DOJ and CFTC Bring Charges Against Crypto Exchange KuCoin for AML and KYC Failures
On March 26, 2024, the U.S. Department of Justice (“DOJ”) unsealed an indictment against prominent cryptocurrency exchange KuCoin and two of its founders, Chun Gan and Ke Tang. The DOJ charged the exchange and its founders with conspiracy and substantive charges related to Bank Secrecy Act (“BSA”) violations and operating an unlicensed money transmitter business. These charges were filed in the Southern District of New York. The U.S. Commodity Futures Trading Commission (“CFTC”) meanwhile brought its own civil enforcement action in the U.S. District Court for the Southern District of New York against KuCoin and its various corporate entities for multiple violations of the Commodity Exchange Act (“CEA”) and related CFTC regulations.
The allegations within these filings are all too common in the cryptocurrency industry, as we’ve seen with Binance and BitMEX. U.S. Attorney Damian Williams said it best in a statement: “[t]oday’s Indictment should send a clear message to other crypto exchanges: if you plan to serve U.S. customers, you must follow U.S. law, plain and simple.”
KuCoin is one of the five largest and most popular cryptocurrency exchanges in the world by a variety of metrics. Operating under various corporate entities, including Flashdot Limited (incorporated in the Cayman Islands), Peken Global Limited (incorporated in Seychelles), and PhoenixFin Private Limited (incorporated in Singapore), all of which are defendants in the DOJ action, KuCoin ranked publicly as a top five exchange in terms of traffic, liquidity, and trading volumes. Further, KuCoin was the fourth largest crypto derivatives exchange in terms of liquidity and normalized volume. Gan and Tang founded KuCoin in 2017 and the exchange has seen significant growth since that time. KuCoin allows its users to engage in cryptocurrency spot trades and to trade future contracts and other derivative products with up to 100 times leverage. KuCoin has over 30,000,000 customers in 207 countries and its daily spot trading volume exceeded $2.8 billion. KuCoin allows its users to trade more than 700 cryptocurrencies and utilize more than 50 fiat currencies.
From the beginning, prosecutors allege that KuCoin “willfully failed” to set up any semblance of an anti-money laundering (“AML”) program. The DOJ stated that “KuCoin’s no-KYC policy was integral to its growth and success.” Up until about July 2023, KuCoin required no identification information or documentation. Users merely needed an email address to register an account and start trading. While KuCoin did maintain an “optional” identification process, it did not even list the United States as an option in the country selection menu.
The company certainly knew that it had U.S. customers. KuCoin collected customer information that indicated a customer’s location, including IP addresses. KuCoin further kept login records and would alert customers to logins from regions they weren’t normally associated with – and prosecutors noted that KuCoin alerted one customer that he had logged in from “United States Bridgehampton,” yet still allowed the user full access. Gan and Tang were able to login to their own accounts while traveling in the U.S., and received those same emails noting that a login was made in the U.S.
KuCoin even advertised the fact that it did not maintain a know-your-customer (“KYC”) program. KuCoin customer support frequently posted on various social media platforms that KYC was not mandatory. In April 2022, a user tweeted at KuCoin’s customer service and noted that he was in the U.S. and his attempt at the optional verification process failed. A KuCoin representative responded by noting that “users from the USA is not supported for KYC service” and “[r]est assured that you are not obliged to do KYC on KuCoin.” This was a common message that KuCoin’s representatives freely shared on public platforms.
The indictment includes a humorous anecdote. After one user’s margin trade was liquidated, he reached out to KuCoin customer support to seek a refund. When the refund was refused, the customer declared he was a regulatory attorney and would report KuCoin’s regulatory failings to officials. KuCoin sent a response noting that the customer was from the U.S.—a prohibited jurisdiction—and that he was required to produce identification from a non-prohibited country. When the customer sent screenshots of KuCoin social media posts advertising the lack of KYC in the U.S., the exchange shut down that customer’s account. That same customer used a new email address and subsequently created a new account.
Due to the lack of controls, KuCoin was a frequent conduit for moving funds related to criminal activities. The DOJ alleges that the exchange received $5.39 billion and transmitted $4.09 billion in funds that were connected to illicit activities, including sanctions violations, darknet markets, and various criminal schemes involving ransomware, malware, and fraud. Moreover, KuCoin received nearly $3.2 million in funds from Tornado Cash, a protocol listed on the Office of Foreign Assets Control (“OFAC”) Specially Designated Nationals List (“SDN List”). Unsurprisingly, KuCoin never filed suspicious activity reports (“SARs”) with FinCEN.
It wasn’t until May 2023 that KuCoin even attempted to set up a proper AML program, and that was only after received an alert from an investor and a financial services company that a federal criminal investigation had been commenced. However, this new program did not meet basic BSA requirements. KuCoin initially updated its Terms of Service to include a clause that required users to agree that “the User . . . is not a resident of or registered in any of the Restricted Locations,” which included the U.S. KuCoin relied on this updated Terms of Service publicly, but still allowed U.S. users to access and trade on the platform.
KuCoin slowly added more ineffective controls. In July 2023, KuCoin introduced a mandatory KYC process, but only for new customers. Existing customers, even those from the U.S., were allowed to continue trading without any issues. Further, KuCoin began displaying a warning banner on its homepage if anyone accessed the homepage from the U.S. The banner stated “[b]ased on your IP address, we currently do not provide services in your country or region due to local laws, regulations, or policies.” However, users could still access the login screen, log in to their accounts, and continue trading. The banner was a mere façade and did not actually prevent any U.S. users from accessing the platform.
In the 24 hours since the indictment was unsealed, KuCoin has seen more than $800 million in funds withdrawn from its platform.