South Korea is preparing to apply bank-level, no-fault liability standards to cryptocurrency exchanges following a major breach at Upbit that authorities have attributed to North Korea’s Lazarus Group. The Financial Services Commission (FSC) is reviewing rules that would require virtual asset service providers (VASPs) to compensate users for losses from hacks or system failures regardless of fault, aligning crypto platforms with protections already mandated for banks and electronic payment firms.
FSC weighs no-fault compensation for exchanges
The FSC is considering provisions that would obligate crypto exchanges to reimburse customers for losses stemming from security incidents or operational outages, even when the platform is not directly at fault. This approach mirrors the no-fault compensation standard under South Korea’s law governing electronic financial transactions, which currently covers financial institutions and e-money providers. The review follows heightened scrutiny of exchange security and consumer protection after the recent Upbit incident.
Upbit breach and operational response
On November 27, Upbit detected abnormal withdrawals on the Solana network at approximately 4:42 a.m. KST. Investigators say about 44.5 billion won (roughly $30 million) in digital assets were transferred to external wallets within 54 minutes. Upbit halted deposits and withdrawals, deleted existing deposit addresses, and required users to generate new ones as the company rebuilt parts of its wallet infrastructure.
Upbit said it uncovered and repaired a flaw in its internal wallet system during the investigation and pledged full coverage for customer assets. The exchange announced it would resume digital asset transfers on December 1 after reinforcing security controls. Separate media reports cited the operator, Dunamu, as indicating the theft involved a Solana wallet vulnerability; the company has not publicly detailed the technical exploit.
Attribution to Lazarus and ongoing supervision
South Korean authorities have attributed the attack to the Lazarus Group, alleging the hackers impersonated administrative personnel to facilitate unauthorized transfers and then deployed laundering tactics to move the funds. The Financial Supervisory Service has conducted on-site reviews through December 5, with additional regulatory pressure expected to strengthen custody and key-management standards across the industry.
Policy outlook and broader implications
The Upbit incident has intensified debate over digital asset risk management and consumer safeguards in South Korea as the government advances broader crypto regulation. Officials have set January 2026 as the target for passing the Digital Asset Basic Act, a framework expected to address stablecoins, market integrity, and custody requirements. Extending no-fault liability to VASPs would mark a significant shift, aligning crypto platforms with the accountability standards applied to traditional financial services.