The Context

On 10 February 2026, Bithumb, South Korea’s second-largest cryptocurrency exchange, suffered a catastrophic operational failure. A single employee entered a promotional value in bitcoin instead of Korean won. This data entry error converted a $423 giveaway into a $42 billion liability, erroneously crediting 620,000 bitcoins to customer accounts. The exchange’s systems failed to detect the currency-unit discrepancy. Some customers sold the assets before accounts were frozen, creating market volatility and leaving approximately $9 million unrecovered. Regulators have labelled the incident “catastrophic.”

The Risk

This is not a simple mistake. It is prima facie evidence of a systemic governance failure. Directors may be personally liable for a breach of their duty of care, skill, and diligence under section 137 of the Companies Act 1993. The failure to implement basic transaction verification controls—a multi-stage approval process for high-value disbursements—constitutes operational negligence. Under the Health and Safety at Work Act 2015, a director’s duty extends to ensuring, so far as is reasonably practicable, that the business does not conduct activities that risk financial harm. The board’s oversight of critical payment systems was demonstrably inadequate. The exchange’s public plea for voluntary returns “to avoid lawsuits” is a direct admission of civil liability exposure. Regulatory hearings will scrutinise this governance vacuum. Maximum penalties under the relevant Acts are severe.

The Control

Governance must be engineered, not assumed. The board must mandate and verify the existence of a failsafe technical and procedural control framework for all financial transactions. This requires segregation of duties, multi-factor authorisation protocols for sums exceeding a defined threshold, and real-time algorithmic validation of currency units and decimal places. The control system itself must be subject to independent, forensic audit. Your duty is to prove the system’s integrity.
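The controls named above can be expressed as a pre-release check on every disbursement. The sketch below is an added illustration, not Bithumb’s code or any exchange’s actual system; the conversion rate, thresholds, field names and operator IDs are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed reference data for illustration (not figures from the incident).
KRW_PER_UNIT = {"KRW": Decimal("1"), "BTC": Decimal("100000000")}
MAX_DECIMALS = {"KRW": 0, "BTC": 8}
DUAL_APPROVAL_KRW = Decimal("10000000")   # above this: two independent approvers
HARD_CAP_KRW = Decimal("1000000000")      # above this: never released automatically

@dataclass(frozen=True)
class Disbursement:
    amount: Decimal
    currency: str            # unit typed by the operator
    expected_currency: str   # unit recorded when the campaign was approved
    requester: str
    approvers: tuple = ()

def validate(d: Disbursement) -> list:
    """Return the reasons to block the payout; an empty list means release."""
    if d.currency not in KRW_PER_UNIT:
        return [f"unknown currency {d.currency!r}"]
    if not d.amount.is_finite() or d.amount <= 0:
        return ["amount must be a positive, finite number"]
    errors = []
    if d.currency != d.expected_currency:
        errors.append(f"unit mismatch: entered {d.currency}, approved {d.expected_currency}")
    if -d.amount.as_tuple().exponent > MAX_DECIMALS[d.currency]:
        errors.append(f"too many decimal places for {d.currency}")
    value_krw = d.amount * KRW_PER_UNIT[d.currency]   # normalise before limit checks
    if value_krw > HARD_CAP_KRW:
        errors.append("exceeds hard cap per disbursement")
    # Segregation of duties: the requester never counts as an approver.
    independent = set(d.approvers) - {d.requester}
    if value_krw > DUAL_APPROVAL_KRW and len(independent) < 2:
        errors.append("needs two approvers other than the requester")
    return errors

if __name__ == "__main__":
    # Constructed entries: the same number typed in the wrong and the right unit.
    for unit in ("BTC", "KRW"):
        d = Disbursement(Decimal("620000"), unit, "KRW", "ops1")
        print(unit, validate(d) or "release")
```

The design point for an auditor is that each check fails closed and the three controls are independent: the wrong-unit entry is blocked by the unit comparison, by the value cap and by the approval rule, so no single bypass releases it.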

The Challenge

These are the critical questions you should be raising at the board table:

Can you demonstrate, with audit evidence, the specific technical and human checkpoints that would have prevented a single data-entry error from creating a multi-billion-dollar liability?
What is the maximum financial exposure from a single erroneous transaction our systems permit, and on what legal basis do we accept that level of risk?
When was our payment system’s control framework last stress-tested by an external party, and what were the findings?