Key Insights:
- Bithumb has been fined 210 million EUR for its breach of overseas data transfer regulations by South Korea.
- Regulators found customer data was sent to entities not covered by user consent.
- New blockchain privacy guidelines signal tighter compliance expectations for crypto firms.
Bithumb has been fined 210 million won, or about $136,000, by South Korea’s Personal Information Protection Commission after regulators found violations involving overseas transfers of user data. The decision adds a new compliance challenge for crypto exchanges as authorities expand oversight beyond anti-money laundering controls and focus more closely on privacy protection.
The commission announced the sanction following its 12th plenary meeting on June 24. In addition to the financial penalty, regulators ordered Bithumb to strengthen its procedures for handling cross-border transfers of personal information. It’s a move that indicates South Korea is looking to up the ante on the way crypto platforms handle user information with foreign partners.
The parliamentary audit sparked the investigation
Questions arose during an audit conducted in 2025 by the parliament regarding the sharing of order books by Bithumb with foreign exchanges. Order-book sharing enables trading platforms to merge the buy and sell orders, thereby enhancing the market’s liquidity and execution efficiency.

There was a concern that customer information was flowing through these partnerships and that led to a regulatory review. Their investigation focused on overseas transfers linked to trading activity and virtual asset transactions.
Order-book sharing became the center of the case
According to the commission, Bithumb shared information from its Tether USDT market order book with overseas exchanges between September and November 2025. While users had agreed to the transfer of information to Stellar Exchange, regulators found that data was actually transmitted to a system operated by BingX.
Authorities said the problem extended beyond the transfer itself. The recipient differed from the entity named in the customer consent process, creating a violation under South Korea’s Personal Information Protection Act.
The findings show how liquidity partnerships can create privacy risks when customer identifiers and trading information cross borders. Regulators emphasized that user consent must accurately reflect where information is being sent.
Transfers to overseas exchanges expanded regulatory concerns
The commission also examined virtual asset transfers involving 13 overseas exchanges. During that review, authorities found that customer information had been shared for anti-money laundering checks.
The transferred data included names, wallet addresses, and in one instance a user’s date of birth. Regulators acknowledged that certain information may be necessary for AML compliance. They did say, however, that companies still need to abide by legal obligations relating to customer consent and notification.
The commission says that the right to control personal information is linked closely to cross-border transfers of personal information. Therefore, exchanges will have to adhere to specified procedures prior to the transmission of any information regarding customers to foreign countries.
The regulator asked Bithumb to make amendments to its overseas transfer procedures, as well as to enhance disclosures in its privacy policy.
New blockchain privacy standards increase expectations.
In addition to the sanction, the commission issued new regulations on protection of personal information in blockchain services. This guidance covers privacy issues arising from TLDS.
It highlights challenges like on-chain disclosure, participant data sharing, risk tracking, and the management of personal data that could be hard to delete from blockchain networks. The regulators also urged firms to think about privacy safeguards when creating blockchain products.
The commission also advised that personally identifiable information be not stored on-chain “if at all possible. These measures are part of a wider trend of aligning technological advancements with data protection needs.
Rising regulatory pressure around the crypto markets keeps on expanding
The new move comes as a fresh blow in the regulatory crackdowns against Bithumb and the crypto industry. The South Korean regulators have previously subjected the entities to stiff punishment for AML failings in customer due diligence, transaction monitoring and dealing with foreign virtual asset service providers that are not registered.
Meanwhile, regulators are still toughening up their oversight of foreign crypto trading and exchanges via reporting programs and sharing. Authorities are also readying themselves for the exchange of crypto transaction details with dozens of nations under the OECD Crypto-Asset Reporting Framework.
Crypto exchanges have to comply with a much more extensive set of requirements than financial monitoring. For example, the Bithumb case illustrates the same level of scrutiny as the AML and tax reporting requirements are faced.
Conclusion
Although the fines imposed on Bithumb may be less than the ones imposed in the past, their impact is far greater than a mere number. The South Korean security authorities have stated that compliance with privacy has become a part of the crypto regulation.
With the increasing number and scale of international partnerships and the growth of liquidity networks on exchanges, regulators are likely to be increasingly concerned with the consent, transparency and protection of personal data in all international transfers.









