Security expert says KuCoin and Huobi epically fail softball KYC test

Dressed as Borat and Taylor Swift, CipherBlade founder Rich Sanders put the KYC procedures at mega exchanges KuCoin and Huobi to the test. His investigations revealed KYC processes at the exchanges to be more ‘compliance theatre’ than a genuine effort to stop bad actors.

The crypto asset exchange ecosystem is notorious for its vague approach to Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance. The reasons for this vary. Crypto is a global phenomenon, but every country has different regulations, and many have been slow to pass new laws specific to the burgeoning crypto-asset markets. Where exchanges have found local regulations to be too tough, they have relocated to jurisdictions like Malta or the Cayman Islands, where they perceive the legal oversight to be less onerous.

Still, as crypto markets have matured, some large exchanges that act as fiat on-ramps have recognized the need for rigorous KYC and AML programs to appease authorities and ensure that bad actors can’t take advantage of their platforms. Some.

Others, however, appear to be going through the KYC motions and indulging in compliance theatre. Blockchain analysis firms such as CipherTrace, Chainalysis, and CipherBlade have a granular understanding of the blockchain ecosystem, and their teams are best equipped to understand not just crypto asset movements, but also the security practices at various exchanges.

A recent report by CipherTrace found that 56% of global crypto exchanges have weak KYC identification protocols. The report says that despite existing crypto AML regulations, many countries continue to host virtual asset service providers (VASPs) with deficient KYC. CipherTrace reports that in 2020, “56% of VASPs globally have weak or porous KYC processes, meaning money launderers can use these VASPs to deposit or withdraw their ill-gotten funds with very minimal to no KYC. The more porous VASPs that allow deposits and withdrawals up to a specified dollar amount with little to no KYC risk encountering conventional money laundering tricks, like structuring to fly under the radar.”

What is KYC?

Financial institutions use KYC processes to confirm the identity of their customers. These processes typically involve the collection and verification of a customer’s personally identifiable information. This can include government-issued ID, phone number, email address, physical address, and more. Strong KYC procedures can mitigate money laundering and prevent bad actors from registering with fake credentials, such as synthetic IDs or stolen identities. Weak KYC procedures, however, can lead to a crypto exchange becoming a destination for criminals to turn illegally acquired cryptocurrencies into fiat.

Rich Sanders, the co-founder and lead investigator at CipherBlade, has taken to Twitter to demonstrate what he says are weak KYC procedures at two of the largest exchanges, KuCoin and Huobi. In two separate Twitter threads, Sanders created fake identities for Borat and Taylor Swift, and then successfully passed the first stage of KYC on the two Chinese exchanges. For dramatic effect and to further highlight the absurdity of the situation, Sanders actually dressed up as Borat and Taylor Swift and submitted photos of himself in character during the KYC process. We spoke with him about what his investigation revealed.

Brave New Coin: Why is KYC important?

Rich Sanders: KYC is just one of several aspects of a compliance program. Saying that it is ‘important’ could give a vibe that I’m a supporter of heightened KYC requirements, which is largely untrue. That said, if you’re going to have a compliance program, it is important to do it right. Virtue-signalling KYC is more destructive than not having KYC at all. For example, ICOs in the 2017 era were notorious for virtue-signaling compliance. They would simply gather whatever identity documents people sent and perform a visual inspection. Instead of spending money on Onfido (an identity platform), they would have a community manager with zero compliance experience who would look at IDs. To see that this is still happening now at large crypto exchanges is just jaw-dropping. Many in our industry criticize banks, and justifiably so, but we’re not about to replace banks when I can pull a Taylor Swift stunt like this with exchanges.

BNC: In your experience, which exchanges have solid KYC processes and which do not?

RS: The exchanges that have solid KYC processes are secure and don’t put customer information at risk and they actually run IDs. The fact that anyone, right now, can go onto KuCoin without an ID, choose any name and any ID number, and be approved for the first tier is not KYC. That’s right, no image upload, just total trust that Spongebob Squarepants from Afghanistan with ID 23232323 is legit. That’s not KYC, that’s theatre. When I’m able to dress up as Borat or Taylor Swift and still be approved for the next tier, that just goes to show that the KuCoin/Huobi staff performing visual checks aren’t competent and those services are not using a tool to run numbers, such as Onfido. I chose deliberately ridiculous costumes to prove a point. A very small amount of money or time can result in one obtaining a rather convincing identity document and the ability to onboard with alleged KYC-enforcing exchanges. I can’t do that for exchanges that actually run ID numbers – such as Coinbase and Binance, for example.

BNC: You’ve shown that KuCoin and Huobi appear to have lax KYC requirements. Why do you think this is the case?

RS: Ironically, the alleged KYC requirements for KuCoin and Huobi aren’t inherently lax (relative to other exchanges), but rather the enforcement of these requirements is nonexistent. They have these ‘requirements’ to LARP, full-stop. Now, as to why these requirements aren’t actually enforced? Exchanges like Huobi and KuCoin knowingly profit off this volume and they don’t want to make less money, so they’d rather just be dishonest about it.

BNC: If some exchanges are, as you say, LARPing and indulging in security theatre, what effect does this have on the wider crypto ecosystem?

RS: It makes us look like not just idiots, but dishonest idiots, candidly. Imagine what would happen if I went to a bank right now as Borat, there is not a snowflake’s chance in hell that’d work. Bottom line, it makes us look worse when we LARP about KYC than if we just said ‘we don’t do KYC, we’ll wait for regulations to worsen and enforcement to begin’. At least the latter, while naive and immature, would not be dishonest.

BNC: You used fake Borat and Taylor Swift identities to successfully pass the first tier of KYC on KuCoin and Huobi. For the exchanges to approve these identities, what do you think was happening on their end?

RS: What was happening on KuCoin’s end? Nothing for the first tier of verification, as that’s literally instantly approved with typing in any number. It’s not run through any database nor processed manually – go try it yourself. For the second tier, probably just some customer support person with KuCoin that’s never had a compliance role in their life being asked to visually inspect identity documents. It’s quite possible they don’t know who Borat is. It’s the same situation with Huobi. I am a bit baffled on this one – I can understand someone not realizing who Borat is if the movie isn’t popular in their country, but… a bearded blonde lady probably should raise an eyebrow. I’m just saying.

BNC: How did you create the passport documents for these identities, and how realistic are they?

RS: I used Photoshop. That’s the scary thing on this – it’s incredibly easy to do. I actually spent more time making these passports as deliberately shitty as possible, relative to the time I’d take making a believable passport. They are NOT realistic, they were designed to not pass a visual inspection and I even troll in the text for both of them.

BNC: Have you had any feedback on your Twitter threads from either of the exchanges?

RS: KuCoin denied approving these in a response Tweet the other day, which we’re just expected to believe – just like their insurance fund. Despite the fact I’ve got video of this, screenshots, etc. Save that face, y’know?

BNC: What is the key point you want to make?

RS: The point I’m trying to make is that, much like solvency, much like AML programs, much like anything else – just believing these exchanges at their word is not going to work. Exchanges like Huobi and KuCoin say things like ‘we take compliance seriously’, but nobody’s really called them out before. I’ve called them out on other issues, like AML, but these are generally dry topics for people. If it takes me dressing up as random characters to make people laugh/cringe and discuss these issues, I’ll play that 6D chess. In one sense, what Sacha Baron Cohen does with his characters, to show how people really are, I’m using the exact same strategy.

BNC: You’re on the record as being pro-decentralization and anti-over-regulation. As the crypto ecosystem grows, it’s important that we don’t give governments a reason to over-regulate – and bad actors are not helping, right?

RS: Correct. It’s more damaging for a broader AML ecosystem if exchanges that claim to require KYC don’t effectively do so. There are many examples I could cite here, but risk scoring alone would be skewed as exchanges that require KYC would be deemed less risky, these exchanges permit money launderers to operate under a veil of legitimacy, and it gives governments an excuse to crack down on the broader industry. It tips the balance in privacy versus sensible regulation backwards.

Rich Sanders was a recent guest on the Crypto Conversation podcast where he discussed these issues at length.