TLDR
-
Bithumb fined 210 million won over overseas user data transfers.
-
PIPC says Bithumb sent data to a platform users had not approved.
-
The exchange must fix its cross-border personal data process.
-
Transfers to 13 foreign exchanges added further privacy breaches.
-
New blockchain privacy rules add pressure on South Korean exchanges.
South Korea’s privacy regulator fined Bithumb 210 million won for transferring user data overseas without proper consent. The penalty equals about $136,000 and includes a corrective order covering future cross-border transfers. The case expands regulatory pressure on the exchange beyond anti-money laundering controls.
Bithumb Order-Book Transfers Breached Consent Rules
The Personal Information Protection Commission approved the sanction during its plenary meeting on June 24. Its review covered order-book sharing and virtual asset transfers involving overseas platforms. The regulator found that Bithumb failed to meet requirements under South Korea’s privacy law.
The exchange shared its Tether market order book with foreign platforms between September and November 2025. Users had approved data transfers involving Stellar exchange, but another platform operated the receiving system. The commission identified that platform as BingX and found that the actual recipient differed from the approved party.
The transferred records included member numbers and order details linked to trading activity. Therefore, the regulator treated the arrangement as an overseas personal information transfer. Bithumb did not secure valid consent covering the platform that received the information.
Transfers to Overseas Exchanges Added Further Violations
The commission also examined virtual asset transfers between Bithumb and 13 foreign exchanges. Those transfers included sender and recipient names, wallet addresses, and some dates of birth. The exchange provided that information while conducting anti-money laundering checks.
The regulator accepted that exchanges may need personal data for compliance checks. However, companies must still follow consent and notice procedures before sending information abroad. Bithumb failed to complete those procedures for several overseas transfer arrangements.
The corrective order requires the exchange to revise its cross-border data process. It must verify recipients and obtain clear consent before making future transfers. Bithumb must also explain overseas transfers accurately within its personal information policy.
Privacy Rules Add to Wider Crypto Oversight
The decision follows earlier regulatory action against Bithumb over anti-money laundering failures. South Korean authorities previously imposed a 36.8 billion won penalty for customer and transaction control breaches. Those findings included transfers involving unregistered overseas virtual asset service providers.
South Korea has also widened scrutiny of overseas crypto activity through reporting and tax cooperation plans. Proposed rules could increase suspicious transaction reports connected to foreign transfers. Authorities also plan to share crypto transaction data under the OECD reporting framework.
Alongside the sanction, the commission released privacy guidelines for blockchain service providers. The guidance addresses public records, participant data sharing, tracking risks, and information deletion. It also advises companies against recording names and national identification numbers directly on blockchain networks.
The regulator expects blockchain firms to include privacy controls during product planning and system development. It also plans strict enforcement when companies breach personal information protection requirements. The Bithumb case places user consent beside AML and tax reporting within South Korea’s crypto oversight.
