South Korea’s Personal Information Protection Commission has ordered Bithumb to pay 210 million won, or about $136,000, for breaching overseas personal information transfer rules.
Summary
- Bithumb’s privacy fine adds fresh pressure as Korean regulators tighten checks on overseas exchange transfers.
- The case shows order-book sharing can trigger data rules when member details move abroad without consent.
- New blockchain privacy guidelines warn firms to limit identifiable data recorded on public ledgers directly.
The regulator also issued a corrective order requiring the exchange to meet legal standards before sending user data abroad.
The decision followed the commission’s 12th plenary meeting on June 24. The PIPC said Bithumb moved personal information overseas during order-book sharing and virtual asset transfers without meeting all requirements under the Personal Information Protection Act.
Bithumb order-book sharing drew scrutiny
The case began after questions were raised during a 2025 parliamentary audit about Bithumb’s order-book sharing with overseas exchanges. Order-book sharing allows exchanges to share buy and sell orders so trades can match across platforms.
The PIPC found that Bithumb shared its Tether USDT market order book with overseas exchanges from September to November 2025. Users had consented to an overseas transfer involving Stellar exchange, but the regulator said member numbers and order information were actually sent to a system operated by another exchange, bingx.com.
The finding shows how liquidity partnerships can become privacy cases when user identifiers and order data move across borders. The issue was not only that data left South Korea, but that the recipient differed from what users had approved.
Transfers to 13 exchanges added breach
The regulator also reviewed Bithumb’s virtual asset transfers to 13 overseas exchanges. It found that Bithumb provided sender and recipient data, including names, wallet addresses, and in one case dates of birth, for anti-money laundering checks.
The PIPC said personal information may be needed for AML purposes during virtual asset transfers. However, it said cross-border transfers remain closely tied to a user’s right to control personal data. The regulator said firms must follow the law’s consent and notice procedures.
“The cross-border transfer of personal information is a matter closely related to the data subject’s right to self-determination,” the commission said, according to the report.
It said exchanges must strictly comply with the procedures required under the Personal Information Protection Act.
The order requires Bithumb to correct its overseas transfer process. The exchange must also explain relevant transfers clearly in its personal information processing policy.
Broader compliance pressure grows
The penalty adds to Bithumb’s regulatory pressure in South Korea. As crypto.news reported, South Korean regulators earlier fined Bithumb 36.8 billion won after finding AML-related violations tied to customer checks, transaction monitoring, and transfers involving unregistered overseas virtual asset service providers.
Previously, crypto.news explored South Korea’s proposed crypto AML rule changes, which could sharply raise suspicious transaction reports linked to overseas transfers. The industry warned that local exchanges could face heavy reporting pressure if all overseas-linked transfers above 10 million won require automatic flags.
In a previous article, crypto.news discussed South Korea’s plan to share crypto transaction data with 48 countries under the OECD Crypto-Asset Reporting Framework. That plan shows how Korean authorities are widening oversight of cross-border crypto activity.
The Bithumb case now places privacy compliance beside AML and tax reporting. Korean exchanges must track user funds, screen overseas platforms, and protect personal information at the same time.
Blockchain privacy guidelines released
Alongside the Bithumb sanction, the PIPC released new guidelines for personal information protection in blockchain services. The regulator said blockchain systems raise special privacy issues because transaction records can be transparent, distributed, and hard to delete.
The guidelines call for controls over on-chain disclosures, tracking risks, participant data sharing, and personal information destruction. The PIPC said firms should consider privacy protection from the planning stage when building blockchain services.
The watchdog said it will continue to respond strictly to violations of the Personal Information Protection Act. It also said it will keep setting standards that balance personal data protection with safe use of new technologies.
For Bithumb, the fine is smaller than its earlier AML penalty, but it points to a broader issue. In South Korea’s crypto market, overseas exchange links now face close checks not only for money laundering risks, but also for user consent and data protection.
