[Alpha Biz= Paul Lee] Following a KRW 44.5 billion (approximately USD 330 million) hacking incident at Upbit, South Korea’s largest cryptocurrency exchange, financial authorities have begun a legal review to determine whether sanctions can be imposed, placing the exchange’s security practices under intense scrutiny.
As sanctions cannot be imposed under the current Electronic Financial Transactions Act (EFTA), regulators are instead focusing their review on potential violations of the Virtual Asset User Protection Act.
According to financial industry sources on the 16th, authorities are currently conducting an on-site inspection into the Upbit hacking incident.
The hack, which occurred on November 27, involved the theft of KRW 44.5 billion in digital assets over a span of just 54 minutes, from 4:42 a.m. to 5:36 a.m. Of the total losses, KRW 38.6 billion belonged to customers, while KRW 5.9 billion were assets owned by Upbit.
Authorities are responding with heightened concern, as this marks the second major hacking incident at Upbit in six years. In 2019, the exchange also suffered a hack in which KRW 58 billion worth of Ethereum was stolen.
A key challenge lies in the lack of legal grounds for sanctions under the EFTA. While the law requires financial institutions to take proactive measures against electronic financial transaction breaches, cryptocurrency exchanges are not classified as financial institutions under the Act.
As a result, regulators are examining whether Upbit violated provisions of the Virtual Asset User Protection Act, which primarily focuses on safeguarding user assets and regulating unfair trading practices rather than directly addressing hacking incidents.
Despite potential legal disputes over interpretation, authorities plan to assess whether Upbit failed to meet obligations related to user asset protection and the proper reporting of financial incidents.
In particular, regulators are closely reviewing allegations that Upbit delayed reporting the hacking incident to financial authorities. Under the Virtual Asset User Protection Act, virtual asset service providers are required to promptly notify regulators when suspicious or abnormal transactions are detected.
If no legal violations are identified during the inspection, authorities may be unable not only to impose sanctions but also to proceed with a formal regulatory investigation.
Alphabiz Reporter Paul Lee(hoondork1977@alphabiz.co.kr)
