Security expert demonstrated how KuCoin and Huobi unexpectedly failed the KYC test
16.12.2020

By bit.team

CipherBlade founder Rich Sanders tested the KYC procedures of the mega-exchanges KuCoin and Huobi. His research showed that these processes are more of a formality than a real effort to stop scammers.

“Know your client” or one-man theater

The crypto asset exchange ecosystem is notorious for its vague approach to know-your-customer (KYC) and anti-money laundering (AML) compliance. There are several reasons for this. Cryptocurrency is a global phenomenon, but each country regulates the segment differently, and many are in no hurry to adopt new laws specific to the growing crypto markets. And where exchanges found the local rules too strict, they moved to jurisdictions such as Malta or the Cayman Islands, where they find legal oversight less burdensome.

However, as cryptocurrency markets have developed, some major exchanges that operate as fiat platforms have recognized the need for strict KYC and AML programs to appease authorities and ensure that attackers cannot take advantage of their platforms.

Others, however, seem to use the KYC procedure simply as a formality. Blockchain analysis firms such as CipherTrace, Chainalysis and CipherBlade have a detailed understanding of the blockchain ecosystem, and it is their teams that are best equipped to understand not only the movement of cryptocurrencies, but also the security practices on various exchanges.

A recent CipherTrace report found that 56% of global crypto exchanges have weak identification protocols. The report says that, despite existing crypto-AML regulations, many countries continue to accept virtual asset service providers (VASPs) with insufficient KYC. CipherTrace reports that in 2020, 56% of VASPs worldwide have weak or porous KYC processes, meaning that money launderers can use these VASPs to deposit or withdraw their illegally obtained funds with minimal or no KYC.

More transparent VASPs that allow deposits and withdrawals with minimal or zero KYC run the risk of encountering traditional money laundering tricks such as structuring.

High level of security

Rich Sanders, the co-founder and lead researcher of CipherBlade, demonstrated on Twitter the weak KYC procedures of two of the largest exchanges, KuCoin and Huobi. In two separate Twitter threads, Sanders created fake identities and then successfully passed the first stage of KYC on the two Chinese exchanges. For dramatic effect and to emphasize the absurdity of the situation, Sanders actually dressed up as Borat and Taylor Swift and submitted photos of himself in character during the KYC process.

And he successfully went through the procedure in both cases.

Rich Sanders commented on all this as follows:

“KYC is just one of several aspects of the compliance program. Saying this is important may give the impression that I am a proponent of increased KYC requirements, which is largely incorrect. However, if you are going to develop a compliance program, it is important to do it correctly.

Signaling the virtue of KYC is more destructive than not having it at all. For example, ICOs in the 2017 era were notorious for enforcing the rules of virtue. They simply collected all the identity documents sent by people and performed a visual inspection. Instead of spending money on Onfido (an identity platform), they had a community manager with zero compliance experience who looked at IDs.

As you can see, this is still happening now on major exchanges. Just amazing. Many in our industry criticize banks, and rightly so. How are we going to replace the banks if I can do this trick?

I’m trying to emphasize that, both in AML programs and in everything else – just taking these exchanges at their word won’t work. Exchanges such as Huobi and KuCoin say something like “we take compliance seriously”, but in reality this is far from the case.”