Value context and insight. lkm@koreatimes.co.kr
Gov't moves to strengthen crypto exchanges' liability after Upbit hacking
An Upbit advertisement installed at a subway station in Seoul / Yonhap
By Lee Kyung-min
The government is seeking to impose bank-level, no-fault compensation rules on crypto exchanges, prompted by a recent breach at Upbit, a crypto exchange operated by Dunamu, and a clear lack of regulatory framework in the country’s digital asset industry, market watchers said Sunday.
The move is a shift to treat major crypto exchanges as rigorously as traditional financial platforms, applying similar scrutiny to compliance, consumer protection standards and the overall regulatory guidelines for Korea’s fast-growing crypto market.
The Financial Services Commission (FSC) is reviewing provisions that would require virtual asset service providers, or crypto exchanges, to compensate users for losses caused by hacking or system failures — regardless of whether the exchange is at fault.
This no-fault standard is currently applied only to financial institutions and electronic payment firms under the law governing electronic financial transactions.
Propelling the move is a Nov. 27 Upbit incident that saw more than 104 billion Solana-based coins totaling about 44.5 billion won ($30.1 million) transferred to external wallets in just 54 minutes.
Despite the breach, the exchange has faced little penalties, since regulators cannot order compensation under the current law.
The FSC’s planned change seeks to make crypto exchanges liable for compensating victims, mirroring the obligations financial entities face in the event of hacking or system failures.
The move also coincides with a slew of recent system failures across the sector.
According to Financial Supervisory Service (FSS) data submitted to lawmakers, the five major crypto exchanges — Upbit, Bithumb, Coinone, Korbit and Gopax — recorded 20 system failures from 2023 through September this year.
More than 900 users were affected, with combined losses of 5 billion won.
Upbit alone accounted for six incidents, with more than 600 victims suffering a combined 3 billion won in losses.
The draft legislation is expected to strengthen requirements, including mandatory IT security infrastructure plans, upgraded standards for systems and personnel, and significantly stronger penalties.
Lawmakers are currently considering a revision that would allow fines of up to 3 percent of annual revenue for hacking incidents at crypto exchanges, the same standard traditional financial institutions are subject to.
Currently, the maximum fine for crypto exchanges is capped at 5 billion won.
Meanwhile, the Upbit breach has also raised concerns about delayed reporting.
The hack was detected around 5 a.m. on Nov. 27, but Upbit failed to report it to the FSS until 10:58 a.m., more than six hours later.
As a result, some ruling party lawmakers raised allegations that the cryptocurrency exchange deliberately withheld the information until after a scheduled merger of Dunamu and Naver Financial concluded at 10:50 a.m.
FSS is looking into the breach, but heavy sanctions are unlikely.
FSS Gov. Lee Chan-jin acknowledged both the seriousness of the incident and the limits of current oversight.
“The hacking is not something we can overlook. However, regulatory oversight clearly has limits in imposing penalties,” he said.