South Korea’s Financial Services Commission (FSC), through its Korea Financial Intelligence Unit (KoFIU), imposed a 2.73 billion won ($1.9 million) fine on cryptocurrency exchange Korbit for multiple breaches of anti-money laundering (AML) regulations. The penalties, announced on December 31, 2025, followed an on-site inspection conducted from October 16 to 29, 2024, which uncovered systemic compliance failures. These violations primarily involved the Specific Financial Transaction Information Act, including inadequate customer identification, unauthorized transactions with overseas operators, and skipped risk assessments.
Incident overview
The sanctions extend beyond the monetary fine to include an institutional warning for Korbit, a warning for its chief executive officer, and reprimands for compliance officers responsible for reporting obligations. Korbit, ranked as South Korea’s fourth-largest crypto exchange by trading volume, allowed approximately 22,000 transactions without completing required customer due diligence procedures. Regulators highlighted 19 cryptocurrency transfers to three unregistered overseas virtual asset service providers (VASPs) and 655 instances of failing to perform mandatory AML risk evaluations, particularly for new services like NFTs.
This action underscores the FSC’s commitment to rigorous oversight in the virtual asset sector, signaling that even established platforms face severe repercussions for lapses that could facilitate illicit finance. The KoFIU’s sanctions committee deliberated on these findings, emphasizing Korbit’s role in exposing the market to money laundering risks through weak internal controls.
Regulatory framework
South Korea enforces stringent AML rules for crypto exchanges under the Act on Reporting and Using Specified Financial Transaction Information, commonly known as the Specific Financial Transaction Information Act. This legislation mandates VASPs to conduct thorough customer due diligence (CDD), restrict transactions for incomplete verifications, prohibit dealings with unreported foreign VASPs, and perform pre-launch risk assessments for new products. Violations trigger inspections by the KoFIU, which operates under the FSC, leading to fines, warnings, and personnel sanctions.
Complementing this is the Virtual Asset User Protection Act (VAUPA), effective July 19, 2024, which aims to safeguard user assets, curb unfair trading, and empower regulators with supervisory powers over VASPs. VAUPA requires separate account management for deposits, insurance enrollment against hacks, and five-year retention of transaction records, with extensions possible. It builds on prior frameworks by authorizing on-site audits and penalties for non-compliance, reflecting South Korea’s proactive stance post-global crypto scandals like FTX.
These laws align with Financial Action Task Force (FATF) standards, classifying crypto as high-risk for money laundering and terrorist financing. The FSC and Financial Supervisory Service (FSS) coordinate enforcement, issuing guidelines for KYC protocols and suspicious activity reporting to foster a “sound market order.”
Specific violations
Korbit’s primary infraction involved 22,000 cases where it permitted trading without full customer identification, breaching CDD obligations under the Specific Financial Transaction Information Act. Customers with elevated money laundering risks due to assessments were not subjected to additional scrutiny, allowing unrestricted access. This systemic failure exposed the platform to potential abuse by unverified users.
Additionally, the exchange facilitated 19 virtual asset transfers with three overseas VASPs that had not reported to Korean authorities, violating transaction bans on unregistered entities. Korbit also neglected 655 required AML risk assessments, notably for NFT services and cross-border activities, indicating inadequate preparation for emerging risks. Regulators noted these lapses demonstrated “major compliance weaknesses” in internal controls.
The October 2024 inspection revealed these issues across customer verification, transaction limits, and risk management, with no evidence of intentional misconduct but clear procedural negligence. Such breaches heighten vulnerability to illicit flows, prompting the KoFIU’s decisive response.
Korbit’s background
Founded in 2013, Korbit pioneered South Korea’s crypto market as the first BTC/KRW fair trading platform and Korea Bitcoin Exchange. It achieved milestones like launching the world’s inaugural KRW-based Bitcoin beta service in April 2013 and full operations by July. Acquired by NXC Corporation (Nexon parent) in September 2017, Korbit ranks third or fourth in domestic trading volume per CoinMarketCap data.
Headquartered in Seoul’s Gangnam-gu, Korbit restricts services to Korean residents, using KRW as its primary fiat and Korean interface. In 2022, it proactively disclosed all held assets amid FTX concerns, the first such transparency in Korea and blocked Russian IPs amid sanctions. Despite innovations, it faced prior regulatory scrutiny, positioning this fine amid ongoing compliance pressures.
Korbit’s evolution from startup to major player highlights its market influence, yet repeated oversight lapses underscore challenges in scaling AML amid rapid growth. Current talks to sell a stake add context to this penalty’s timing.
Broader implications
This fine exemplifies South Korea’s intensified AML crackdown, with inspections targeting major exchanges like Upbit and Bithumb since 2024, projecting fines in hundreds of billions of won by mid-2026. Uniform penalties ensure no platform evades accountability, protecting market integrity amid crypto’s growth.
For Korbit, the $1.9 million hit, significant for its scale, could strain operations, deter investors, and complicate stake-sale negotiations. Personnel sanctions may spur leadership changes, while public warnings amplify reputational damage in a trust-dependent sector. Industry-wide, it accelerates compliance investments in KYC tech and audits.
Globally, it reinforces FATF-aligned enforcement, deterring illicit crypto use and boosting investor confidence. However, overzealous regulation risks stifling innovation in a market where South Korea leads retail adoption.
The KoFIU plans systematic follow-ups on other inspections, vowing “strict penalties” for serious breaches to enhance VASPs’ AML capabilities. Korbit receives at least 10 days to respond before finalizing fines, potentially mitigating amounts via defenses.
Exchanges face heightened scrutiny under VAUPA, with FSS/FSC pushing insurance, record-keeping, and unfair trading curbs. Korbit must overhaul CDD, risk assessments, and VASP reporting to avoid recurrence, possibly adopting AI-driven monitoring.
Long-term, this fosters a mature ecosystem, aligning crypto with traditional finance. Yet, sustained enforcement could consolidate the market around compliant giants, shaping South Korea’s role in global digital assets.