South Korea Fines Bithumb over Misrouted Overseas User Data

A regulatory probe revealed that Bithumb rerouted user data to BingX instead of the consented Stellar exchange, while also failing to secure explicit consent for AML-driven data transfers to 13 global platforms.

By Andrew Collins | Edited by Julia Sakovich

South Korea’s leading privacy watchdog, the Personal Information Protection Commission (PIPC), has hit major domestic cryptocurrency exchange Bithumb with a 210 million Korean won ($136,000) administrative penalty. The regulatory sanction follows a comprehensive investigation into how the platform managed sensitive user data during international liquidity and compliance operations.

The enforcement action resolves a probe that began during a 2025 parliamentary audit regarding the legality of local exchanges sharing order books internationally. According to the PIPC’s final determination, Bithumb committed two distinct violations of the country’s strict Personal Information Protection Act, infringing on its users’ right to informational self-determination.

Anatomy of the Data Violations

The financial penalty was split across two operational failures, highlighting a severe disconnect between Bithumb’s consumer-facing consent checkmarks and its actual back-end data routing infrastructure:

Order Book Diversion (120 Million Won Fine)

Between September and November 2025, Bithumb integrated its Tether (USDT) market order books with international platforms to deepen local liquidity pools. While Bithumb properly prompted users for explicit, separate consent to transmit their transaction data to the Stellar exchange, a technical and structural mismatch occurred. The PIPC discovered that unique user membership numbers and granular order details were instead transmitted directly to systems operated by a completely different exchange, BingX.

AML Data Omission (90 Million Won Fine)

The second violation involved Bithumb’s execution of international digital asset withdrawals. In an effort to satisfy global Anti-Money Laundering (AML) and Travel Rule frameworks, Bithumb routinely shared the legal names, birth dates, and unique crypto wallet addresses of both originators and beneficiaries with 13 different overseas exchanges. However, the exchange failed to obtain the legally mandated, separate user consent required for cross-border data transfers.

New Enforcement Standards for Blockchain Privacy

While the PIPC acknowledged that sharing wallet architecture details is an essential component of combating illicit finance, it firmly ruled that global regulatory duties do not absolve localized exchanges from local privacy laws. Alongside the monetary fine, Bithumb has been hit with an official corrective order forcing an immediate overhaul of its international data-transmission protocols.

Prompted by the Bithumb gaps, the PIPC has formally released a specialized data-protection guideline tailored for blockchain service architectures. Citing the public, immutable nature of distributed ledgers, the watchdog explicitly ruled that personally identifiable information (PII), such as legal names, residency numbers, and registration details, must remain strictly off-chain to avoid irreversible exposure.
