Image Credit: Shutterstock
Key Takeaways
- Bithumb was fined 210 million won for sharing user data with overseas platforms without proper consent under South Korea’s data protection law.
- The PIPC cleared rival exchange Upbit in a parallel investigation, finding its data transfer procedures compliant.
- New PIPC blockchain privacy guidelines warn firms to keep personal data off public ledgers and verify actual data destinations before any cross-border transfer.
South Korea’s data protection regulator fined crypto exchange Bithumb 210 million won (approximately $136,000) for sharing user data with overseas platforms without proper consent, following a multi-month investigation that began after questions were raised at a 2025 parliamentary audit. The Personal Information Protection Commission announced the penalty at its 12th plenary session on June 24 and issued a corrective order alongside new privacy guidance for the broader blockchain industry.
What the Investigation Found
The violations centered on Bithumb’s USDT market order book sharing between September and November 2025. The PIPC determined that Bithumb shared member IDs and order data with overseas platforms without meeting the consent and notice requirements under South Korea’s Personal Information Protection Act.
The clearest breach involved a destination mismatch. Bithumb told users their data would be transferred to Stellar, an Australian crypto exchange. Investigators found the information actually went to a platform operated by BingX, a separate entity. That discrepancy violated the act’s requirement that users receive accurate notice of where their personal data will be sent before any transfer takes place.
A second set of violations involved transfers to 13 other overseas exchanges. During those transactions, Bithumb shared customer names, wallet addresses, and in some cases dates of birth for anti-money laundering checks without obtaining complete consent under Korean law. The PIPC acknowledged that personal data may be required for AML purposes during virtual asset transfers but said that does not exempt exchanges from following consent procedures.
Bithumb’s Broader Regulatory Exposure
Bithumb is already carrying a separate, much larger penalty from earlier in 2026. South Korea’s Financial Intelligence Unit fined the exchange 36.8 billion won (approximately $24.6 million) in March for anti-money laundering and know-your-customer violations involving roughly 6.65 million individual compliance failures.
The PIPC investigated Upbit simultaneously over similar order book sharing practices. The commission cleared Upbit, finding its data transfer procedures complied with the Personal Information Protection Act, while determining Bithumb’s did not.
PIPC Tells Blockchain Firms to Keep Personal Data Off Public Ledgers
The PIPC released new privacy guidelines for blockchain firms alongside the Bithumb decision. The guidance addresses the tension between public ledger transparency and personal data protection obligations.
The core instruction is that firms should avoid recording personally identifiable information directly on public blockchains. Names, national identification numbers, and similar data should remain off-chain wherever technically feasible. For cross-border transfers, the commission said firms must verify the actual destination of user data rather than relying on intermediaries, and must disclose that destination to users before any transfer occurs.
The PIPC also said it will continue strict enforcement of the Personal Information Protection Act while working to set standards that balance data protection with the operational realities of blockchain services. Amendments to the act due to take effect in September 2026 would substantially increase maximum penalties, potentially reaching 10% of annual revenue for serious violations and introducing direct personal liability for executives.
