Bithumb has been fined $136,000 for illegally transferring user data to foreign exchanges.

South Korea's Personal Information Protection Commission (PIPC) has ruled against cryptocurrency exchange Bithumb, ordering it to pay a fine of 210 million won (equivalent to approximately $136,000). The sanctions were imposed for the illegal transfer of users' personal data to foreign companies without obtaining proper consent.
According to investigation materials, violations occurred between September and November 2025. Bithumb transmitted information from the order book for trading pairs with USDT. Notably, the exchange obtained client consent to transfer data to the Stellar platform, but actually sent it to another exchange operated by BingX.
Additionally, the regulator identified violations in cross-border transfers to 13 other foreign exchanges. Bithumb transmitted users' names, dates of birth, and cryptocurrency wallet addresses without obtaining full and explicit consent. The commission demanded that the exchange immediately rectify its data transfer protocols, emphasizing that cross-border movement of personal information requires strict compliance with the law and protection of data subjects' rights.
New Rules for Blockchain Companies
Simultaneously, the PIPC issued special guidelines for blockchain companies. The document takes into account the specifics of the technology: transparency and the impossibility of deleting records. The regulator strongly recommended not to include on-chain data that could identify individuals, such as names or social security numbers.
This case is part of a broader trend of tightening regulation in South Korea. Notably, on June 11, the PIPC imposed a record fine of 624.6 billion won on technology giant Coupang following a massive data leak.
My analysis: This precedent is a serious signal for the entire crypto industry. Bithumb, one of Korea's largest exchanges, was penalized not for a hack, but for violating consent procedures. This shows that regulators will pursue any vulnerabilities in the data processing chain, especially when dealing with foreign counterparties. For crypto exchanges, this means the need for a full audit of all data transfer agreements and the implementation of "consent-by-default" mechanisms for each jurisdiction.