Thousands of users of hacked exchange Cryptopia claimed to be living on deserted tropical islands near Australia in a massive identity fail.
Liquidators from accounting firm Grant Thornton have informed a NZ court that the exchange was pretty hopeless when it came to implementing proper KYC and anti money laundering procedures.
“In our view, it raises various issues including anti-money laundering compliance,” liquidators Malcolm Moore and David Ruscoe said in an affidavit to the Christchurch High Court.
The four day hearing set for this week will help decide on the fate of the exchange’s remaining crypto, reported by media outlets to be worth up to NZ$250 million (all figures in NZ dollars).
The $250 million figure is substantially higher than reports to this date.
In preparation for the #Cryptopia directions hearing starting 11 Feb 2020 at the Christchurch High Court, we have uploaded all current affidavits and submissions related to these proceedings. These can be found here: https://t.co/4zjyqvcTOv
— Cryptopia Exchange (@Cryptopia_NZ) February 9, 2020
All you need is an internet connection
The liquidators said that most of the 933,000 active user accounts on the exchange only had a username and password attached.
NZHerald.com reported that thousandth of accounts, holding more than $3 million between them, were traced back to uninhabited tropical islands near Australia – or could not be traced to any location.
Interestingly the site had very few New Zealand users. Local users accounted for just 9475 of the total 2.2 million customers hailing from the US, Russia, Britain, India and the Netherlands among other locations.
More than 44,000 customers who’d signed up early, holding $23 million between them, were not verified at all and had no trading limits.
ID checks did get more stringent however and at least 100 clients who wanted to trade larger amounts of up to $500,000 did go through standards KYC checks along with a statement explaining the source of funds.
Cryptopia gets hacked twice
Cryptopia (which has no relationship to the new film of the same name) had to be liquidated after hackers stole $24 million in two hacks in January 2019.
Although it attempted to resume trading in march, the brand damage was too great and the liquidators were called in.
The liquidators returned about $8 million to investors and stakeholders between May and November last year.
Complicating matters, users assets were pooled into a co-mingled wallet, necessitating painstaking work to identify individual accounts.
They are still trying to work out what’s in the wallets of about a quarter of account holders. The site’s data was stored in Arizona, where the hack occurred.
Due to the poor record keeping, the liquidators anticipate traders will need to provide additional ID verification before their funds can be returned.