South Korea's Financial Intelligence Unit (FIU) issued a preliminary notice on March 9, 2026, proposing a six-month partial business suspension against Bithumb, the country's second-largest cryptocurrency exchange by trading volume. The regulator also recommended a formal disciplinary reprimand against CEO Lee Jae-won, in what appears to be one of the first direct executive-level enforcement actions in South Korea's crypto history. The proposed sanctions follow a pattern of anti-money laundering (AML) failures uncovered during a broader sweep of domestic exchanges.

What the FIU Found

The FIU cited two specific compliance failures. First, Bithumb conducted transactions with overseas crypto platforms that were not registered with Korean authorities without reporting those dealings to regulators. Second, the exchange maintained inadequate Know Your Customer (KYC) and AML procedures, including insufficient customer due diligence (CDD), a standard that encompasses ongoing monitoring and beneficial ownership checks and goes beyond initial identity verification. The proposed six-month restriction is double the three-month partial suspension imposed on Upbit, South Korea's largest exchange, which was also fined approximately 35.2 billion Korean won (roughly $25 million USD) for comparable violations.

The scope of the proposed ban is limited. Existing users would retain full access to trading and Korean won deposits and withdrawals. The restriction would apply only to virtual asset transfers for newly registered users. A Bithumb official described the action as preliminary: "This measure is not a final sanction, but rather a preliminary notice, and there may be some adjustments during the sanctions review." The FIU's sanctions deliberation committee is scheduled to meet in mid-to-late March 2026 to issue a final ruling.

How the February Blunder Set This Off

The enforcement action follows a costly operational failure in February 2026. On February 6, 2026, a Bithumb staff member configuring a routine promotional rewards event called the "Random Box" campaign entered "BTC" instead of "KRW" in the payout field, accidentally crediting 695 users with approximately 620,000 BTC. The intended reward per user ranged from only ₩2,000 to ₩50,000 (approximately $1.37 to $34 USD), which makes the scale of the error all the more striking. The misallocated amount was worth between $40 and $44 billion at the time, or roughly 15 times Bithumb's actual Bitcoin holdings of around 42,000 BTC. Bitcoin prices on Bithumb fell 17% relative to global markets rapidly as recipients rushed to sell. The exchange froze trading and withdrawals within 35 minutes and recovered 99.7% of the misallocated funds. About 1,786 BTC, valued at over $170 million, was sold before the freeze; users who received and spent those funds are legally obligated to return them.

CEO Lee Jae-won testified before South Korean lawmakers on February 11, stating: "We are acutely aware of the deficiency in internal system control." Bithumb's own post-incident review identified a 24-hour lag in transaction processing, no asset-matching safeguard to verify payout amounts, and a lack of account segregation controls. Lawmakers compared the episode to the 2018 Samsung Securities ghost-stock incident, which triggered sweeping reforms in South Korean traditional finance.

A Broader Enforcement Pattern

Bithumb is not the only exchange facing scrutiny. Korbit received an institutional warning and a fine of 2.73 billion KRW. GOPAX is currently under review, while Coinone's case remains pending. The FIU's approach appears to be systematic, working through major exchanges one by one rather than responding to individual incidents. The entire campaign is unfolding against a backdrop of $110 billion in crypto capital that left South Korean domestic platforms in 2025, more than double the prior year's outflow, as users sought access to derivatives and other products not available under current rules.

What This Means for South Asia, Africa, and Emerging Markets

The case is relevant to regulators and exchange operators far outside South Korea. The specific violation involving unreported transactions with unregistered overseas platforms is particularly significant for Africa's crypto landscape, where peer-to-peer trading and informal cross-border channels are widespread. Regulators in Nigeria, Kenya, and South Africa are advancing FATF-aligned (Financial Action Task Force) compliance requirements for Virtual Asset Service Providers (VASPs). The SEC Nigeria, the Capital Markets Authority (CMA) in Kenya, and the Financial Sector Conduct Authority (FSCA) in South Africa are each pushing frameworks that mirror FATF travel rule and VASP registration standards. South Korea's willingness to penalize exchanges for exactly this type of cross-border oversight gap may accelerate enforcement in those markets.

For India, the parallel is structural. Indian crypto exchanges operate in a high-retail-activity environment with limited derivatives access, similar to South Korea's. India's FIU has already flagged compliance shortfalls at domestic Virtual Digital Asset service providers, and India implemented its own Travel Rule requirements in 2025 alongside a mandatory FIU-IND registration regime. Exchanges such as CoinDCX, WazirX (operating in a post-hack regulatory environment), and Mudrex now function within those constraints. The South Korean enforcement model, combined with the $110 billion capital flight warning, presents a direct case study in what happens when compliance burdens rise faster than product availability.

What Comes Next

South Korea's Financial Services Commission (FSC) is pushing forward on the Digital Asset Basic Act, a comprehensive legislative framework that has stalled over a dispute between the FSC and the Bank of Korea regarding stablecoin issuance rights. The Bank of Korea has insisted that only banks with 51% or greater ownership should be permitted to issue stablecoins, while the FSC has warned that this condition would stifle innovation. The FSC convened its first Virtual Asset Committee meeting of 2026 on March 4. The Act would introduce asset classification rules, issuer disclosure requirements, and no-fault liability provisions for operators. A separate provision under discussion would cap ownership stakes in major exchanges at 20%, a measure with direct implications for consolidation and merger activity across the sector. The Financial Supervisory Service (FSS) has also announced plans to deploy AI-powered surveillance tools for real-time detection of suspicious trading activity.

The FIU committee meeting in mid-to-late March will determine whether Bithumb's six-month suspension is confirmed, reduced, or modified. A final decision could reshape how domestic and international compliance teams approach cross-border reporting obligations and customer due diligence standards across the region.