One attraction of Binance, as the company grew from its 2017 founding into the biggest cryptocurrency exchange in the world, was the firm’s freewheeling flouting of rules. As it amassed well over 100 million crypto-trading users globally, it openly told the United States government that, as an offshore operation, it didn’t have to comply with the country’s financial regulations and money-laundering laws.
Then, late last month, those years of brushing off US regulators caught up with the company in the form of one the most punitive money-laundering criminal settlements in the history of the US Justice Department. The crackdown doesn’t just mean a chastened Binance will have to change its practices going forward. It means that when the company is sentenced in a matter of months, it will be forced to open its past books to regulators, too. What was once a haven for anarchic crypto commerce is about to be transformed into the opposite: perhaps the most fed-friendly business in the cryptocurrency industry, retroactively offering more than a half-decade of users’ transaction records to US regulators and law enforcement.
When the Department of Justice announced on November 21 that Binance’s executives had agreed to plead guilty to criminal money-laundering charges, much of the attention on that settlement focused on founder Changpeng Zhao giving up his CEO role and on the company’s record-breaking $4.3 billion fine. But Binance’s settlement agreements with the DOJ and the US Treasury Department also stipulate a strict new regime of data-sharing with law enforcement and regulators. The company has agreed to comply with regulators’ “requests for information”—a term that carries none of the evidence or suspicion requirements necessary for obtaining a warrant or even a subpoena—to the point of producing any “information, testimony, document, record, or other tangible evidence.”
Binance has also agreed to scour all of its transactions from 2018 to 2022 and file suspicious activity reports (SARs) for anything it deems a potential violation of US law from that five-year period. That “SAR lookback” means the company will now be actively scrutinizing its customers in retrospect, not just passively assenting to regulators poring over its databases. Those SARs are collected by FinCEN, the Treasury Department’s financial crimes division, but then made available to law enforcement agencies from the FBI to IRS Criminal Investigations to local police. And all of this new scrutiny will be overseen by a “monitor” firm chosen by the US government but paid by Binance—an in-house watchdog assigned to make sure Binance is complying in good faith.
“I don’t think Binance’s customers have the slightest clue of the ramifications of this plea and consent decree. It’s unprecedented,” says John Reed Stark, who spent 20 years as an attorney at the US Securities and Exchange Commission (SEC), including as the founder of its Office of Internet Enforcement. “If they’re a drug dealer or a terrorist or a child pornography peddler, they’re going to get caught.” He describes Binance’s agreement as a “24/7, 365-days-a-year financial colonoscopy.”
One US prosecutor, who asked not to be named because they weren’t authorized to speak to media about the case, calls the degree of access to Binance’s records described in the agreement “kind of crazy,” and remains in disbelief at the idea of Binance abiding by the settlement. “I don’t know what kind of business would want to operate while allowing that much government oversight, especially one that’s deliberately stayed out of the US so that they’re not under our nose,” they say. “The other option must have been really bad.”
If Binance does comply, however, the prosecutor adds that “it would be a game changer in taking down transnational syndicates doing evil deeds worldwide and trying to shield those crimes by using cryptocurrency to move money.”
Binance’s chief compliance officer, Noah Perlman, tells WIRED that Binance has collected “know-your-customer” information on users and cooperated with US law enforcement on data requests for the past two years. He added that all reports to the monitor firm inside Binance would be “confidential”—as in, not shared publicly, only with the US government—and that it would continue to abide by data privacy laws in the jurisdictions where it operates.
But Perlman also says he’s “excited” for the new era the agreements represent for Binance. “I feel like this is a great opportunity for Binance to set the standard for what compliance in this industry should look like,” he says. “For the general community, removing concerns of illicit finance in crypto is one of the most important things we can do to drive mainstream adoption. Hopefully, the vast majority of users will feel that there’s assurance here, that the funds are safer than ever, and they have nothing to worry about as long as they’re not part of the very small, small group of users that use crypto for illicit purposes.”
While Binance’s new radical transparency may be welcomed by law enforcement and regulators, its users and advocates of financial privacy may not be so pleased. Human Rights Foundation chief strategy officer Alex Gladstein calls the settlement an “overreach” that he believes is part of a US regulatory effort to set a precedent for crypto as a whole. “They’re going to try to force people to use these regulated platforms where everything is monitorable,” Gladstein says. He adds that Binance is “an unsavory corporation, but still, it’s alarming what the US government is doing.”
Digital civil liberties nonprofit the Electronic Frontier Foundation, too, has historically called on cryptocurrency exchanges to stop giving up users’ transaction data to law enforcement and regulators without notifying those users. Now, the Binance settlement would create perhaps the most extreme case yet of that crypto exchange data-sharing, giving the US government wholesale access to the records of a crypto hub that at some points processed billions of transactions a day.
“EFF is increasingly worried about law enforcement turning to intermediaries such as cryptocurrency exchanges and hosted wallet providers to obtain sensitive user data,” the EFF’s cryptocurrency-focused attorney, Marta Belcher, wrote in a 2020 blog post. “The fact that the transactions are made through cryptocurrency rather than through traditional financial channels indicates that the transactions are more likely to be sensitive, and that the person making the transaction may be turning to cryptocurrency precisely because of the privacy protection it provides.” That argument may apply particularly to Binance, given its early reputation as an offshore exchange that didn’t bow to US government data demands.
In fact, some Binance users may not have considered the risk of their data becoming available to crypto investigators in the new settlement, in part because Binance has at some points collected far less data on its users than other exchanges. Part of Binance’s appeal to users has been that, for years, it asked only for a user’s email address to set up an account—one of its many now-admitted violations of US know-your-customer requirements that led to last month’s crackdown.
But US law enforcement has proven that even troves of exchange data that lack users’ names can nonetheless be highly revealing of their financial history—especially in combination with blockchain data and information from other exchanges that usually do comply with know-your-customer laws. In the case of the Welcome to Video child sexual abuse materials dark-web site in 2017, for instance, one alleged abuser was identified and arrested after his email address was tied to an account on the cryptocurrency exchange BTC-e, which authorities had seized months earlier.
In another case, BTC-e’s data allowed IRS criminal investigators to identify a hacker who had taken nearly 70,000 bitcoins from the Silk Road dark-web drug market—worth more than $3 billion today—and then track them down and seize the funds. Though BTC-e didn’t collect users’ names or other identifying details, its data still served as the missing link in both those cases—just as Binance’s no doubt will in many more investigations to come.
Assenting to have US regulators comb through its data, for a company that spent years resisting regulation, may be a severe culture shock, says Stark, the former SEC attorney. He says he won’t be surprised if the company ends up violating the terms of the agreement. “It’s like taking someone who’s been a drug addict for a decade and drug-testing them every day and thinking that they’re not going to try to sneak something in,” he says.
Ultimately, with enormous fines and criminal sentences hanging over the heads of its executives—and worse punishments if its settlement falls through—Binance may not have a choice about baring its soul to the US government. Neither, whether they know it or not, will its users.