Bitcoin Fork Privacy and the KYC / AML Threat: A Documented Case Study

HitBTC froze a withdrawal of BTC obtained from selling Bitcoin fork coins and forced a user to reveal their identity over a 27-day recovery process

At forkdrop.io we believe that privacy and fungibility are core properties of Bitcoin and ingredients for open economies and the free market. On our site, we track not only Bitcoin forks but also the exchanges where they can be traded, and we provide information about each exchange’s KYC (“Know Your Customer”) requirements to help people transact their fork value without giving up their rights to privacy within the law.

It has been noted by many that Bitcoin forks represent a threat to the privacy of holders by creating incentives to trade in their fork coin value in a setting that is less private than the one in which the BTC was originally obtained. This is a danger we take seriously at forkdrop.io, and we provide guides for helping users safely navigate the task of claiming their fork value.

Some exchanges allow you to set up an account and transact without going through KYC/AML (“Anti-Money Laundering”) verification, often for small amounts of value. Our focus in this article is on exchanges that have configured their KYC / AML process to trigger once they are holding an individual’s value, so that access to this value is frozen until a number of steps (detailed below) have been completed. We believe that not all individuals will be able to complete these steps, either for lack of knowledge or because the required information simply does not exist.

This is a financial hazard to law-abiding, innocent people who are unable to meet the high burden of proof. Furthermore, it can be a real danger to innocent people, who must give up their private personal and financial information to companies that are often based in other countries and that may leak that information to bad actors, or even turn out to be bad actors themselves.

We hope the detailed account below of an actual event can help prepare individuals for dealing with exchanges and prevent situations of stress or, worse, loss of value, as well as shine a light on this kind of activity, which we feel is unprofessional at best and irreversibly damaging and unethical at worst.

An Individual’s 27-Day Journey Through KYC / AML

Anecdotes of poor customer experiences with HitBTC are documented extensively elsewhere and can be easily found by searching online. This is a full (but redacted to protect privacy) transcript of the support ticket interaction between an individual customer and a representative of HitBTC that we have obtained. The BTC was recovered by the individual, but we believe it is in the public interest to publish it here to give future individuals accurate information and a warning.

The value in question came from moving forked coins. The individual had held old UTXO value for several years and was credited with the forked coins at the creation of the fork projects.

It is important context that, prior to depositing the value which was later frozen, the individual had already deposited coins, sold them and withdrawn the BTC, all without providing any identification. The HitBTC account was created with a random-sounding Protonmail email account and accessed exclusively through Tor. No real name was associated with this account or email for this round of transactions. The value of these initial transactions was less than $10,000 USD, which is a threshold for KYC/AML in many jurisdictions.

Day 0

After the successful first round of transactions, the individual deposited a number of fork coins that was in excess of $10,000 USD in value. The coins were sold on the exchange and a withdrawal request for the resulting BTC was submitted at approximately 5 pm UTC. Upon clicking the withdrawal confirmation link that arrived via email, the user received an error message reading “Currency operations not available”. One day later another withdrawal was attempted with the same result.

Day 1

At approximately 5 pm UTC a support ticket was filed by the individual titled “currency operations not available” which read:

I am getting this error when trying to withdraw BTC. I would like to get my BTC please.

Day 2

At approximately 3:30pm UTC a reply was received with an attached image:

Dear trader, thank you for reaching out to us. According to AML/KYC rules, which HitBTC exchange is subject to, our security department is monitoring all activities on our platform. Our goal is to stay secure and reliable, safety of every transaction being ensured. Pursuant to internal policy on customer identification process, we kindly ask you to provide us with the following:

- A clear closeup photo of your document (national ID or driver’s licence), being held in your hand. Scanned images are not accepted;

- A photo of yourself settled near your monitor with this ticket viewed on screen. You should be easily identified on the photo, and this exact text with the following picture should be clearly seen.

Regards,

HitBTC Team

On Day 2 at 4:20 pm UTC the reply was sent by the individual with four clear photographs:

- A clear close-up photograph of the individual’s driver’s license.

- A wider photograph of the individual holding their driver’s license where their face is recognizable.

- A wide photograph of the individual sitting next to a laptop screen with the text of the previous email displayed.

- A wide photograph of the individual sitting next to a laptop screen with the image with the embedded bold text displayed.

The body of the email read:

Hello <HitBTC support person’s first name>, Attached to this email are four photographs which I believe meet your requested compliance requirements. Please let me know if there is anything more I must provide and I will get it to you promptly. Thank you. Regards, <individual’s real name>

Day 4

At approximately 3:30 pm UTC a reply from HitBTC was received:

Thank you for provided information. In accordance with the requirements of current anti-money laundering; proceeds of crime and counter terrorism financing legislation, we are required to establish and record evidence of the identity and source of funds for our clients. Therefore we kindly ask you to provide us with the origin of the following transactions:

Amount Currency Hash

<amount> <fork1> <fork1 tx hash>

<amount> <fork1> <fork1 tx hash>

<amount> <fork2> <fork2 tx hash>

<amount> <fork3> <fork3 tx hash>

<amount> <fork1> <fork1 tx hash>

For your convenience, the origin of funds report may be presented in a free form as a chain of events in chronological order, every step validated with blockchain explorer data, screenshots, and data used on other crypto infrastructure services, so that we would be able to contact them for verification, if needed. In addition, kindly update us with the data regarding your social networks presence, i.e. the links to your profile in major social networks. In order to speed up the ongoing identification process, we also kindly ask you to sign in to your HitBTC account with any network data disguising tools (VPN, proxy) deactivated.

Regards,

HitBTC Team

Note that this request includes the deposits of forked coins that had previously been deposited and sold, with the BTC withdrawn on Day 0, before the later deposit of higher value was made (the value of which was now trapped on HitBTC).

On Day 4 at approximately 7pm UTC the individual sent the response. It included five attached images. Four were block explorer screenshots illustrating the origin of the forked coins. The fifth was a screenshot of the login attempt to HitBTC, showing that the individual’s account was disabled, which blocked the login attempt.

The body of the email read:

Good day,

I have attempted to log into my HitBTC account from outside my VPN minutes before sending this email. However, it rejected my login saying that my account has been disabled (as per the attached <image>). I assume the login attempt was logged on your servers as originating from my non-VPN public IP (<ip address>), which you can verify.

My LinkedIn profile is <linkedin profile>

I do not have a Facebook account

My youtube channel is <youtube channel>

My Twitter account is <twitter profile>

My Github profile is <github profile>

My wordpress blog is <blog link>

Attached are four additional screenshots that illustrate the origin of the coins deposited to HitBTC. The <fork1> and <fork2> coins were credited to my addresses at the forking of these two coins. In <image 1>, it shows the source address (<addr1>) for:

<txid>

and

<txid>

had been holding BTC on these two inputs since well before the <fork 1> fork point (<fork 1 fork date>). The deposited <fork 1> coins were created and credited to those addresses upon the creation of the <fork 1> fork.

The other three screenshots, <image 2>, <image 3>, and <image 4> show the same for <address 2> (<fork 2> representation of the same address is <address 2>) which is the source address of the transactions:

<txid>

<txid>

and

<txid>

This address was holding BTC since before the fork point of <fork 1> (<fork 1 fork date>) and the fork point of <fork 2> (<fork 2 fork date>). The deposited coins were created and credited to this address upon the creation of these forks.

For <fork 3>, the <image 2> screenshot shows the coins being airdropped on that address upon the creation of the new <fork 3> chain (Bitcoin UTXO set snapshotted on <fork 3 date>, <fork 3> launched on <fork 3>). <technical explanation of the airdrop of fork 3>

Please let me know if there is anything further you require.

Regards, <individual’s real name>

Day 6

At approximately 2pm UTC a response from HitBTC was received:

Thank you for provided information. Please take our apologies for the delay. Verification might take some time depending on the queue. Could you provide us more specific information about the source of funds. We kindly ask you to provide us with full display screenshots of your withdrawal history including account details, so we able to see from where the mentioned funds came to HitBTC. Regards,

HitBTC Team

On Day 6 at approximately 9pm UTC, the individual replied:

Good day,

As previously cited, the coins deposited on HitBTC came from the chain split/airdrop upon the creation of the network for the coins which were deposited. The BTC I held which resulted in the creation of these coins were purchased in 2014/2015 from exchanges that are no longer operating (<defunct exchange 1>, <defunct exchange 2>) from employment income I earned as a <job title> at <company>. This BTC sitting in place since <date> was documented in the previous screenshots I submitted.

I have attached screenshots that attest to these purchases, however I unfortunately do not have email records that cite the bitcoin addresses of withdrawal, though some can be reconstructed based on the BTC amount in the lineage that funds the addresses in question.

e.g. with the <amount> BTC purchase in the email, it was withdrawn to me in this transaction: <txid> To address: <address>

Subsequently, this transaction: <txid> moved coins to address <address> which was an address cited earlier for holding held BTC and was subsequently source of the forked coins deposited on HitBTC into my account.

The same is true for the transaction: <txid> Which moves the <amount> BTC amount referenced in the email to: <address> and subsequently to <address> in the same transaction. The date of the origination of these transactions also matches the date in the email.

Please let me know if you require any further specific details as to the source of these funds.

Regards, <individual’s real name>

Day 7

At approximately 5pm UTC the HitBTC support person replied:

Thank you for provided information. In accordance with the requirements of current anti-money laundering; proceeds of crime and counter terrorism financing legislation, we are required to establish and record evidence of the identity and source of funds for our clients. Therefore we kindly ask you to provide us with the origin of the following transactions:

Amount Currency Hash

<amount> <obscure coin> <obscure coin TXID>

<amount> <obscure coin> <obscure coin TXID>

<amount> <obscure coin> <obscure coin TXID>

<amount> <obscure coin> <obscure coin TXID>

For your convenience, the origin of funds report may be presented in a free form as a chain of events in chronological order, every step validated with blockchain explorer data, screenshots, and data used on other crypto infrastructure services, so that we would be able to contact them for verification, if needed. In addition, kindly update us with the data regarding your social networks presence, i.e. the links to your profile in major social networks. In order to speed up the ongoing identification process, we also kindly ask you to sign in to your HitBTC account with any network data disguising tools (VPN, proxy) deactivated.

Regards,

HitBTC Team

Four minutes after this email was received a second email arrived from the HitBTC support person that read:

Thank you for reaching out. Please take our apologies for the delay. Verification might take some time depending on the queue. Pay no attention to the previous emal, it was have been sent to you by mistake. The information you have provided is currently being processed. Since this is an issue with security, it will take some time to verify the information that you have provided. Rest assured that once the process has been finished you will be contacted to let you know that your account has been unblocked or if further information is required. Thank you for your patience. Best Regards,

HitBTC Team

At approximately 6pm UTC, the individual replied:

Thank you for the clarification that the previous email was in error. I await a response from my previous submission. Please let me know if there are any further steps you require from me. Regards, <individual’s real name>

Day 11

At approximately 5:30pm UTC the HitBTC support person replied:

Thank you for provided information. Please accept our apologies for such a long delay with replying. We kindly ask you to provide us with document which confirm the receipt mentioned funds from employment income you earned as a <job title> at <company> Regards,

HitBTC Team

At approximately 9pm UTC, the individual replied with a PDF file attached:

Good day, Attached is my <form name> from 2014 which records my employment income from <company> during the tax year of 2014. Please let me know if there is any further information you require. Regards, <individual’s real name>

Day 12

At approximately 1:30 pm UTC the HitBTC support person replied:

Hi <individual’s first name>! Thank you for your response and the document provided.

Getting back to our previous conversation regarding the BTC that you have purchased on the exchanges which are no longer operating, we will need to have some proof that this amount on BTC originally came from the exchanges. As you have purchased the BTC there, there should be some deposit transactions made from your bank card during that period of time.

Is there any chance you could provide us with the bank statement showing these transactions? We are looking forward to your response.

At approximately 5pm UTC, the individual replied with two PDFs attached:

Good day, Attached are two bank statements from <month> and <month> 2014, which show transfers into <payment processing company>, which was the banking processor for <defunct exchange> at the time. Regards, <individual’s real name>

Day 13

At approximately 2pm UTC, the HitBTC support person replied:

Hi <individual’s first name>!

Thank you very much for the files sent. We have reviewed them.

Could you please also send us the screenshots of your <obscure coin> tokens deposits transactions before bringing them to HitBTC?

This would help a lot. Awaiting your reply.

At approximately 5pm UTC, the individual replied:

Hello <HitBTC support person’s first name>, I have never deposited <obscure coin> tokens on HitBTC. I believe this request to be an error. <obscure token> transactions are not associated with my activity on HitBTC. You previously asked for the source of these transactions in an email in this thread on <Day 7>. However in a follow-up email sent four minutes after the request, you instructed me to: “Pay no attention to the previous emal, it was have been sent to you by mistake.” I await a response from my previous submissions. Regards, <individual’s real name>

Day 14

At approximately 4:30 pm UTC the HitBTC person replied:

I apologize for this mistake. Please disregard our last request.

We would kindly ask you to log in to your account with the VPN switched off. This would help us to finalize the process as soon as possible.

Waiting for your response.

At approximately 8pm UTC, the individual replied:

Good day, I have logged into the account outside my VPN as requested and filled in a message into the form for contacting support after having my account disabled. I have received the email for that ticket which was numbered <HitBTC ticket number> from the HitBTC contact <other HitBTC support person>. Regards, <individual’s real name>

Day 18

At approximately 2pm UTC the HitBTC support person replied:

Thank you for reaching back to us. We clearly understand the uncertainty you’ve been through, and we would like to remind you that AML/KYC policies are commonly used among all reliable financial institutions. The goal of this procedure is to make sure that proceeding with resuming of full functionality of your account is mutually safe and trusted. It’s necessary to confirm that:

1. The following transactions:

<fork 1 txid>

<fork 1 txid>

<fork 2 txid>

<fork 3 txid>

<fork 1 txid>

were initiated by you and sent from your own wallet or trading account. Please provide us with the screenshots of your wallet or trading account withdrawal history, which will confirm that.

2. The funds, used to initiate these transactions, were received from cryptocurrency institution, being transferred to you. Please provide us with your wallet or trading account deposit history, which will confirm that.

Please note:

— If you have transferred the mentioned funds between wallets or accounts before sending them to HitBTC, please provide us with the history of these movements.

— Don’t forget to provide us with the copied&pasted transaction hashes, which will be mentioned on any step of your report.

Thank you for your patience. We believe it’s important to remember that our measures and policies are developed in order for us to stay trusted, safe and reliable institution and to protect our traders from illegitimate activities.

Regards,

HitBTC Team

At approximately 5pm UTC, the individual replied:

Hello <HitBTC support person’s first name>,

I am having difficulty interpreting this request and I require some clarification.

First, you appear to be stating incorrectly. These funds were not transferred to me from a cryptocurrency institution, but credited to me at the fork point/creation of these cryptocurrencies. Please clarify the information that is necessary to proceed. Reviewing the verifiable and previously-cited facts of the transactions in question:

1) <txid> Is a <fork 1> transaction. The source input was created before the <fork 1 fork date> fork which created the coins <address’s source input creation date>

2) <txid> Is a <fork 1> transaction. The source input was created before the <fork 1 fork date> which created the coins <address’s source input creation date>

3) <txid> Is a <fork 2> transaction. The source input was created before the <fork 2 fork date> fork which created the coins <address’s source input creation date>

4) <txid> Is a <fork 3> transaction. The source input was created by result of the creation of the <fork 3> project on <fork 3 start date> (<credited airdrop input date>). The source input that qualified for the <fork 3> airdrop was the same as the previous <fork 2> transaction above and the <fork 1> transaction below and was created on <address’s source input creation date>

5) <txid> Is a <fork 1> transaction. The source input was created before the <fork 1 fork date> fork which created the coins <address’s source input creation date>

*** All coins deposited on HitBTC were not purchased or transferred but rather created in my possession. The quantity of value which has triggered HitBTC’s KYC/AML policy is accounted for by the appreciated value of these assets from zero prior to existing. Please clarify which further information you require on the source of these coins in order to proceed.

Second, the funds were not moved with wallet software, but rather by a script published at https://github.com/ymgve/bitcoin_fork_claimer which does not keep logs of sent transactions. Also, due to the high-security nature of private keys holding significant value, it is generally advisable to use tools such as Linux live-boot DVDs to specifically eliminate the possibility of keeping records of the boot session and/or actions involving cold storage private keys. For example the TAILS (The Amnesiac Incognito Live System, tails.boum.org) Linux distribution has the Electrum wallet installed by default which is incapable of keeping logs due to this security practice. Please clarify what information is necessary for proceeding.

Regards, <individual’s real name>

Day 20

At approximately 10:30 am UTC the HitBTC support person replied:

Dear trader, Thank you for your response. Getting back to our conversation about the <fork 1> origin. As you have got them by a script published at GitHub, we need some proof of that.

We do not require any private information, just a confirmation that you were holding the appropriate amount of BTC to get <fork 1> during the fork split. Looking forward to your response.

At approximately 5pm UTC the individual replied:

Good day <HitBTC support person’s first name>,

To be clear, I did not ‘get’ the coins by using the cited tool (https://github.com/ymgve/bitcoin_fork_claimer), but rather I used the tool to create the network transaction which move the coins I own into HitBTC. I gained possession of the deposited coins at the creation of the associated forked projects and chains as previously discussed and cited.

Below are signed messages that prove that I am in possession of the BTC keys that signed for the transactions, which constitutes proof that I held the BTC on the addresses which was 1) the origin of the forked coins through holding BTC on the address and 2) were the source of the discussed deposit transactions into HitBTC on the <fork 1>, <fork 2> and <fork 3> networks.

The tool https://github.com/ymgve/bitcoin_fork_claimer takes the WIF private key string as an input parameter. This private key is also necessary for creating the signed messages below that can be validated from the public bitcoin address. These signatures can be checked via many tools including Electrum and the Bitcoin Core node software.

Address: <address 1>

Message string (inside quotes): “HitBTC ticket <ticket no> <HitBTC support person’s name> <date of Day 20>”

Signature: <valid signature for message>

Address: <address 2>

Message string (inside quotes): “HitBTC ticket <ticket no> <HitBTC support person’s name> <date of Day 20>”

Signature: <valid signature for message>

Regards, <individual’s real name>

Day 26

At approximately 3pm UTC the HitBTC support person replied:

Dear <individual’s first name>, Finally, could you please provide us with your international ID? Looking for your response.

At approximately 6pm UTC, the individual replied with two photos attached. The first was a photo of their passport, opened to the photo page and held in their hand. The second was a photo of them holding the passport, open to the page, next to their face. The body read:

Good day <HitBTC support person’s first name>, Attached are two photographs, one of my <nationality> passport open to the photo page with the identifying numbers. The second is a selfie of me holding the passport. Note that I previously submitted identification photos including my drivers license photo ID which can also be compared in context. Please let me know if there is anything further you require. Regards, <individual’s real name>

Day 27

At approximately 3:30 pm UTC the HitBTC support person replied:

Dear trader, Thank you for your response. Getting back to our conversation about the <fork 1> origin. As you have got them by a script published at GitHub, we need some proof of that.

We do not require any private information, just a confirmation that you were holding the appropriate amount of BTC to get <fork 1> during the fork split. Looking forward to your response.

At approximately 8pm UTC, the individual replied with an attached screenshot of Electrum validating signatures:

Good day <HitBTC support person’s first name>,

On <Day 20>, I provided signed messages from addresses which were previously cited in screenshot to have held BTC during the <fork 1> fork on <fork 1 fork date>. This BTC was also the genesis of the coins deposited on HitBTC as was previously cited with screenshots. Those addresses, messages and signatures are:

address: <address 1>

message: “HitBTC ticket <ticket no> <HitBTC support person’s name> <date of Day 20>”

signature: <valid signature for message>

address: <address 2>

message: “HitBTC ticket <ticket no> <HitBTC support person’s name> <date of Day 20>”

signature: <valid signature for message>

I have attached a screenshot of Electrum validating these signatures, which you can cryptographically verify independently. This is proof that I hold the keys which held the BTC at the fork point and thusly the <fork 1> was credited to me through the forking process.

Again it is worth clarifying, that I did not ‘get’ the coins from the script at https://github.com/ymgve/bitcoin_fork_claimer. The script was used to create the spend transactions to move the coins onto HitBTC. The coins came into my possession at their creation.

Regards, <individual’s real name>

One hour after the individual sent the last reply the HitBTC support person replied: