The US government recently arrested and charged Bitzlato, along with its' founder, with money laundering related crimes. We have no additional information regarding the allegations themselves. But the document is filled with an incredible range of quotes – presumably from surveillance – that make the Shenzhen-based crypto exchange look awfully bad.
Given the details of the evidence presented in the charging documents, Bitzlato executives and employees all did a lot of stuff they'll struggle to defend. Here, we are going to set aside the question of whether the US government should go after money laundering crimes all over the world.
It is empirically true that US prosecutors view these actions as within their remit. And the actions themselves are wild. Doubly so as nearly everyone involved makes clear, repeatedly and in writing, that they knew what they were doing was wrong.
The interesting questions are "how did we get here?" and "what does this signal about the future?"
Lessons From "The Wire" and the Ford Pinto
In a famous scene in the US television show "The Wire," Idris Elba's character Stringer Bell (a sort of senior gang leader) admonishes an underlying for "taking notes on a criminal conspiracy." If you are trying to more efficiently distribute drugs in Baltimore, maybe you should not write down the plan lest the police find it. (We are not suggesting anyone enter that business – but it's the plot of the highly regarded series so there you go.)
And it's not just television. In 1973 the Ford Motor Company had a problem with a car called the Pinto. The fuel tank for this model was installed behind the rear axle and Pintos were exploding when hit from behind. A substantial number of people were badly burned and died.
What made the Pinto case famous and historically significant is that Ford wrote a memo in which they compared the cost to redesign the car against the expected settlements from people dying in accidents. The memo itself is troubling to read. And when it came out during legal proceedings it was a major scandal that led to myriad changes.
What matters for our purposes here is that this incident is also the origin of corporate admonitions to not put bad things in writing. Gang leaders and companies with possible embarrassing secrets have at least this concern in common.
Bitzlao Didn't Get the Pinto Memo
This is not a good look:
It is clearly a problem if your platform processes an awful lot of payments for illegal stuff. And this is also not the right solution:
Similarly it is a problem when your KYC process accepts female documents from someone you know is male. And who specifically tells you the docs belong to someone else:
We are not advocating for a heavy reliance on box-ticking exercises or introducing a bunch of security theater (painful measures that are unlikely to actually help). But rejecting clients who straight-up tell you they are lying is a reasonable place to start when designing an onboarding process.
In the same vein, it's a terrible idea to publicly proclaim that you do not deal with US users but then tell users, via standard support channels, that US stuff is just fine:
Note that discussion does not involve a VPN, or any sort of complex effort to obfuscate whether someone is in the US. They were asked if it was possible to use US bank cards. If the answer was "we do not support US users but cannot control all payment networks" then we can have a conversation about whether their efforts to block US users were adequate. But when you answer "yes, of course" the conversation is shorter.
There are a lot more ridiculous quotes in the document and they are worth reading even if only to stare in amazement that some of those comments emerged from Bitzlato's support team.
Where Do We Go?
Given that Bitzlato did not make a serious effort to block US users and, in their own words, took US domestic payments, the US government's claims of jurisdiction will likely hold up. We do not need to debate if this sort of ineffective IP address blocking is sufficient to avoid jurisdiction:
As Bitzlato already stated clearly to their own users, US domestic payments were fine.
It is also unlikely the charging documents contain all of the evidence. While the information we already have is pretty bad there is a good chance there is a mountain more behind it. The easy jurisdiction argument and ridiculously incriminating evidence makes this a good starter international crypto-money-laundering enforcement case from the prosecutor's perspective.
From there it remains to be seen. But the pattern, time and again, is that prosecutors work their way up from the smaller players to the larger ones. In this case significant international cooperation was required. Per French reports, five more people were arrested in Spain, Portugal and Cyprus in related actions.
And both the US and French reporting hails this as a major cooperative international effort involving a long list of agencies around the world. It seems unlikely they are going to stop here.