South Korea cools on crypto oversight as strict liability rules loom
South Korea’s once-prominent Virtual Assets Committee (VAC) has quietly faded into the background, signaling a clear change in how the country is approaching digital assets. The committee, created roughly a year ago to help shape and coordinate crypto regulation, has not convened since May, according to local outlet Kookmin Ilbo.
Instead of pushing ahead with crypto-focused reforms, the government now appears more interested in traditional markets, particularly measures designed to boost the performance and appeal of domestic equities. Plans to relax restrictions on digital assets or deepen institutional participation in crypto have effectively been put on hold.
This policy reset comes in the wake of significant political upheaval. After the impeachment of President Yoon Suk-yeol, who was seen as more open to crypto-friendly reforms, his successor Lee Jae-myung has moved in a different direction. Under Lee, the focus has shifted toward cooperation between lawmakers and the powerful Financial Services Commission (FSC), rather than continuing to rely on the VAC as a central crypto policy hub.
As a result, earlier ambitions now look increasingly unrealistic. One notable example is the roadmap that envisioned allowing publicly listed companies on the Korean stock market to hold crypto on their balance sheets by 2025. With the VAC effectively mothballed and priorities redirected, that timeline appears unlikely to be met, if it remains a goal at all.
At the same time, regulators are moving aggressively to tighten the rules for crypto exchanges themselves. Authorities have announced a plan to introduce strict liability standards for digital asset platforms, a shift that would drastically raise the legal and financial stakes for operators. This move is a direct response to a series of security incidents, most prominently a high-profile hacking attack on Upbit, South Korea’s largest crypto exchange.
The FSC has confirmed that these measures will be written into upcoming legislation focused on virtual assets, with an explicit goal: strengthen investor protection and close longstanding regulatory gaps. Under the strict liability principle being considered, exchanges could be required to compensate users for losses caused by hacking or system failures, even if the exchange cannot be shown to have been negligent or at fault.
Legal experts describe this as a fundamental change in how responsibility is allocated. Rather than forcing consumers to prove that an operator acted improperly, the burden shifts to the company. Unless a user is found to have acted with gross negligence—such as deliberately ignoring basic security procedures—platforms would bear the cost of incidents that result in customer losses.
South Korea already uses strict liability in other high-risk sectors. It is a familiar tool in cases such as automobile accidents and hazardous industrial operations, where individuals are unlikely to have the power or information to fully protect themselves. Extending that same logic to crypto suggests regulators increasingly view digital asset trading as a systemically sensitive activity that demands robust safeguards.
Currently, however, crypto exchanges sit outside the scope of South Korea’s Electronic Financial Transactions Act, which governs banks and other traditional financial institutions. That exclusion has created a regulatory blind spot. While stock brokers and payment providers must meet detailed security and operational standards—and can be held liable when they fail—crypto platforms have operated in a more ambiguous space.
The Upbit incident exposed the risks of that ambiguity. On November 27, between 4:42 and 5:36 KST, attackers were able to siphon large quantities of Solana-based tokens from the exchange to external wallets during a 54-minute window. Although Upbit took measures to contain the breach and investigate, regulators discovered that there was no clear statutory basis to directly penalize the platform under the existing Virtual Asset User Protection Act.
Data compiled by authorities shows this was not an isolated event. Between 2023 and September 2025, five major Korean exchanges reported 20 separate cyber incidents that together affected more than 900 users. Upbit alone recorded six attacks impacting 616 customers. Bithumb reported four cases affecting 326 users, while Coinone disclosed three incidents that hit 47 users. These numbers, taken from supervisory data, have helped fuel calls for tougher oversight.
Lee Chan-jin, head of the Financial Supervisory Service (FSS), has been explicit about the stakes. He described system security as “the lifeblood of virtual resource markets,” underscoring that without reliable platforms, investor confidence—and by extension market growth—cannot be sustained. His remarks helped pave the way for the proposed strict liability framework and the broader regulatory overhaul.
Under the new rules being drafted, crypto exchanges would be held to the same general security and operational standards that apply to traditional financial firms. This would include requirements to maintain sufficient qualified staff, appropriate facilities, and resilient IT infrastructure capable of withstanding cyberattacks and operational stress. Platforms would also need to file annual technology and security plans with regulators, providing ongoing transparency into how they manage risk.
Financial penalties are also set to become far more severe. Proposed amendments envision fines of up to 3% of an exchange’s annual turnover in cases of serious violations—a level that would make regulatory compliance integral to business strategy rather than an afterthought. For larger platforms, such fines could amount to tens of millions of dollars, creating a powerful incentive to invest heavily in cybersecurity and internal controls.
Market observers widely expect the legislative package to move quickly through the National Assembly. The ruling party has signaled strong support for sharper investor protection, betting that a firm regulatory stance will be more politically attractive than efforts to court the crypto industry with deregulation. In anticipation, many exchanges are already reassessing their approach to compliance, risk management and insurance coverage.
For the crypto sector, this marks a mixed turning point. On one hand, the dormancy of the VAC and the shelving of ambitious integration plans—such as enabling listed companies to hold digital assets—suggest a cooling of institutional enthusiasm. The narrative of South Korea as a potential trailblazer in mainstream crypto adoption has clearly been tempered.
On the other hand, the introduction of strict liability and tighter security standards could ultimately make the market more credible in the eyes of both domestic and foreign investors. A legal framework that clearly spells out responsibilities and consequences might reduce the perception that crypto trading is a “wild west” activity, instead aligning it more closely with established financial norms.
Exchanges, however, face a difficult balancing act. Compliance with strict liability expectations will likely require substantial investment in infrastructure: advanced intrusion detection systems, regular security audits, upgraded cold storage solutions, incident response teams and robust user authentication. Smaller platforms may struggle to absorb these costs, potentially accelerating consolidation in the industry as weaker players exit or are acquired.
User behavior will also come under the microscope. While strict liability shifts most of the burden to exchanges, the exception for gross negligence means individuals will still need to adopt basic safeguards, such as using strong passwords, enabling two-factor authentication and being alert to phishing schemes. Disputes over whether a customer acted “recklessly” are likely to test the boundaries of the new rules once they are implemented.
The regulatory shift also reshapes the broader investment landscape in South Korea. By prioritizing stock market reforms and investor protection over crypto liberalization, policymakers are signaling that capital markets modernization and stability outweigh the push to foster a high-risk, fast-moving digital asset sector. This may redirect institutional capital toward tokenized financial products, regulated derivatives or blockchain-based infrastructure built firmly within existing financial rules, rather than speculative trading on centralized exchanges.
In the longer term, South Korea’s approach could serve as a template for other jurisdictions grappling with the same dilemma: how to encourage innovation in digital assets while minimizing the damage from hacks, frauds and system failures. If the strict liability regime succeeds in reducing incidents and restoring trust without suffocating legitimate business, it may be seen as a viable middle path between outright bans and laissez-faire regulation.
For now, though, the message is clear. Crypto in South Korea is no longer at the center of the policy conversation. The once-active Virtual Assets Committee is effectively on ice, while the real momentum is behind tough new obligations for exchanges and a strategic emphasis on shoring up conventional financial markets. Whether that trade-off ultimately benefits investors and the broader economy will become apparent only as the new rules take hold and the industry adapts—or fails to.