South Korea Imposes Bank-Level Liability on Crypto Exchanges Post-Upbit Hack

South Korea is preparing to impose bank-level, no-fault liability rules on cryptocurrency exchanges following the recent breach at Upbit. The Financial Services Commission is reviewing new provisions that would require exchanges to compensate customers for losses from hacks or system failures, even when the platform is not at fault.

This no-fault compensation model is currently applied to banks and electronic payment firms under Korea's Electronic Financial Transactions Act. The regulatory push comes after a November 27 incident involving Upbit, operated by Dunamu, where over 104 billion Solana-based tokens, worth approximately 44.5 billion won, or $30.1 million, were transferred to external wallets in under an hour.

Regulators are also responding to a pattern of system outages at major exchanges, with data showing that South Korea's five major exchanges reported 20 system failures in 2023, impacting over 900 users and causing more than 5 billion won in combined losses.

Upbit alone recorded six outages affecting 600 customers. The upcoming legislative revisions are expected to mandate stricter IT security requirements and higher operational standards, with lawmakers considering fines of up to 3% of annual revenue for hacking incidents, the same threshold used for banks.

Currently, crypto exchanges can face a maximum fine of $3.4 million. The Upbit breach has also drawn political scrutiny over delayed reporting, as the exchange detected the hack shortly after 5 AM but did not notify the Financial Supervisory Service until nearly 11 AM.

Some lawmakers allege that this delay was intentional, occurring shortly after Dunamu finalized a merger with Naver Financial. In addition, South Korean lawmakers are pushing for a draft stablecoin bill by December 10, warning they will proceed without government input if the deadline is missed, following slow progress and repeated delays.