South Korea: mandatory liability for crypto exchanges

South Korea's regulators are pushing for strict strict strict liability (or 'no-fault liability') rules for cryptocurrency exchanges, a decisive move that follows the serious $28 million hacking incident suffered by Upbit, the nation's largest exchange.

The Financial Services Commission (FSC) has confirmed that it will include these measures in its subsequent virtual asset legislation, in an attempt to drastically strengthen investor protection.

What is Objective Liability

The strict Liability is a legal principle that requires compensation without the need to prove negligence or wrongful conduct. This mechanism guarantees quick and predictable compensation to victims by removing the burden of proving culpability.

업비트 해킹에...금융당국, 가상자산업권에도 '무과실 배상' 추진 | 연합뉴스

(서울=연합뉴스) 임수정 강수련 기자 = 가상자산 거래소에서 해킹-전산 사고가 발생할 경우 금융회사와 동일하게 사업자에게 '무과실 손해배상 책...

연합뉴스강수련

This approach is already commonly applied in South Korea to high-risk industries such as car crashes and hazardous industrial activities.

Under the proposed new rules, exchanges will have to compensate users for losses resulting from hacking or system failures. Liability will be triggered regardless of the company's fault, unless users have acted with gross negligence.

This regulatory scheme mirrors the regulations for traditional financial institutions in the country, enshrined in the Electronic Financial Transactions Act. Currently, crypto platforms lie outside the jurisdiction of that Act, creating a dangerous 'grey area' that leaves investors without legal protection.

The Alarm Raised by Data

The recent Upbit incident crucially highlighted this vulnerability, triggering an urgent need for reform. Governor Lee Chan-jin of the Financial Supervisory Service (FSS) publicly acknowledged the gap, emphasising that system security is "the lifeblood of virtual resource markets".

The data collected show the full extent of the problem. Between 2023 and September 2025, five major exchanges reported 20 cyber incidents. In total, more than 900 users suffered total damages exceeding $29 million. Specifically:

• Upbit: recorded six incidents, affecting 616 users.
• Bithumb: reported four incidents impacting 326 users.
• Coinone: experienced three incidents, affecting 47 users.

The detail of the Upbit attack on 27 November KST is staggering: the hack occurred from 4:42 to 5:36, lasting just 54 minutes. During this time, 104,064,700,000 units of 24 types of Solana-based coins, worth about 44.5 billion won, were transferred to external wallets.

Despite the huge losses, regulators have found no legal basis to directly sanction exchanges under the current Virtual Asset User Protection Act.

Stricter Security Standards and Increased Sanctions

The new legislation will require crypto assets to meet the same security standards as traditional financial institutions. Exchanges will be required to maintain adequate staff, facilities and a robust IT infrastructure and will be obliged to submit annual technology plans to regulators.

Fines are set to increase significantly under the proposed framework. Currently, fines are limited to approximately $3.5 million. The proposed amendments could allow fines of up to 3% of companies' annual turnover.

Industry observers anticipate swift legislative approval, with the ruling party expressing strong support for investor protection measures. Exchanges are now preparing to adjust their compliance strategies for the upcoming changes.