South Korea’s privacy watchdog has slapped Bithumb with a 210 million won penalty, roughly $136,000, after uncovering that the exchange routed users’ personal data to an overseas platform they never actually approved, as per reports.
The trouble surfaced after lawmakers raised questions during a 2025 parliamentary audit about how Bithumb handles order-book sharing arrangements with foreign exchanges, a practice that lets platforms pool buy and sell orders so trades can match across borders.
Digging into Bithumb’s Tether USDT order-book sharing between September and November 2025, the Personal Information Protection Commission (PIPC) found a mismatch between what users agreed to and what actually happened. Customers had signed off on having their data sent to Stellar exchange, but the PIPC discovered the information, including member numbers and order details, landed instead on a system run by BingX, an entirely different exchange.
That wasn’t the only issue investigators flagged. Looking at Bithumb’s virtual asset transfers across 13 overseas exchanges, the PIPC found the company had handed over names, wallet addresses, and in at least one instance, dates of birth, to support anti-money laundering checks, again without securing complete user consent for those disclosures.
The commission didn’t dispute that AML compliance sometimes requires sharing personal data during virtual asset transfers. But it drew a hard line on consent. “The cross-border transfer of personal information is a matter closely related to the data subject’s right to self-determination, and therefore requires meticulous compliance with the requirements and procedures stipulated in the Personal Information Protection Act,” the commission stated.
As part of the ruling, regulators are requiring Bithumb to fix its overseas data transfer procedures and spell out those transfers more transparently in its privacy policy going forward.
However, this isn’t Bithumb’s first run-in with Korean regulators this year. The exchange previously faced a far steeper 36.8 billion won fine over separate AML failures involving customer verification, transaction monitoring, and dealings with unregistered foreign virtual asset providers.
The PIPC paired the Bithumb penalty with a fresh set of guidelines aimed specifically at blockchain companies, citing the unique privacy risks posed by systems built to be transparent, distributed, and resistant to deletion.
