South Korea's tightening grip on its crypto industry now extends to how exchanges handle their users' data.

What the regulator found

The Personal Information Protection Commission (PIPC) — the independent body that enforces South Korea's Personal Information Protection Act — fined Bithumb roughly 190 million won, about $136,000, after finding it transferred users' personal data to overseas crypto exchanges without obtaining the separate consent that the law requires for cross-border transfers, Cointelegraph reported. The regulator also issued corrective orders.

At the center of the case was order-book sharing. Between September and November 2025, Bithumb shared stablecoin (USDT) order-book data, and the user information tied to it, with the Singapore-based exchange BingX — but the consent users had given covered a different counterparty, not BingX. Korean law treats sending personal data abroad as a distinct, higher-risk category: a company must get consent specifically for that transfer, naming the recipient, destination and purpose, on top of the general consent collected when an account is opened. Bithumb, the PIPC found, did not.

A plain-English point

The issue is not that Bithumb was hacked or that funds were lost. It is a data-protection failure: personal information was routed to a foreign company without users agreeing to that specific handoff. Regulators worldwide increasingly treat the safeguarding of customer data as a core obligation for platforms that, like exchanges, hold sensitive financial and identity details on millions of people.

A rough stretch for Bithumb

The fine adds to a difficult run. Bithumb, which vies with Upbit for the top spot among South Korean exchanges by volume, was hit earlier in 2026 with a separate, far larger penalty from financial regulators over alleged anti-money-laundering failings — a fine and a temporary partial business suspension that a court later paused, according to Cointelegraph. The exchange has also contended with an internal-controls scare and has pushed back plans for a stock-market listing while it strengthens its compliance and accounting systems. Boursel could independently confirm the data-privacy fine through Cointelegraph's report; some of the surrounding regulatory history is drawn from the same outlet's prior coverage.

Why it matters

The dollar amount is small next to Bithumb's scale, but the signal is not. South Korea has been steadily expanding oversight of digital assets since the 2022 collapse of TerraUSD and the rollout of its Virtual Asset User Protection Act. This action shows that oversight now runs through the country's mainstream privacy regime as well as its financial rules — meaning exchanges answer not only to financial regulators on money-laundering and licensing, but to a data watchdog on how they move customer information across borders. For a global industry that routinely shares order and customer data between platforms, that is a compliance area likely to draw more scrutiny, not less.