As virtual asset (coin) transactions increase, exchanges such as Upbit and Bithumb are raking in massive profits, but they are drawing controversy for notifying hacks late or changing their words belatedly after attracting customers with events.
The Financial Supervisory Service is investigating a 44.5 billion won hack that occurred at Upbit on the 27th. The government and authorities are leaving open the possibility that it was carried out by Lazarus, a hacking group affiliated with North Korea's Reconnaissance General Bureau. Lazarus is suspected of involvement when 58 billion won worth of Ethereum kept at Upbit was stolen in 2019. The stolen Ethereum at the time totaled about 342,000 coins, worth more than 1.5 trillion won at current prices. The on-site probe by the Financial Supervisory Service will continue at least through next week.
Upbit announced the previous day at 8:55 a.m. that it would restrict deposits and withdrawals due to an "emergency inspection." It was not until 12:33 p.m. afterward that it announced that virtual assets worth 44.5 billion won had been transferred to an unknown external wallet.
Under the Virtual Asset User Protection Act, if an exchange blocks a user's virtual asset deposits or withdrawals, it must notify users in advance of the reason and report it to the authorities immediately. Dunamu identified the hack that morning and informed the Financial Supervisory Service, but posted the notice in the afternoon. When Upbit identified the hack, it was holding a press briefing explaining the merger process with Naver Financial. Because of this, some noted that the company hid the hack to avoid affecting a major event.
Bithumb has been embroiled in controversy over a transaction event recently. Bithumb users are filing complaints with the Financial Supervisory Service, saying Bithumb added criteria at its own discretion after posting the event notice and is not paying out rewards.
Starting on the 10th, Bithumb said it would pay a 100,000 won linkage subsidy to all customers with no API (application programming interface) transaction history and refund trading fees. The Bithumb API is a function disclosed so users can easily access various features provided by Bithumb, such as price listings and order book inquiries.
According to the notice, investors can receive it by obtaining a key for API use and making a transaction in the won market. However, during the payment screening process, the company changed it to exclude one-off transactions and require "continuous and normal use."
Under the Financial Investment Services and Capital Markets Act and related regulations, unilaterally changing event conditions after posting them or excluding one-off transactions could be problematic as an unsound business practice or false or exaggerated advertising. However, there are no clear standards for virtual assets.
For years, there have been pointed remarks that exchanges are not classified as financial companies and that the ambiguous status of virtual assets leaves them in a regulatory blind spot. The financial authorities plan to push phase two of the Virtual Asset User Protection Act to strengthen user protection by regulating market entry and business conduct and managing stablecoins.