South Korea Pushes No-Fault Liability After Upbit Hack

Written & Edited by
Oihyun Kim

08 December 2025 04:58 UTC
  • Korean regulators will require crypto exchanges to compensate all hacking victims without any need to prove fault.
  • The $28 million Upbit hack revealed no legal basis exists to penalize exchanges or mandate user compensation.
  • Phase 2 legislation will enforce financial-grade security standards and allow fines up to 3% of annual revenue.

South Korean regulators are pushing strict no-fault liability rules on cryptocurrency exchanges, following a $28 million hacking incident at Upbit, the nation’s largest exchange.

The Financial Services Commission will include these measures in its subsequent legislation for virtual assets.

TradFi Regulation Applies As Current One Falls Short

No-fault liability is a legal principle requiring compensation without proving negligence or wrongful conduct. Victims receive quick, predictable payouts without the burden of proving who was at fault. This approach is commonly applied to motor vehicle accidents and hazardous industrial activities.

Under proposed rules, exchanges must compensate users for losses from hacking or system failures. Liability applies regardless of the company’s fault, unless users acted with gross negligence. This mirrors the country’s regulations governing traditional financial institutions under the Electronic Financial Transactions Act.

Currently, crypto exchanges fall outside the Act’s jurisdiction. This creates a regulatory blind spot, leaving investors without legal protection. The recent Upbit incident highlighted this vulnerability, sparking urgent calls for reform.

Governor Lee Chan-jin of the Financial Supervisory Service acknowledged the gap at a recent press conference. He stated that system security is the lifeline of virtual asset markets. Phase 2 legislation will significantly strengthen these protections.

Data reveals the full scope of the problem. Between 2023 and September 2025, five major exchanges reported 20 IT incidents. Over 900 users suffered combined damages exceeding $29 million.

Upbit alone accounted for six incidents affecting 616 users. Bithumb reported four incidents impacting 326 users. Coinone experienced three incidents, affecting 47 users.

Upbit Discloses Regulatory Weakness

The Upbit breach exposed major weaknesses in Korea’s crypto oversight framework. One hundred billion coins were transferred out in less than an hour, highlighting how rapidly growing digital asset markets can experience massive losses in a very short time when attacks occur.

According to data submitted by the FSS to the National Assembly’s National Policy Committee, the Upbit hack occurred from 4:42 am to 5:36 am KST on November 27, lasting 54 minutes. During this period, 24 types of Solana-based coins totaling about 104,064,700,000 units, worth roughly 44.5 billion won, were sent to external wallets. That means around 32 million coins, or about 13.7 million won, were siphoned off every second.

Despite significant losses, regulators found no legal basis to penalize exchanges. Under current law, including the Virtual Asset User Protection Act, enacted last year, it is challenging to hold virtual asset service providers directly liable for such hacks, so financial authorities have been reviewing options to close this regulatory gap.

Tougher Standards and Penalties Ahead

New legislation will require crypto businesses to meet the same security standards as traditional financial institutions. Exchanges must maintain adequate staffing, facilities, and robust IT infrastructure. Annual technology plans must be submitted to regulators for review.

Penalties will increase dramatically under the proposed framework. Current fines are capped at roughly $3.5 million. Proposed amendments could allow fines up to 3% of annual revenue.

Industry observers expect swift legislative action. The ruling party has signaled strong support for investor protection measures. Exchanges are now preparing compliance strategies in anticipation of regulatory changes.

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content.