Bybit is the world’s second-largest cryptocurrency exchange by trading volume, serving a global community of over 60 million users. Founded in 2018, Bybit is redefining openness in the decentralized world by creating a simpler, open and equal ecosystem for everyone
Q: Given your legal experience of financial crime, having served as a barrister, what trends have you observed in terms of crypto assets being used to facilitate financial fraud and in the techniques employed by criminals utilizing blockchain?
A: I’ve worked in anti-financial crime for many years, covering TradFi, FinTech and Payments, and more recently crypto. One constant I’ve observed is that the most damaging exploits are often relatively low-tech, relying heavily on social engineering tactics and hacking rather than sophisticated technical tools. As with many emerging technologies, it’s typically the people behind the exploits who pose the most risk, not the technology itself.
Given the advancements in KYC and AML procedures and technology, the most common fraudulent attempts often involve identity theft or credential theft. As crypto’s user base grows, more retail investors become potential targets. Criminals frequently use phishing, impersonation, and similar schemes to trick users into divulging verification codes and even passwords – which is true of both crypto and online banking. At Bybit, besides continuously enhancing our enterprise security to guard against these threats, we emphasize user education and internal training to keep pace with emerging attack vectors.
On a related note, a recent Chainalysis report highlighted that in 2023 the industry saw a drop in illicit activities of over $15 billion. Much of this progress can be credited to the transparent nature of blockchain technology and to conscious efforts by industry players and regulators to improve security measures. We’re on the right track, and the onus is on all participants to double down on these efforts to keep driving the industry towards a point where it is no longer synonymous with illicit activity.
Q: How do you believe the level of financial crime within the crypto industry compares to that of traditional finance, and do you believe that enhanced compliance and reporting in recent years has succeeded in mitigating this?
A: It’s a tricky comparison because traditional finance dwarfs crypto in terms of overall scale, making direct parallels anything but straightforward. By sheer numbers, TradFi fraud and scams are much larger simply because that ecosystem is far bigger. However, in an emerging industry like crypto, you’re more likely to see a higher percentage of opportunists or rogue actors trying their luck. That said, the view that crypto is the “wild west” is increasingly outdated, at least when it comes to reputable exchanges which now account for the bulk of all centralized trading activity. All major exchanges now require rigorous checks and identification procedures that are akin to those of virtual banks.
There are also encouraging signs that tackling fraud in crypto is getting more effective. Blockchain’s innate transparency makes it easier to trace and investigate suspicious activity. Law enforcement agencies, specialized financial intelligence solution providers, and exchange operators are all becoming more adept at using blockchain’s inherent strengths to prevent crime.
In my experience, there’s also growing convergence of best practices and information sharing between the crypto industry and traditional financial service providers. We’re seeing more partnerships between these sectors, as well as traditional players incorporating blockchain or crypto solutions to meet client demands, particularly for institutional users. Meanwhile, digital assets are expanding into traditional capital markets through BTC and ETH ETFs, indicating a broadening alignment between the worlds of TradFi and crypto.
Q: How has the emergence of AI made KYC/AML harder, and in what ways does the technology also provide defensive capabilities e.g. better facial recognition?
A: Before we get into the defensive side, here are some of the emerging threats changing the security landscape:
Automation of Fraudulent Activities:
a. Sophisticated Fraud Techniques: Criminal enterprises leverage AI algorithms to create more sophisticated scams, allusions to legitimate operations, and fake identities that could bypass traditional KYC checks.
b. Deepfakes: The rise of deepfake technology allows fraudsters to create convincing synthetic identities or present false documentation, making it harder for institutions to verify identities.
Data Overload:
c. Increased Volume of Data: AI generates and analyzes vast amounts of data. This abundance can overwhelm KYC/AML processes, where identifying red flags becomes more challenging due to the sheer volume of transactions and customer profiles.
d. Complexity of Patterns: The complexity of AI-generated behavioral patterns in transaction monitoring can make it harder to distinguish between legitimate and suspicious activities.
Adversarial AI:
e. Countermeasures Against Detection: Criminal organizations can use adversarial machine learning to train models that anticipate and evade KYC/AML detection systems, making it more difficult for financial institutions to keep pace.
Anonymizing Technologies:
f. Use of Anonymity in Transactions: The integration of AI in privacy technologies (e.g., mixing services and privacy-focused cryptocurrencies) allows users to obfuscate their identities and transactions, complicating the traceability efforts required for effective KYC/AML compliance.
AI-Driven Defensive Capabilities in KYC/AML
AI has introduced both new challenges and new defenses in KYC/AML. On the challenge side, criminals are using AI to automate fraudulent activities, creating more sophisticated scams, faking legitimate operations, and producing fabricated identities capable of bypassing traditional KYC checks. Deepfake technology can also be leveraged to craft highly convincing fake documents or synthetic identities, further complicating the verification process.
Compounding these issues is the sheer data volume that AI can generate and analyze. The massive influx of information makes it more difficult for institutions to detect red flags, while adversarial AI techniques enable criminal organizations to train their systems to evade established KYC/AML detection methods. Additionally, anonymizing technologies such as mixing services or privacy-focused cryptocurrencies powered by AI create further obstacles for tracking and identifying illicit transactions.
On the defensive side, AI also offers valuable tools to strengthen KYC/AML. Advanced identity verification methods, including AI-driven facial recognition and the analysis of biometric data, have made onboarding processes faster and more secure. Pattern recognition and anomaly detection algorithms can efficiently comb through transaction histories and user behavior to spot irregularities, while continuous learning systems adapt over time to anticipate evolving criminal methods.
AI-powered natural language processing (NLP) helps compile and analyze information from diverse sources such as emails or social media to create more accurate customer risk profiles. Real-time monitoring systems draw on both historical and live transaction data, providing immediate alerts on suspicious activities and enabling proactive intervention. Furthermore, AI can streamline regulatory compliance through enhanced reporting and facilitate collaboration and information sharing among financial institutions to build a collective defense against emerging threats.
Q: Do you believe that crypto users should have the right to self-custody their assets and to maintain self-hosted wallets without the need to verify their identity?
A: We must acknowledge that at its heart, blockchain technology – and by extension, cryptocurrencies – revolves around principles like decentralization, transparency, and individual sovereignty. Self-custody is closely tied to these values. Service providers as custodians don’t take away the right to self-custody; rather, they give users an alternative. Meanwhile, more user-friendly self-custody solutions are constantly being developed, just as exchanges are growing more sophisticated. This healthy competition enriches the ecosystem, ensuring users have multiple options.
However, when self-custody intersects with active trading and other forms of participation in the wider marketplace, it inevitably bumps into compliance requirements. At some point, most users find themselves needing to verify their identity if they want to move beyond just holding assets in a private wallet. That’s the balancing act: freedom versus compliance.
Exchanges such as Bybit have a responsibility to safeguard users and the broader community against criminal activities. KYC is one of the tools we rely on to achieve that goal. An imperfect analogy might be the choice between holding physical gold bars in a private vault or keeping cash at a bank: self-custody remains an option, while exchanges offer a more liquid and practical alternative.
Q: What role do exchanges such as Bybit play in mitigating the effects of hacks that occur onchain e.g. freezing suspicious assets, reporting fraudulent behavior, and do you believe centralized exchanges should proactively support such efforts where possible, as opposed to focusing on the activities of their own users?
A: Bybit is regulated in multiple jurisdictions, and we’re obligated to comply with valid requests from local authorities. We view the battle against cybercrime and financial crime as part of our core promise to protect customer assets. We proactively screen transactions for suspicious activity and employ AI tools and specialized teams to thwart hacking attempts. In the first half of 2024, for example, Bybit prevented the unauthorized withdrawal of over $79 million worth of digital assets. Our main focus is to safeguard customer funds, and in rare cases that may involve freezing accounts and launching internal investigations.
We also maintain a dedicated team to handle around 1,000 requests per month from law enforcement agencies worldwide. This level of effort reflects our commitment to protecting users and supporting broader security initiatives across the industry.
Q: There are a lot of conflicting crypto regulations due to the lack of a unified regulatory framework governing all internet users. How does this make your job harder, and what are the biggest improvements you would like to see to streamline industry regulation?
A: The global patchwork of regulatory regimes for cryptocurrencies creates uncertainty for businesses and investors alike. Different agencies focus on different risks – some prioritize money laundering, others consumer protection, and still others taxation – making it challenging to build cohesive solutions. From a compliance perspective, this diversity forces us to look at the underlying concerns regulators want to address and figure out comprehensive ways of meeting those concerns.
At Bybit, we believe compliance should mean more than just ticking boxes; it should be about genuinely engaging with and mitigating the risks regulators have identified. We’ve experienced rapid user growth, adding 10 million users in a single month in one of our strongest quarters, so we understand we have a responsibility to help our customers navigate the changing regulatory environment.
I’d like to see major jurisdictions lead the way in developing thoughtful, pragmatic models that promote sustainable growth. Bybit’s global footprint means we can serve as a role model, and through ongoing legal debates and deliberations, I’m optimistic we’ll see more clarity emerge in the near future.
Q: Do you believe that more stringent compliance will incentivize more institutions to enter the industry, and what are the main things that need to be done to accelerate TradFi adoption from a regulatory perspective?
A: Institutional participation in digital assets is already substantial. The intersection of TradFi and the crypto sector’s institutional solutions has expanded rapidly over the past few years. From a B2B standpoint, the nature and depth of compliance differ from B2C, and institutions are generally well-equipped to gauge the compliance standards of their counterparties. What often attracts these larger players is the tech stack, liquidity, and crypto-native capabilities of providers like Bybit. Rather than strict rules alone, regulatory clarity and approvals for crypto-related financial products tend to be the main drivers for institutional adoption.
Better classification of crypto assets would be a major boost. Right now, different tokens can fall under different regulations, forcing investors to manage a complicated set of rules post-launch. When you consider how specialized legal and compliance teams in TradFi are, this complexity can be a significant barrier to entry. We have seen the benefits of a sensible approach to regulating stablecoins in the European Economic Area, which has boosted confidence, improved market stability, and increased investor protection. These benefits could be replicated across other types of cryptocurrencies, providing greater clarity and more uniform standards.
