South Korea’s FSC unveils no-nonsense regime in fallout from Bithumb’s $40B accident

South Korea’s Financial Services Commission (FSC) met with the “Big Five” digital asset exchanges, including Upbit, Bithumb, Coinone, Korbit, and Gopax, as well as the Digital Asset Exchange Alliance (DAXA), to lay out new regulations created in response to the Bithumb disaster in February.

In February, a Bithumb employee reportedly made a critical typo when issuing a reward—sending 620,000 Bitcoins to 249 users instead of 620,000 won. The exchange then sent Bitcoin worth about $40 billion to customers, described as roughly 13 times more Bitcoin than Bithumb held at the time.

Findings from the February incident and sanctions review

The FSC said that during its inspections into the February incident, it found “deficiencies in Bithumb’s internal control system.” The commission is currently completing a legal review to determine the specific sanctions to be applied.

Background: prior enforcement against Bithumb

Even before the February incident, Bithumb faced regulatory action. Last month, South Korea’s Financial Intelligence Unit (FIU) imposed a six-month partial business suspension, effective from March 27 to September 26, along with a fine of 36.8 billion won ($24.6 million).

The FIU said the company facilitated 45,772 transactions with unregistered overseas exchanges and failed to properly verify customer IDs.

New monitoring and trading controls

As part of the response to the Bithumb incident, the FSC announced a comprehensive overhaul of monitoring systems, with strict new rules taking effect immediately.

Previously, three of the five major exchanges checked balances only once every 24 hours. Under the new rules, each exchange must reconcile its records with its actual crypto wallets every five minutes.

If the system detects a large mismatch during these five-minute checks, it must automatically halt trading. In addition, instead of quarterly audits, accounting firms must audit balances every month and report the quantity of assets held in each wallet.

Account separation, payout verification, and governance requirements

The FSC also directed that high-risk transaction accounts be separated. For any manual payout, a “third-party cross-check” is required, meaning two people or systems must verify the payment. Depending on the payout amount, multi-level authorization may be required.

The FSC said self-regulation in the crypto industry has been weak. Exchanges are now required to appoint a Risk Management Officer and form a Risk Management Committee. Inspections for violations will occur every six months rather than once a year, and results must be reported to the government.

Strengthening VASP registration and transaction monitoring

The FSC also proposed changes aimed at strengthening the registration of VASPs. One example is the “Travel Rule,” which previously applied only to transactions over 1 million won. Under the updated approach, monitoring will cover every transaction regardless of size to help prevent money laundering.

To obtain a license, VASPs must maintain a debt ratio below 200%, must not have been in default for three years, and major shareholders must pass a strict credibility test. The FSC and DAXA plan to finalize these rule changes by the end of April.