What went wrong
Cubits was an online cryptocurrency trading/exchange platform which provided B2B and B2C services to buy, sell and accept cryptocurrency (predominantly Bitcoin (BTC)). Although the main business traded through Dooga Ltd, a company incorporated in the UK, its operations were based in Germany and Malta.
To extend its services to its growing customer base in China, Cubits used an intermediary payment service provider, Pay Secure Online (PaySec), to overcome the restrictions in place in that region at the time. PaySec was responsible for the cash settlement of BTC purchased by Cubits’ Chinese customers. On or around 5 February 2018 the accounts of three Chinese customers were allegedly hacked, resulting in the loss of BTC with a cash value of circa €29 million (February Fraud). Cubits had not received the funds owed to it for the BTC purchased by the three Chinese customers, nor could it recover the BTC purchased by these customers.
In total, PaySec owed Cubits circa €35 million, which includes circa €6.9 million relating to transactions pre-dating the February Fraud. The exchange was insolvent.
What they should have done
The investigations conducted on this case have highlighted areas which, if in place at the time, may have prevented the February Fraud:
1. Due diligence
If this had been completed on PaySec and its company officers, the connection to well-known UK criminals and organised crime would have been immediately clear, and Cubits could have avoided any interaction with the company.
2. Security policy/procedures
There were no known security measures or procedures in place prior to the February Fraud. There were no fail-safes to raise the alarm if trading activity was unusual, no human monitoring of the system, and no step-by-step policy to follow when restrictions were met.
3. Cold wallet
Cubits advertised itself as a platform which held customer funds in cold storage; however, this was not the practice. If customers’ crypto had been held in a cold wallet, Cubits would not have been able to transfer €29m of BTC to the Chinese customers.
New regulations
Under The Money Laundering and Terrorist Financing (Amendment) Regulations 2019, from 10 January 2020, any company providing cryptocurrency services in the UK is considered to be a regulated entity and is subject to AML rules and legislation. In practice this means they must register with the FCA and conduct due diligence: carry out risk assessments, appoint an MLRO, devise internal compliance documentation including AML policies and procedures, and provide their staff with AML training.
Limitations
The new regulations will make it harder for criminals to launder money through cryptocurrency exchanges and will make exchanges responsible for preventing the flow of illegal monies through their platforms. In relation to Cubits, however, the new regulations do little to assist supplier relationships, and this remains a problem to be suitably addressed.