
DAXA mandates risk-based responses and IP whitelisting for Upbit, Bithumb, others after FSS probes spoofing on 30% of turnover. Forced key expiration possible.
South Korea's Digital Asset Exchange Alliance (DAXA) announced a new compliance standard on May 28 that forces member exchanges to block improper API key sharing. The policy targets the misuse of API credentials for market manipulation. Regulators say automated trading now accounts for roughly 30% of domestic crypto turnover.
The Financial Supervisory Service (FSS) found that some traders used API keys to repeatedly submit and cancel large buy orders. This created false demand signals. Traders then sold into the price rise. The FSS has not disclosed how many accounts are under investigation. The scale of automated trading – roughly 30% of domestic turnover – makes the risk material.
DAXA's framework does not impose a blanket ban on API keys. Instead, it requires exchanges to escalate responses based on risk level:
Jaejin Kim, Executive Vice Chairman of DAXA, addressed the urgency directly. “DAXA and its member companies will respond swiftly to new and emerging threats, and will take strong measures as needed to uphold the paramount value of user protection,” Kim said.
The standard applies to all five DAXA member exchanges: Upbit, Bithumb, Coinone, Korbit, and Gopax. These platforms must now roll out IP whitelisting systems. These restrict API access to pre-approved IP addresses registered by the account holder. Exchanges like Binance, Coinbase, OKX, and Kraken already support IP whitelisting voluntarily. DAXA's framework moves toward mandatory enforcement in specific scenarios. When a trader's API key has been flagged for sharing, whitelisting becomes required.
Traders who have lent or shared API keys with third parties face a concrete timeline for compliance. If an exchange detects that a key is being used from multiple IPs or by multiple accounts, it can force re-authentication. Non-compliance leads to key expiration. The exact detection methodology has not been disclosed. This introduces execution risk: traders may not know they are flagged until a warning arrives.
The FSS investigation is not limited to DAXA's new standard. Regulators are actively looking at accounts that used API keys to spoof order books. The technique – placing large orders and cancelling them before execution – is a classic market manipulation tactic. In a market where 30% of turnover is automated, the potential for abuse is high.
This crackdown follows a broader history of API credential misuse. In 2022, platform 3Commas was linked to a large-scale exposure of about 100,000 API keys tied to Binance and KuCoin accounts. Former Binance CEO Changpeng Zhao publicly cautioned users. He warned that API credentials represented "a serious risk for automated trading systems."
Security researchers have long warned that API credential abuse remains one of the least-discussed risks in crypto trading infrastructure. Crypto infrastructure firm Sodot noted that many such incidents get broadly labeled as generic hacks rather than properly classified as credential compromises.
DAXA has not disclosed how it will detect improper API key sharing. That gap creates uncertainty. If the detection relies on simple heuristics – such as multiple IPs per key – traders using legitimate multi-device setups could be caught in the net. If the detection is more sophisticated, the rules may be more effective. Enforcement consistency across five exchanges will determine the real impact.
The five DAXA member exchanges vary in size and technical capability. Upbit and Bithumb dominate domestic volume. Coinone, Korbit, and Gopax are smaller. Enforcement consistency will determine whether the rules actually reduce manipulation or simply push activity to less regulated platforms. The FSS has not indicated whether it will audit compliance.
Traders using API keys on Upbit or Bithumb should review their IP whitelisting settings now. The first forced key expiration could come without much warning. For the broader market, the move signals that South Korea is treating API key governance as a regulatory priority – not just a security recommendation.
For more on the evolving regulatory landscape in South Korea, see Korea's Banks and Fintechs Race for Crypto Infrastructure. For a broader view of automated trading risks, see our crypto market analysis.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.