Bithumb Hit With $136K Fine as South Korea Crypto Privacy Rules Get Teeth


South Korea’s push to regulate crypto user data just got sharper teeth. Bithumb, one of the country’s largest cryptocurrency exchanges, has been ordered to pay 210 million won (approximately $136,000) by the Personal Information Protection Commission after regulators found it had transferred user data overseas without meeting all the requirements under the Personal Information Protection Act. The fine comes with a corrective order — meaning Bithumb must overhaul how it handles cross-border data transfers before moving user information abroad again.

Key takeaways

  • Bithumb was fined 210 million won ($136,000) for breaching South Korea’s overseas personal information transfer rules.
  • The exchange shared its Tether USDT market order book with overseas exchanges between September and November 2025 without full user consent, sending data to BingX rather than the approved Stellar exchange.
  • Bithumb also transferred personal data — including names, wallet addresses, and dates of birth — to 13 overseas exchanges for AML compliance checks.
  • South Korean regulators had previously fined Bithumb 36.8 billion won for AML-related violations, making this the latest in a pattern of escalating enforcement.
  • The Personal Information Protection Commission simultaneously released new blockchain privacy guidelines urging firms to limit identifiable on-chain data from the outset of product design.

Bithumb Penalized for Violating Personal Data Transfer Rules

The decision followed the commission’s 12th plenary meeting on June 24. Regulators determined that Bithumb had moved personal information overseas on two separate fronts — through order-book sharing arrangements and through virtual asset transfers — without satisfying the consent and notice obligations mandated by South Korean law.

Beyond the financial penalty, the corrective order carries real operational weight. Bithumb must fix its overseas transfer procedures and make those processes clearly visible in its personal information processing policy. It is not just a fine for past conduct; it is a directive to restructure compliance going forward.

What the Breach Actually Involved

The case traces back to questions raised during a 2025 parliamentary audit about how Bithumb was sharing order-book data with overseas platforms. Order-book sharing is a common liquidity mechanism — it lets exchanges pool buy and sell orders so trades can match across different platforms. But when user identifiers and order data cross borders in the process, privacy law follows.

Regulators found that Bithumb shared its Tether USDT market order book with overseas exchanges from September to November 2025. The problem went deeper than the transfer itself: users had consented to data being sent to the Stellar exchange, but the data was actually routed to a system operated by bingx.com. The recipient did not match what users had approved.

That distinction matters. South Korean privacy law ties overseas data transfers closely to a user’s right to self-determination over their personal information. Consent given for one platform does not cover another, even if the stated purpose is identical.

Transfers to 13 Exchanges Added a Second Layer of Violations

Regulators also scrutinized Bithumb’s virtual asset transfer practices, uncovering a second category of breach. The exchange had provided sender and recipient data — including names, wallet addresses, and in at least one instance dates of birth — to 13 overseas exchanges as part of anti-money laundering checks.

The commission acknowledged that AML obligations during virtual asset transfers can legitimately require sharing certain personal information. But that necessity does not waive the procedural requirements. Firms still need to follow consent and notice procedures under the Personal Information Protection Act before sending data abroad, regardless of the compliance rationale behind the transfer.

The regulator’s framing was pointed: “The cross-border transfer of personal information is a matter closely related to the data subject’s right to self-determination.” That language signals that regulators are treating privacy rights and AML obligations as parallel requirements, not competing ones where AML takes precedence.

Why This Fine Matters More Than the Dollar Amount Suggests

At $136,000, the penalty is modest compared to Bithumb’s earlier regulatory troubles. South Korean authorities had previously fined the exchange 36.8 billion won — a much heavier blow — tied to AML failures involving customer checks, transaction monitoring, and transfers involving unregistered overseas virtual asset service providers.

But the significance of this latest action is less about the sum and more about what it signals. South Korea is now weaving data privacy enforcement directly into its crypto oversight framework, alongside AML and tax reporting obligations. Korean exchanges must simultaneously track user funds, screen overseas platforms for AML compliance, and protect personal information during every cross-border interaction. The regulatory surface area is expanding fast.

There is also a structural implication for how liquidity partnerships work in practice. The Bithumb case demonstrates that even routine order-book sharing arrangements can become privacy violations if user identifiers move across borders to a platform different from the one users consented to. Exchanges that rely on overseas liquidity partners now have a concrete precedent showing what that exposure looks like under South Korean law.

New Blockchain Privacy Guidelines Raise the Stakes Industry-Wide

The commission did not limit its June 24 session to the Bithumb penalty. Alongside the sanction, it released new guidelines for personal information protection in blockchain services — a move that extends the regulatory signal well beyond one exchange.

The guidelines address what regulators called the special privacy challenges of blockchain systems: transaction records that are transparent, distributed, and difficult or impossible to delete. Among the specific areas covered are controls over on-chain disclosures, risks from transaction tracking, data sharing among participants, and the destruction of personal information.

The commission’s central recommendation is that privacy protection should be built in from the planning stage — not retrofitted after deployment. That principle, sometimes called privacy by design, places the compliance burden on developers and operators before a blockchain product goes live rather than after a regulator comes knocking.

The watchdog added that it will continue responding strictly to violations of the Personal Information Protection Act while working to set standards that balance data protection with the responsible development of new technologies. For an industry that has historically treated on-chain transparency as a feature rather than a liability, that framing represents a meaningful shift in regulatory expectations.

South Korea is also moving on a broader international front. Plans to share crypto transaction data with 48 countries under the OECD Crypto-Asset Reporting Framework show that Korean authorities are building a coordinated, multi-layered oversight system — one where AML checks, tax reporting, and personal data protection increasingly operate as a single compliance challenge for any exchange with overseas connections.

FAQ

Why was Bithumb fined by South Korean regulators?

Bithumb was fined for breaching South Korea’s rules on overseas personal information transfer. The exchange shared user data — including order-book information and personal details — with overseas exchanges without obtaining proper user consent, violating the Personal Information Protection Act.

What data did Bithumb share overseas without full consent?

Bithumb shared its Tether USDT market order book with overseas exchanges between September and November 2025, and separately transferred personal user information — including names, wallet addresses, and dates of birth — to 13 overseas exchanges as part of AML compliance checks.

What corrective actions did the regulator require from Bithumb?

Bithumb was ordered to correct its overseas data transfer processes to meet the legal standards required before sending user data abroad. It must also clearly explain those transfer arrangements within its personal information processing policy.

What new guidelines did South Korea’s Personal Information Protection Commission release?

The commission released blockchain privacy guidelines emphasizing controls over on-chain information disclosures, risks from transaction tracking, data sharing among participants, and the challenges of deleting data on distributed ledgers. The guidelines call on firms to incorporate privacy protection from the earliest stages of blockchain service design — a privacy-by-design approach — rather than addressing it reactively after launch.

Article produced with the assistance of artificial intelligence and reviewed by the editorial team.
