What Bithumb's Fine Reveals About Crypto Withdrawals

A couple of days ago, several outlets reported that South Korea's Personal Information Protection Commission (PIPC) had fined crypto exchange Bithumb for violations related to cross-border personal data transfers.

At the time, I didn't pay much attention - it seemed like routine news. But today I looked into the Commission's press release, and it turned out there was something rather unusual in it. The press release is available here in Korean. I ran it through several AI tools, and they all came back with the same reading.

One of the issues raised against Bithumb was this: when transferring assets to 13 foreign exchanges, Bithumb was sharing personal data about both the sender and the recipient - specifically names, wallet addresses, and in one case, a date of birth. The exchange attributed this to AML requirements. If the AI translation is accurate, this data sharing happened as part of the asset transfer process itself ("Bithumb transmitted data when transferring assets").

Technically, the only framework I can picture this fitting into is the Travel Rule. When Bithumb receives a withdrawal request, it asks the customer who owns the destination address. If the customer names another exchange as the owner, Bithumb contacts that exchange and passes along the sender's details. That's really the only way to explain how Bithumb would even have the recipient's name to begin with.

Which raises an obvious question: is it realistic that Bithumb does this while other exchanges don't? That seems hard to believe. My guess is that this kind of data sharing only works on a reciprocal basis - meaning that when you hand your information to one exchange, it could end up accessible to at least thirteen others, if you withdraw funds to addresses belonging to those exchanges.

Bithumb was fined specifically because it had not obtained user consent for any of this. But do other exchanges? Have you ever even heard of exchanges sharing sender personal data during crypto transfers? I hadn't - and South Korea's PIPC appears to be the first authority to say so publicly.

Just a reminder: when you exchange crypto on rabbit.io, we don't collect your personal data. Which means we simply have nothing to share with anyone. Worth keeping in mind.