South Korea’s privacy regulator sanctioned Bithumb over cross-border personal data transfers, imposing a 210 million won ($136,200) fine and ordering the crypto exchange to fix its handling of overseas data flows.
The Personal Information Protection Commission said in a June 25 press release that it approved the penalty during its 12th plenary meeting on June 24 after finding that Bithumb violated provisions of the Personal Information Protection Act governing overseas transfers of personal information.
The watchdog said Bithumb must secure a valid legal basis for overseas transfers and clearly disclose the practice in its privacy policy.
Regulator flags data transfers behind order book sharing
The investigation was launched after South Korea’s 2025 National Assembly audit raised concerns about whether Bithumb’s order book sharing with overseas virtual asset exchanges met privacy requirements.
According to the regulator, Bithumb shared order book data in the USDT market from September to November 2025 through a partnership structure that allowed exchanges to share buy and sell order information so trades could be matched across platforms.
While Bithumb obtained separate user consent on the basis that personal data would be transferred to “Stellar exchange,” the commission said member numbers and order details were instead sent to a system operated by another exchange, “bingx.com.”
AML obligations face cross-border privacy rules
The commission also found problems in Bithumb’s handling of personal data during virtual asset transfers to 13 overseas exchanges.
Bithumb provided sender and recipient information for anti-money laundering purposes, including names, wallet addresses and, in one case, dates of birth used to check whether the sender and recipient were the same person.
The regulator said some sharing of personal information may be necessary when virtual assets move between exchanges for AML compliance.
However, it said cross-border transfers are closely tied to users’ right to control their own personal information and must follow the requirements and procedures set out under privacy law.
The penalty includes 120 million won ($77,800) for violations tied to order book sharing and 90 million won ($58,400) for violations related to virtual asset transfers.
Blockchain rules target traceability risks
Alongside the Bithumb decision, the commission released a “Blockchain Service Personal Information Protection Guideline,” pointing to risks created by blockchain’s transparency, decentralization and immutability.
The guideline says information that can directly identify a person, including names or resident registration numbers, should not be recorded on-chain. It also calls for encryption, access controls, clear responsibility among participants and deletion methods involving off-chain personal data and additional information such as salt values.
The commission said it would continue responding firmly to privacy law violations while developing standards that balance data protection with safe use of new technologies.
