In brief
- 56% of virtual asset service providers lack strong know-your-customer (KYC) practices, a new study found.
- 81% of decentralized exchanges (DEXs) have little-to-no user verification.
- These discrepancies could open the door to financial crime and international sanctions, says blockchain analysis firm CipherTrace.
A new study from blockchain analysis firm CipherTrace found weak user verification practices across the world’s cryptocurrency sphere, underpinning concerns that crypto exchanges could remain vessels for money laundering and other crimes.
The study analyzed more than 800 centralized, or company-run, and decentralized, or automated, cryptocurrency exchanges, as well as over-the-counter trading desks and other kinds of service providers.
In the end, 56% had frail KYC, or know-your-customer, practices, meaning most crypto exchanges are doing very little to force clients to prove their identities when accessing their platforms—though CipherTrace declined to name names.
Decentralized cryptocurrency exchanges (DEXs), which have seen massive trading volume growth over the past year, were designed to let users exchange currencies without a third party—and therefore bypass certain regulatory obstacles. For the study, CipherTrace analyzed 21 DEXs for which it could identify a country of origin. Of those, 81% had scant ID verification processes, or none at all. In fact, Dave Jevans, the firm’s chief executive officer, said the total 56% of unsecured service providers would have been substantially lower, at least in the US, if the study had excluded DEXs.
These findings come shortly after Decrypt reported that a hacker who swiped more than $281 million in crypto from the KuCoin exchange used Uniswap, the world’s largest decentralized exchange by volume, to sell off about $7.9 million of stolen tokens. The hacker managed to move another $5 million in stolen crypto through various other DEXs.

Uniswap, which CipherTrace highlighted in its report and which did not respond to Decrypt’s requests for comment, has seen trading spikes over the last couple of months, including a three-month high of $953.59 million on Sept. 1. As a whole, decentralized finance (DeFi) projects, which guarantee more anonymity than their commercial counterparts, have a daily trading volume of more than $4 billion, according to CipherTrace.
“The law says that transactions cannot be anonymous,” said Juan Llanos, who founded the crypto-focused consultancy Juan Llanos Advisors. But DEXs are not considered regulated entities, so they are a “hole,” meaning a potential vehicle for money laundering.
Aside from opening the door to fraud and other manipulations, a lack of user verification could defy international trading guidelines—an already contentious subject since the FinCEN files exposed the global banking system’s shortcomings. Specifically, the Financial Action Task Force’s global “travel rule,” which was recently updated to include crypto businesses, directs financial intermediaries to obtain and share client information before completing transfers.

“If we can make it easy for cryptocurrency companies to comply, but still preserve the fundamental ability for people to transact with each other globally and in an anonymous fashion, then we all win,” Jevans said.
But that caveat, Llanos said, is why implementing stronger KYC practices is a “double-edged sword.” Cryptocurrency is unfailingly anonymous, but also unfailingly traceable. If its anonymity is compromised while its traceability is protected, that opens the door to privacy concerns, he said.
“It obviously has a very legitimate goal of identifying criminals,” Llanos said.
But “who’s protecting the identity that gets moved around the world?” In other words, how can the crypto industry protect clients while still complying with international guidelines? What’s stopping a provider from, say, attaching a client’s passport to an email and sending it unsecured across the globe?
To adopt stricter KYC practices, cryptocurrency exchanges would ideally require name, proof of address and even a phone or video interview to access funds, the CipherTrace report said. But right now, over half are running more like social media accounts, requiring only a name and email, sometimes a phone number, to log in.
Russia, Singapore, the US and the UK house the greatest number of exchanges and other service providers with weak KYC, according to CipherTrace. But that’s due in part to the onslaught of experimentation, particularly DeFi projects, in those areas, Jevans said.
“Cryptocurrency companies are facing increasing regulations, and that is going to get more strict,” he said.