South Korean cryptocurrency exchange Bithumb accidentally gave away a staggering 620,000 bitcoins worth a total of over $40 billion earlier in the year, triggering a hasty selloff at the exchange.
The accident was caused by a surprisingly simple operational error: the exchange had intended to distribute small cash rewards worth upwards of 2,000 Korean won (US$1.40) to each user during a promotional event. However, the prize amounts were accidentally entered in bitcoin instead of Korean won. At the time, one bitcoin was worth approximately $70,000. Bithumb hastily restricted trading and withdrawals within 35 minutes, allowing them to recover about 99.7% of the miscredited amount—leaving over $120 million being sold or withdrawn before affected accounts were frozen. The event provoked a sharp, exchange-local price drop.
Most crypto exchange crises sound like (and indeed are) cybersecurity breaches, including incidents like stolen keys or smart contract exploits. Bithumb was quick to admit that the incident was not due to a hack, but an internal operational control failure. Specifically, the incident involved nothing more than a typo and controls failing to pick up the absurdly high payout. Clearly, the incident highlights an urgent need for exchanges to prove they can operate like critical financial infrastructure—complete with guardrails and multiple levels of accountability that assume humans make mistakes.
The Bithumb incident also highlights the ledger versus reality problem, which is something regulators are especially worried about. User balances are ultimately nothing more than internal ledger entries until assets move on chain. As such, the erroneous credit amounts dwarfed what the exchange actually held, raising serious concerns about what the system allows to be ‘true’ on the ledger versus what is actually available to settle or withdraw. In other words, if ledgers can be accidentally inflated, there absolutely needs to be a way to instantly contain the incident before it impacts the market integrity.
In the case of Bithumb, the market impact resulted in a short, albeit temporary price drop due to some recipients selling quickly within the half hour before mitigation controls kicked in. While the incident did not break the platform, it quickly caught the attention of regulators, who are increasingly wary of the potentially massive impacts of such incidents should they occur on a bigger scale.
For cryptocurrency fintechs, the incident serves as a sobering reminder of the systemic vulnerabilities in the space. It makes clear that dependable operational controls are now a commercial requirement and that ‘operations risk’ is now a top risk category for the sector. While cybersecurity is widely touted as the biggest threat to crypto, fintechs should prepare to invest more on mission-critical features like treasury controls, reconciliation, automation, and incident response. After all, regulators are cracking down, pushing for tougher internal controls that are genuinely capable of protecting consumers and investors from the inherent risks of crypto.