A victim of a roughly $250,000 crypto theft received a legal-threat email from KuCoin instead of assistance recovering the money, on-chain investigator ZachXBT alleged on Tuesday — a response he framed as the exchange protecting itself rather than the user whose stolen funds it allegedly helped move.
A legal letter, not a lifeline
ZachXBT said KuCoin had sent a formal legal warning to a victim whose stolen assets were laundered through accounts on the exchange. The screenshot of the email, shared publicly by its recipient, comes from the “KuCoin Customer Care and Support Team” and is, on its face, a rights-reservation notice: it acknowledges the recipient’s right to raise concerns through proper legal and regulatory channels, then warns that any “false, misleading, defamatory, harassing, threatening or otherwise unlawful statements” about the company “may give rise to legal claims,” before closing that “all rights are expressly reserved.”
The recipient, posting under the handle dnbwizard, read it as something blunter, calling the message “Hilarious” and saying KuCoin was “threatening to sue me.” Whether the letter is best described as a routine defamation warning or an attempt to intimidate a complainant is the crux of the dispute—and it is the optics that have driven the reaction.
To ZachXBT and much of the audience that amplified his post, sending any version of a cease-and-desist to a person who has just lost $250,000, rather than moving to trace or freeze the funds, is the wrong instinct from an exchange that sits in the path of the stolen money.
It is worth stating plainly what is and isn’t being alleged. The claim is not that KuCoin stole the funds or knowingly laundered them. The open questions are narrower and more uncomfortable: whether stolen assets reached KuCoin-controlled deposit accounts, whether those accounts were opened with fraudulent identity documents, and whether the exchange’s response to both the victim and law enforcement was adequate. None of it has been tested in court, and KuCoin has not issued a detailed public rebuttal specific to this case.
How $250,000 reached KuCoin, and what “mule KYC” means
The theft itself dates to August 18, 2025, when the victim lost about $250,000 to Atomic Stealer, a strain of malware that targets crypto users by lifting seed phrases and private keys from infected devices. From there, according to ZachXBT, the funds moved into multiple KuCoin deposit addresses; he published one theft address and five KuCoin deposit addresses that he says received the proceeds.
The detail that elevates the case is how those receiving accounts were allegedly opened: with “purchased mule KYC.” Mule KYC is a persistent weak point in crypto laundering, and understanding it explains why these cases so often end badly for victims. Fraud operators buy or rent exchange accounts that have already passed identity verification using a real third party’s documents, then route stolen funds through them—converting, splitting, or withdrawing the assets before an exchange’s compliance systems flag the activity.
The blockchain trail is visible almost immediately, but recovery hinges on something the victim cannot control: whether the exchange freezes the receiving account before the money is swapped, bridged, or cashed out. Every hour of delay widens the gap. When an exchange instead responds to the person raising the alarm with a legal letter, ZachXBT’s argument runs, that window closes for good.
A pattern ZachXBT has flagged for months
This is not the first time the investigator has put KuCoin’s compliance under a spotlight, and the context is what gives the latest alert its weight. In April, ZachXBT tied more than $13 million in stolen funds to KuCoin deposit addresses, including over $9.5 million drained from victims of a counterfeit Ledger Live app on Apple’s Mac App Store, routed through more than 150 KuCoin addresses linked to a centralized mixing service called AudiA6, plus roughly $3.5 million from the Bitcoin Depot incident moved through 25 more.
He has accused the exchange of enabling instant swaps that sidestep due diligence, of responding slowly to law enforcement, and — in his sharpest framing — of being “complicit” by allowing illicit activity to flow “as long as it generates fees,” a characterization KuCoin rejects. The accusations sit alongside his broader campaign pressing centralized exchanges on accountability, from his labeling of Bitget as part of a “Chinese CEX cartel” to recent alerts on other platforms.
A $297 million guilty plea, and KuCoin’s defense
The history that makes the current allegation resonate is regulatory. In January 2025, KuCoin pleaded guilty in the United States to operating an unlicensed money-transmitting business and agreed to pay more than $297 million in penalties, resolving charges the Department of Justice first filed in March 2024. Prosecutors alleged the exchange had failed to maintain effective anti-money-laundering and know-your-customer programs and had moved billions of dollars in suspicious and criminal funds through its platform over several years.
The scrutiny has continued since: Austria’s financial regulator authorized KuCoin’s European entity under the EU’s MiCA regime, then barred it from taking on new business until it filled key AML and sanctions-compliance roles, an order KuCoin is appealing. Against that backdrop, ZachXBT’s recurring claim — that stolen funds keep flowing through KuCoin and that victims struggle to get help — reads less like an isolated complaint than a continuation of the exact failures the company already paid to settle.
KuCoin’s position, conveyed through its moderator accounts in replies to related posts, is that it takes security, user protection, and compliance seriously. The exchange says it reviews reports through internal procedures, encourages victims to work with law enforcement as the parties best positioned to investigate, will cooperate with authorities where appropriate, and has communicated with the relevant user through proper channels. It has not, as of publication, addressed the specific laundering trail or the legal letter in a detailed public statement.
The bigger question
Stripped to its essentials, the dispute is about what an exchange owes the victim of a crime that runs through its books. KuCoin’s defenders can fairly note that platforms face genuine legal exposure, cannot freeze accounts on the basis of unverified social-media claims, and are right to direct victims toward law enforcement and to guard against defamation. Its critics counter that an exchange penalized nearly $300 million for AML failures and repeatedly shown stolen funds moving through its accounts invites exactly this scrutiny—and that answering a victim with a lawyer’s letter is the clearest possible signal of where its priorities lie.
Several questions remain unresolved: whether the five deposit accounts were in fact opened with mule KYC, whether KuCoin froze any of the funds, what it told law enforcement and when, and whether the legal letter was a standard template or a targeted response. Until KuCoin answers them, the episode stands as another data point in a debate the industry has not settled—whether centralized exchanges, the chokepoints through which most stolen crypto must eventually pass, are doing enough to help the people on the losing end of it or merely enough to protect themselves.
