Updated: Jul 3
Disclaimer: all opinions are of the author, who is not a lawyer or a compliance expert
-from an ex-US government regulator who prosecuted cybercriminals
The right way
In any cybercrime involving money, the straightforward way to find the perpetrators is to 'follow the money'. Because blockchains are immutable, transparent public ledgers, in theory any stolen cryptocurrency can be traced with enough patience and some basic guidelines. Ultimately the stolen crypto has to end up at a cryptocurrency exchange, where the criminal 'cashes out' into usable fiat money. The owner of any given cryptocurrency address is typically unknown, which is what makes blockchains pseudonymous rather than anonymous, but these days the hot-wallet addresses of most major exchanges are public information, labeled in open blockchain explorers such as the Bitquery explorer and etherscan.io. A trace that ends at one of those labeled addresses tells you which exchange to approach.
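The tracing step above, as an added example written for this edit (it is not code from the original post). The ledger, the address names and the exchange labels are constructed sample data standing in for what a block explorer would show; the Tx class and trace() function are assumptions made for illustration. The trace follows outgoing transfers hop by hop, ignores dust, and deliberately stops at a labeled exchange wallet, because the exchange is the chokepoint where a freeze request goes and following funds past its hot wallet would mix them with unrelated customer flows.

```python
"""Follow-the-money tracing over a small, constructed transaction graph.

Added example, not code from the original GASO post. All transactions,
addresses and labels below are constructed for illustration; the labels
play the role of the public exchange hot-wallet labels that explorers
such as etherscan.io publish (hypothetical names, not real ones).
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    src: str
    dst: str
    amount: float  # units of a stablecoin such as USDT, for illustration


# Constructed sample ledger (not real transactions).
SAMPLE_TXS = [
    Tx("t1", "victim", "scam_in", 50_000),
    Tx("t2", "scam_in", "hop_a", 30_000),
    Tx("t3", "scam_in", "hop_b", 20_000),
    Tx("t4", "hop_a", "hop_c", 29_900),
    Tx("t5", "hop_c", "exch1_hot", 29_800),
    Tx("t6", "hop_b", "exch2_deposit", 19_950),
    Tx("t7", "hop_b", "unrelated", 10),            # dust, below threshold
    Tx("t8", "exch1_hot", "hop_d", 1_000_000),     # exchange's own outflow; must not be followed
]

# Hypothetical explorer labels: address -> human-readable owner.
LABELS = {
    "exch1_hot": "Exchange One hot wallet",
    "exch2_deposit": "Exchange Two deposit address",
}


def build_index(txs):
    """Map each source address to its outgoing transfers."""
    out = {}
    for tx in txs:
        out.setdefault(tx.src, []).append(tx)
    return out


def trace(start, txs, labels, min_amount=100.0, max_hops=10):
    """Breadth-first trace of outgoing funds from `start`.

    Stops at any labeled (exchange) address and records the path of txids
    that led there plus the amount that arrived. Dust transfers below
    `min_amount` are ignored, each txid is visited once (so cycles end),
    and the walk never continues past an exchange wallet.
    Returns a list of (label, address, [txids], amount_arrived).
    """
    index = build_index(txs)
    hits = []
    seen = set()
    queue = deque([(start, [])])
    while queue:
        addr, path = queue.popleft()
        if len(path) >= max_hops:
            continue
        for tx in index.get(addr, []):
            if tx.amount < min_amount or tx.txid in seen:
                continue
            seen.add(tx.txid)
            new_path = path + [tx.txid]
            if tx.dst in labels:
                hits.append((labels[tx.dst], tx.dst, new_path, tx.amount))
                continue  # chokepoint reached; do not follow the exchange's own flows
            queue.append((tx.dst, new_path))
    return hits


def summarize(hits):
    """Total amount that reached each labeled exchange address."""
    totals = {}
    for label, _addr, _path, amount in hits:
        totals[label] = totals.get(label, 0.0) + amount
    return totals


if __name__ == "__main__":
    found = trace("victim", SAMPLE_TXS, LABELS)
    for label, addr, path, amount in found:
        print(f"{amount:>10,.0f} -> {addr} ({label}) via {' > '.join(path)}")
    print(summarize(found))
```

In practice the ledger comes from an explorer API or a node rather than a hard-coded list, and the label set is whatever the explorer or a commercial tracing tool publishes; the output (exchange, deposit address, txid path, amount) is exactly the evidence an exchange or a police officer asks for when a freeze is requested.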
One can then ask the destination exchange to freeze the traced assets, if they are still there, on the strength of one's evidence (the cryptocurrency trace plus whatever else shows how the funds were illicitly obtained). Exchanges will almost always insist that law enforcement contact them, if it has not already done so. Ordinarily, law enforcement obtains a warrant or subpoena directed at the financial platform the fraudsters used, requiring the platform to freeze the assets and turn over the suspect account holder's information, or KYC (Know-Your-Customer) records in banking jargon. Sometimes a law enforcement request alone is enough for an exchange to comply. Alternatively, one can obtain a court order to the same effect through a lawyer in a civil fraud case. Once a financial institution cooperates by either route, identification and prosecution of the criminals can proceed.
What Actually Happens
Unfortunately, one has a better chance of seeing pigs fly than of seeing an investigation of a cryptocurrency scam go as smoothly as above, especially for pig-butchering scams. Many factors butcher all hope of recovery: the particulars of the scam and the victim, law enforcement, and the exchanges. Briefly, on the law enforcement side, police are chronically understaffed, undertrained, under-equipped, or plainly clueless and dismissive about cryptocurrency. In pig-butchering cases it was, additionally, initially very hard for victims to explain to police departments how what happened to them is a crime rather than a failed investment with an irresponsible friend. Many victims were never assigned a detective. Ultimately, law enforcement action always comes too late.
Police attitudes are changing now as awareness of this kind of crime grows. Adequacy of law enforcement resources and training is a domestic issue, so this post will be about how cryptocurrency exchanges, particularly the Chinese-founded ones, Binance, Huobi, OKex, and KuCoin, are effectively enabling and protecting the pig-butchering scam industry.
Binance is by far the biggest exchange in the world by trading volume, 12 to 18 billion dollars a day, while Huobi, OKex and KuCoin are frequently within the top ten in the world, Huobi sometimes as high as 3rd. Binance and Huobi are among the exchanges where victims of pig-butchering scams most commonly find their assets ending up last before leaving the blockchain. Much has already been written about the sheer amount of money laundering facilitated by Binance and about the attitude of its founder Changpeng Zhao (see the two hyperlinked special reports by Reuters), to which we add the following.
Reportedly, as late as 2021 Binance permitted opening accounts and making large withdrawals with only an email address as identification (KYC is NOT a new requirement as of 2021, nor a nice-to-have). Lately Binance has been much better about KYC and about cooperating with law enforcement, though there are still other issues GASO wants to raise. Binance freezes an account for only 7 days after being informed by a victim of cybercrime, which is simply not enough time for police to open an investigation, study the case and formally contact Binance, especially if they go through a district attorney and a court subpoena. And even with direct law enforcement involvement and a successful freeze of the crypto assets, Binance seemingly drags its feet in returning assets to victims. We have heard more than once that Binance negotiates, or facilitates negotiations, with the suspects, contrary to criminal subpoenas under which notification of suspects is not allowed. This is hard to show, because outside of public court spectacles that almost no victim can afford, recoveries from Binance are rare and victims are made to sign confidentiality agreements.
Many of Huobi's AML failures, bordering on complicity, have been covered in a must-read post by CipherBlade, to which we want to add our own experiences. When contacted by victims of, say, pig-butchering scams, Huobi specifically asks for screenshots showing how one was defrauded, in addition to the cryptocurrency tracing work showing that the scammers used Huobi. Explaining the scam to Huobi staff should not be hard, since Huobi itself has described the 'pig butchering scam' in detail on its own website, in both English and Chinese, since at least late 2020.
Pig Butchering Scam detailed on Huobi website
What if law enforcement does follow through?
Huobi, OKex and the other offshore exchanges will challenge, delay, or ignore lawful requests and court orders anyway. They may: ask for more credentials from the requesting police officers, even which university they graduated from; respond to a US subpoena that it has to come from the exchange's local court (a Seychelles court); say that a prosecutor's subpoena has to be a court warrant; or simply ignore the request (acknowledging, even on follow-up, that they did not respond). Of course we do not want just anyone claiming to be a police officer to email the exchanges demanding that accounts be frozen. But it is as if the job of these exchanges' lawyers is to find legal grounds for not complying. (Which university did they come from?) In contrast, Binance has been cooperative with law enforcement recently, at least in handing over KYC... a good boy in comparison.
Which papers to push
There is at least one way that has worked to make these exchanges comply. Huobi, OKex and KuCoin are nominally incorporated offshore in the Republic of Seychelles (do you know where it is?) and so claim to be governed by its laws. According to one victim's experience, shared by crypto-helpline.com, Huobi and OKex, but not KuCoin, cooperate with the Seychelles Financial Intelligence Unit (FIU), the country's anti-money-laundering body. These, however, are the hoops to jump through: the investigating police officer has to ask, through proper channels and several layers of government, their own country's FIU (FinCEN in the USA), which then makes a formal request to the Seychelles FIU, which then contacts the Seychellois-incorporated exchanges. Apparently Huobi and OKex have been pliant with the Seychelles FIU so far, but KuCoin still does not respond and has just been struck off the Seychellois registries. This entire inter-agency, cross-country coordination needlessly takes many months, and it does not scale: imagine tens of thousands of victims and the small Seychellois FIU office. For some basic, time-sensitive actions Huobi gives victims instructions that it may not honor anyway, on a whim, and OKex tells law enforcers to first dance through the Mutual Legal Assistance Treaty between their country and Seychelles (in summary: local police --> national police --> justice ministry --> foreign ministry --> embassy --> Seychelles foreign ministry, and so forth in reverse). Meanwhile the stolen assets, usually USDT, have long since been 'cashed out' and spent: the blockchain settles transfers in seconds, at roughly 12 transactions per second, while the paperwork takes months.
Justice delayed is justice denied.
And what if the exchanges do comply? One hopes the KYC / customer records they keep are trustworthy. Being able to register with Huobi and KuCoin as Taylor Swift with a beard does not inspire confidence.
Rich Sanders of CipherBlade dressed up as Taylor Swift for his KYC verification photo. Source: https://bravenewcoin.com/insights/kucoin-huobi-kyc
KuCoin, which has no direct crypto-fiat conversion with banks, advertises as a selling point that it does not require full KYC verification for withdrawals below 5 BTC (~$150,000 USD in June 2022), a very high threshold.
Cryptocurrency exchanges are typically licensed as money transmitters / money service businesses (MSBs). Under any decent financial regulatory regime, all MSBs must implement KYC and report to their country's FIU all transactions over roughly $10,000 USD in value, including cryptocurrency transactions (see the relevant FATF guidance on cryptocurrency, from 2019). How could these exchanges file those mandatory reports with incomplete KYC? Easy answer: they probably don't.
In the US, missing such reports and other anti-money-laundering controls led the MSB Western Union to settle with US regulators for $586 million, which went into a fund for victims of wire fraud conducted through Western Union. A closer precedent: the exchange BitMEX and its supporting companies were fined $100 million for lacking anti-money-laundering controls, with three BitMEX founders each personally fined a further $10 million.
Public service announcement takebacks
Note that official communication with the Chinese-founded offshore exchanges can only take place by email, and they do not publicly list any physical address. According to Huobi's and OKex's legal statements as of June 2022, they operate under the laws of the Republic of Seychelles, even though Huobi allegedly has only a PO box in the Seychelles while most of its staff are in Singapore. GASO knows for a fact that the Huobi support staff telling victims to go to the Seychellois authorities are sitting in Singapore. Curiously, in a March 2021 public service announcement the Seychelles Financial Services Authority (FSA) denied ever licensing Huobi, though it appeared to take the warning back a day later. In an email inquiry months later, the Seychelles FSA reiterated that it still does not license or regulate Huobi. A further inquiry to the Seychelles FSA about why it appeared to have taken down its public warning against Huobi went unanswered. It may not matter much longer anyway, since Huobi is moving to Gibraltar. Or Dubai.
Seychelles FSA denying that it licenses or regulates Huobi.
Conclusion: Huobi and likely OKex are operating as unlicensed, unregistered and at best alegal MSBs out of Seychellois and Singaporean territory (Hong Kong, probably, for KuCoin).
Why? Why? Why? GASO's Take
While due process for the suspect account holder is important, and insisting on due process is any business's right, the legal roadblocks these offshore exchanges put up are, quite frankly, unnecessary. Unlike in a few other countries, nothing in the laws of the countries they are incorporated in prevents them from cooperating with foreign law enforcement. It would also be laughable for them to fear being sued by their current customers, given how they have structured themselves to be practically unaccountable. More likely, they are afraid of driving business away, including illicit business. As private businesses, and as stated in their own user terms, they "reserve the right..." to do anything they want with the accounts and assets they hold. Not dealing fairly with aggrieved third parties is a purely business decision. If they are truly regulated (or simply have a conscience), they have an affirmative responsibility to root out illicit activity on their platform and to aid law enforcement.
Complying with growing financial regulation is, to be sure, very expensive. Compliance is not a money-making department; it earns its keep only insofar as it prevents even more money from being lost to regulatory fines. It may then be cheaper to move to jurisdictions without stringent regulations on cryptocurrency... and to keep moving, staying ahead of lawsuits and regulators. How else could they afford dirt-cheap trading fees? It is regulatory arbitrage taken to the extreme, 'jurisdictional gymnastics'. The exchanges mentioned above mostly operate physically in Singapore but do not serve Singaporeans, only those outside the city-state. To profit from customers in countries that restrict them, these "global" exchanges create a local subsidiary (e.g., Huobi Singapore), a separate legal entity tailor-made to comply with local requirements, so as not to disturb their shoddy-but-profitable business elsewhere while still gaining access to that regulated market. Think of the leaked 'Tai Chi' document of Binance US, which details corporate plans to set up a shell company shielding the parent Binance company from regulatory obligations.
Injustice anywhere is a threat to justice everywhere
So is it okay for an exchange to operate safely in a country without being licensed, so long as it does not serve the residents there? This is akin to the semi-legal online scam companies in Southeast Asia that do not target residents of their host country. TENS of BILLIONS of dollars have already been lost to pig-butchering scams, and GASO sees pig-butchering scammers earning at least $40 - $50 million in cryptocurrency every month. To paraphrase Martin Luther King, Jr., money laundering anywhere undermines anti-money laundering everywhere.
Perhaps another reason for these exchanges' refusal to register is to shield the parent company from scrutiny. As part of getting licensed, MSBs have to open all their books and be prepared to name all the principals of their organizations, including potentially all their backers and financiers. We suspect the Chinese exchanges would not want governments or the public to know who their Chinese patrons are and how those patrons park their assets there. Furthermore, there are rumors in the Chinese underworld that Southeast Asian scam conglomerates and their owners do business directly with, or are co-investors in, the exchanges and Tokenlon. This is still speculation that needs more research and investigation. As for the manipulation of their books, some insiders are already squealing about it:
An anonymous complaint in Glassdoor about Huobi (Singapore)
If there's a will, there's always a way
Is the world powerless against these everywhere-but-nowhere exchanges-cum-money launderers? Against individual entities, probably not forever. The SUEX exchange, which laundered cryptocurrency for Eastern European cybercriminals, was sanctioned by the US government, meaning that every business that does business with the US is prohibited from doing business with SUEX and connected persons and entities. The founders of Crypto Capital Corp, connected to money laundering for Colombian drug cartels and shady cryptocurrency exchanges, have been arrested by US and European authorities. The AML Act of 2020 gave US law enforcement powerful subpoena powers over foreign banks: when such a subpoena is used and signed by a judge, the foreign bank has to comply without notifying the suspect account holder, or else it gets sanctioned and is essentially cut off from the US financial system.
Is there an artful way to make the obstructionist exchanges comply through their banks? Why not expand the AMLA's reach to all financial institutions, including MSBs and cryptocurrency exchanges? Could sanctions be extended to non-financial measures, like de-platforming from app stores (Google Play, the Apple App Store), bans on accepting their advertising business, on server hosting, and so on? (Note: not banning information about them.) Arguably this should also be done for the MetaTrader 4 & 5 apps, whose willful negligence toward scammers using the MetaTrader platform GASO has previously covered. The US dollar's status as the world's reserve currency has its perks: theoretically the US Treasury has jurisdiction over anything that uses the US dollar, and transnational scammers need US dollars like anyone else. Where would these Chinese exchanges, worth billions, turn to instead, crypto-banning China?
These are just ideas, and sanctions are very leaky anyway. The point is that US authorities have plenty of precedents and tools for going after foreign criminal enterprises. Unfortunately, using them takes a lot of resources, political will and perhaps public pressure. People all over the world are losing billions of dollars of their life savings to cybercrime and investment scams, particularly to pig-butchering scams facilitated by these exiled Chinese crypto exchanges. This post has by no means established anyone's guilt, only that there is a 'there' there.
For comments, concerns, corrections, tips and experiences with these exchanges that you would like to share, we would like to hear from you at firstname.lastname@example.org. Help us do more digging, or at least buy us boba. For tips leading to successful regulatory enforcement action, the US government offers millions of dollars in whistleblower bounties, including for AML violations. Feel free to share with us ;)
If you think our work is of any value, please consider sharing it and supporting our non-profit financially; we at GASO are all volunteers running all of this on our own time and dime. Help us bring more good reporting in the future.