South Korea’s DAXA Cracks Down on Crypto API Abuse

• DAXA mandates Upbit, Bithumb, Coinone, Korbit, and Gopax to invalidate suspicious shared API keys.
• Automated trading accounts for 30% of Korean crypto volume, making API governance a systemic issue.
• Exchanges must now monitor, warn, re-verify, and force-expire API keys based on risk level detected.

South Korea’s Digital Asset Exchange Alliance (DAXA) has established mandatory compliance standards requiring the country’s major cryptocurrency exchanges to detect and invalidate API keys suspected of being improperly shared or lent between users.

The policy, announced May 28, targets a specific exploitation method that has been used to facilitate price manipulation and unfair trading practices across Korean crypto markets. DAXA member exchanges, including Upbit, Bithumb, Coinone, Korbit, and Gopax, are all subject to the new standards.

Why This Matters

API keys are access credentials that allow users and external programmes to interact with exchange accounts, placing orders, checking balances, and executing withdrawals without manual login. When lent or shared with third parties, they become a tool for coordinated trading activity that can manipulate prices while obscuring who is actually behind the trades.

The Financial Supervisory Service of Korea said that automated trading currently accounts for approximately 30% of cryptocurrency trading volume in the country, making API key governance a systemic market integrity issue rather than an edge case.

What Exchanges Must Now Do

Under the new standards, exchanges are required to implement a layered response framework based on risk level:

• Enhanced monitoring of API key activity patterns flagged as suspicious
• Warning notifications are issued to users when abnormal sharing behaviour is detected
• Identity re-verification requirements triggered by suspicious activity
• Forced API key expiration for confirmed cases of improper lending
• IP address whitelisting allowing API access only from pre-registered addresses

The IP whitelist requirement is particularly significant. It means even if an API key is shared, it cannot be used from an unauthorised device or location, adding a hardware-level barrier to credential abuse.

The Context

API credential abuse has been a persistent but underreported vulnerability across crypto trading infrastructure. Security researchers have noted that many API-related incidents are categorised broadly as generic hacks rather than specifically as credential compromise, masking the true scale of the problem.

The 2022 3Commas incident exposed approximately 100,000 API keys linked to Binance and KuCoin accounts, demonstrating the scale of damage possible when credential management fails. Major exchanges, including Binance, Coinbase, OKX, and Kraken, already support IP whitelisting and permission management as optional features. DAXA’s new standards move toward mandatory enforcement rather than voluntary adoption.

DAXA Executive Vice Chairman Jaejin Kim framed the policy in direct terms. “DAXA and its member companies will respond swiftly to new and emerging threats and will take strong measures as needed to uphold the paramount value of user protection.”

What It Signals

Korea remains one of the most active retail crypto markets in the world. Regulatory actions from DAXA and the Financial Supervisory Service consistently set precedents that other jurisdictions observe closely. Mandatory API key governance standards, if adopted more broadly, would close one of the most practically exploitable gaps in crypto exchange security infrastructure.

Related: Samsung Units Invest $408M for 4% Stake in Dunamu