The South Korean government has announced plans to significantly increase the liabilities of cryptocurrency exchanges, a move prompted by the recent attack that impacted Upbit. The government aims to implement bank-level, no-fault compensation rules for exchanges in direct response to the breach.
Market observers suggest that this new development is also a consequence of the existing lack of a comprehensive regulatory framework within South Korea's digital asset industry. With this proposed change, cryptocurrency exchanges are expected to be regulated similarly to traditional financial institutions, with the Korean government applying the same level of scrutiny concerning compliance, consumer protection standards, and overall regulatory guidelines for the Korean crypto industry.
Korean Government Seeks to Improve Oversight in the Crypto Industry
According to reports, the Financial Services Commission (FSC) is exploring provisions that would mandate Korean virtual asset providers, or exchanges, to compensate users for losses incurred due to hacks or system failures. This proposed compensation would apply irrespective of whether the exchange is deemed at fault. This no-fault compensation standard is currently in practice for financial firms and electronic payment firms under the existing law governing financial transactions.
The impetus for this new development appears to be the hack incident that occurred on November 27, involving Upbit. During this incident, over 104 billion Solana-based tokens, valued at approximately 44.5 billion won ($30.1 million), were transferred to external wallets within minutes. The perpetrators managed to steal various tokens, including Bonk, Solana, Pudgy Penguins, and the Official Trump token. Despite the breach, the exchange has faced minimal penalties.
This limited recourse is attributed to the current legal framework, which does not empower regulators to compel the exchange to compensate victims of the hack. With the impending update, the FSC would gain the authority to hold cryptocurrency exchanges liable for compensating victims, aligning their obligations with those faced by traditional financial entities in the event of hacks or system failures. This initiative is also being undertaken amidst numerous system failures reported across the broader cryptocurrency sector.
Lawmakers Preparing to Release Updated Draft Regulations
In data submitted by the Financial Supervisory Service (FSS) to lawmakers, the five major Korean crypto exchanges—Upbit, Bithumb, Coinone, Korbit, and Gopax—collectively experienced 20 system failures between 2023 and September 2025. These incidents affected over 900 users, resulting in combined losses amounting to 5 billion won. Upbit alone was involved in six of these incidents, impacting more than 600 victims and causing losses totaling approximately 3 billion won.
The draft legislation is anticipated to incorporate requirements aimed at enhancing security measures. These are expected to include mandatory IT security infrastructure plans, significantly stricter penalties, and upgraded standards for both systems and personnel. Lawmakers are currently considering a revision that would permit firms to be fined up to 3% of their annual revenues for hacking incidents at crypto exchanges, mirroring the standards applied to traditional financial institutions.
Currently, the maximum fine applicable to crypto exchanges is capped at 5 billion won. The Upbit incident has also highlighted concerns regarding delayed reporting. Reports indicate that the hack was detected around 5 AM on November 27, but Upbit did not report the incident to the FSS until 10:58 AM, a delay of nearly six hours. Consequently, some Korean lawmakers have suggested that the exchange may have intentionally withheld the information until after a scheduled merger between Dunamu and Naver Financial was completed.
In response, the FSS is investigating the breach. However, reports suggest that the exchange might not face severe sanctions. FSS Governor Lee Chan-Jin acknowledged the gravity of the incidents and the limitations of current oversight, stating, "The hacking is not something we can overlook. However, regulatory oversight clearly has limits in imposing penalties."

