In brief

  • 56% of virtual asset service providers lack strong know-your-customer (KYC) practices, a new study found.
  • 81% of decentralized exchanges (DEXs) have little-to-no user verification.
  • These discrepancies could open the door to financial crime and international sanctions, says blockchain analysis firm CipherTrace.

A new study from blockchain analysis firm CipherTrace found weak user verification practices across the world’s cryptocurrency sphere, underpinning concerns that crypto exchanges could remain vessels for money laundering and other crimes.

The study analyzed more than 800 centralized, or company-run, and decentralized, or automated, cryptocurrency exchanges, as well as over-the-counter trading desks and other kinds of service providers.

In the end, 56% had frail KYC, or know-your-customer, practices, meaning most crypto exchanges are doing very little to force clients to prove their identities when accessing their platforms—though CipherTrace declined to name names. 

Decentralized cryptocurrency exchanges (DEXs), which have seen massive trading volume growth over the past year, were designed to let users exchange currencies without a third party—and therefore bypass certain regulatory obstacles. For the study, CipherTrace analyzed 21 DEXs for which it could identify a country of origin. Of those, 81% had scant ID verification processes, or none at all. In fact, Dave Jevans, the firm’s chief executive officer, said the total 56% of unsecured service providers would have been substantially lower, at least in the US, if the study had excluded DEXs.

These findings come shortly after Decrypt reported that a hacker who swiped more than $281 million in crypto from the KuCoin exchange used Uniswap, the world’s largest decentralized exchange by volume, to sell off about $7.9 million of stolen tokens. The hacker managed to move another $5 million in stolen crypto through various other DEXs.

Uniswap, which CipherTrace highlighted in its report but which did not respond to Decrypt’s requests for comment, has seen trading spikes over the last couple of months, including a three-month high of $953.59 million on Sept. 1. As a whole, decentralized finance (DeFi) projects, which guarantee more anonymity than their commercial counterparts, have a daily trading volume of more than $4 billion, according to CipherTrace.

“The law says that transactions cannot be anonymous,” said Juan Llanos, who founded the crypto-focused consultancy Juan Llanos Advisors. But DEXs are not considered regulated entities, so they are a “hole,” meaning a potential vehicle for money laundering. 

Aside from opening the door to fraud and other manipulations, a lack of user verification could defy international trading guidelines—an already contentious subject since the FinCEN files exposed the global banking system’s shortcomings. Specifically, the Financial Action Task Force’s global “travel rule,” which was recently updated to include crypto businesses, directs financial intermediaries to obtain and share client information before completing transfers.

“If we can make it easy for cryptocurrency companies to comply, but still preserve the fundamental ability for people to transact with each other globally and in an anonymous fashion, then we all win,” Jevans said.

But that caveat, Llanos said, is why implementing stronger KYC practices is a “double-edged sword.” Cryptocurrency is unfailingly anonymous, but also unfailingly traceable. If its anonymity is compromised while its traceability is protected, that opens the door to privacy concerns, he said.

“It obviously has a very legitimate goal of identifying criminals,” Llanos said.

But “who’s protecting the identity that gets moved around the world?” In other words, how can the crypto industry protect clients while still complying with international guidelines? What’s stopping a provider from, say, attaching a client’s passport to an email and sending it unsecured across the globe?

To adopt stricter KYC practices, cryptocurrency exchanges would ideally require name, proof of address and even a phone or video interview to access funds, the CipherTrace report said. But right now, over half are running more like social media accounts, requiring only a name and email, sometimes a phone number, to log in.

Russia, Singapore, the US and the UK house the greatest number of exchanges and other service providers with weak KYC, according to CipherTrace. But that’s due in part to the onslaught of experimentation, particularly DeFi projects, in those areas, Jevans said.

“Cryptocurrency companies are facing increasing regulations, and that is going to get more strict,” he said.