Global players call for stronger crypto risk controls at Bithumb

A man walks past a Bithumb customer lounge in Seoul, Monday. Yonhap

HONG KONG — Global crypto players called on Bithumb to establish robust internal systems that match traditional finance standards on Tuesday, echoing domestic sentiment that the exchange’s “ghost bitcoin” incident was human error compounded by weak internal controls.

Chandan Gupta, an Indian crypto analyst and trader, said the incident can’t simply be blamed on a single employee error. "In any mature financial system, a single action should never trigger direct payouts of such scale. There should be proper payout caps, multilayer approvals and security checks."

Jimmy Xue, chief operating officer and co-founder of Axis, a quantitative yield protocol, said the incident exposed a “fundamental structural vulnerability" in Bithumb as it operated like unregulated fractional reserve banks, capable of creating phantom assets that exist only on internal ledgers.

On Friday, Bithumb, Korea’s second-largest cryptocurrency exchange, mistakenly distributed 620,000 bitcoins instead of 620,000 won ($426) to 249 winners of its “random box” promotion, after an employee incorrectly entered the payout unit as “BTC” instead of “won.” Bithumb held fewer than 50,000 bitcoins on its own books.

Although Bithumb moved to block trading and withdrawals from the affected accounts once the error was identified, 1,788 bitcoins had already been sold by 86 users, according to financial authorities. Bithumb has since been recovering the bitcoins that were sold.

What caught the market off guard wasn’t the error itself, but the exchange’s poor internal controls, industry officials said. A withdrawal was executed with only a single authorization, while the reward and core custody systems were not segregated. Even worse, there was no reconciliation between actual asset holdings and recorded ledger balances for 20 minutes.

Min Jung, a research associate at Presto Research, noted that while book-entry systems are an industry standard for speed and cost-efficiency, this case shows "how a single operational failure can lead to visible market disruption if safeguards are insufficient."

During the brief interval between distribution and withdrawal, the bitcoin price on the exchange dropped to 81.1 million won — down 17 percent and well below the average price on other platforms.

In response, Korea’s Financial Supervisory Service on Tuesday escalated its on-site review of Bithumb into a formal investigation. The outcome is expected to be reflected in the drafting of the second phase of the country’s digital asset legislation.

A customer checks the price of bitcoin at Bithumb’s customer lounge in Seoul, Friday. Korea Times photo by Shim Hyun-chul

Crypto exchanges worldwide urged to set TradFi standards

Industry officials say the incident is not unique to crypto. However, the Bithumb case — and the swift regulatory response in Korea — reflects a broader global shift toward applying the same operational risk frameworks used for traditional financial institutions to crypto infrastructure.

Syed Musheer Ahmed, founder and managing director of FinStep Asia, noted that regulators globally are moving to strengthen oversight of virtual asset service providers.

A good example, he said, is the updated market risk assurance and surveillance rules introduced by the Dubai Virtual Assets Regulatory Authority last year, as well as the European Securities and Markets Authority's revised Markets in Crypto-Assets Regulation guidelines on market supervisory practices.

"Bithumb was lucky that the error was trapped on its internal ledger and could be reversed in about 35 minutes, but from a supervisory standpoint ‘we managed to undo it’ is not a comfort metric when your systems can fabricate tens of billions in exposure in the first place," said Joshua Chu, lawyer, lecturer and co-chair of Hong Kong Web3 Association.

Chu added that in Hong Kong, if a licensed virtual asset exchange experienced a self-inflicted incident like Bithumb’s, regulators would treat it as a serious internal control breach — with potential consequences including public reprimand, financial penalties, tightening of license conditions and mandatory remediation supported by on-site inspections. In more severe cases, suspension of business or action against responsible individuals could follow if their fitness and propriety are called into question.

He also noted that as both Korea and Hong Kong build their virtual asset regulatory regimes on Financial Action Task Force foundations, such incidents would likely be analyzed through a similar lens.

Tim Sun, senior researcher at Hashkey Group, emphasized that treating asset protection and risk segregation with the same rigor as traditional financial institutions is key to operating an exchange. Hashkey Group operates Hong Kong's largest licensed crypto exchange, Hashkey Exchange.

According to Sun, the exchange keeps client and proprietary assets strictly separate, stores about 98 percent of client funds in cold wallets and enforces a “need-to-know” policy for access.

"Incidents like this are a reminder that as crypto goes mainstream, 'cool features' aren't what make an exchange competitive anymore," Sun said. "The real edge lies in resilience and risk governance."