated by BingX. Thus, the final recipient did not match the one for which users had given permission.
Second violation: when conducting transfers with 13 foreign exchanges, Bithumb transmitted users' names, wallet addresses, and dates of birth without obtaining their full and informed consent.
The PIPC did not limit itself to a fine: the regulator ordered Bithumb to completely review and correct its protocol for transferring data abroad. The commission's statement emphasizes that cross-border transfer of personal information is closely related to the human right to self-determination and requires strict compliance with the Personal Information Protection Act.
New regulatory direction for blockchain companies
Simultaneously with the decision on Bithumb, the PIPC published a separate information protection guide for blockchain companies. The document takes into account the technology's features — its transparency, distributed structure, and immutability of records.
Key requirement: information that can identify a person should not be recorded on the blockchain. The regulator classified, among others, names and social security numbers as such data. This is a direct indication that anonymity in public ledgers should be a priority.
Expert comment from Cryptalist: This decision is a precedent that will set the tone for the entire Asian crypto industry. South Korea is demonstrating that the era of irresponsible handling of user data is over. Exchanges that do not integrate strict consent and recipient verification mechanisms risk not only fines but also losing their licenses. The market is moving toward standards where data protection becomes as fundamental a requirement as liquidity.