Binance is the world’s largest crypto exchange by volume and assets, processing $9.5 trillion worth of trades in 2021 alone. But it’s not supposed to be allowed to operate in China, which banned cryptocurrency trading in 2021.

Binance founder Changpeng “CZ” Zhao has touted the exchange’s know-your-customer systems, known as KYC, as a billion-dollar effort. Among other functions, they are supposed to stop customers that aren’t supposed to be on the platform, including residents of China.

But customers in China and around the world regularly subvert Binance’s controls to hide their country of residence or origin, messages in Binance’s official Chinese-language chatrooms show.

CNBC obtained, translated and reviewed hundreds of messages from a Discord server and Telegram group which are controlled and operated by Binance. More than 220,000 users were registered across both groups, which were freely accessible to anyone who registered and joined. Until late March, there were no controls on access, which is how CNBC was able to review messages from 2021 to 2023.

The messages CNBC reviewed come from accounts identified as Binance employees or Binance-trained volunteers known as “Angels.” In these messages, they shared techniques that can be used to evade Binance’s KYC, residency, and verification systems.

Some of the techniques that employees and volunteers have shared involve forging bank documents or offering false addresses. Others involve simple manipulation of Binance’s systems.

Employees, volunteers, and customers also shared video guides and documents that showed mainland residents how to falsify their country of residence in order to obtain Binance’s debit card, which would effectively turn their Binance crypto into a conventional checking account.

Whatever the method, Binance’s Chinese users take on a significant risk: In China, crypto exchanges have been outlawed since 2017, while crypto itself was outlawed in 2021. Many of the products that Chinese residents seek access to are also illegal under Chinese law.

The techniques shared with and among customers also call into question the effectiveness of Binance’s anti-money laundering efforts. For international businesses like Binance, KYC and anti-money laundering efforts are critical in ensuring customers aren’t engaged in illegal activity, like terrorism or fraud.

Experts in financial regulation shared concern that Binance’s KYC and AML efforts can be so easily thwarted.

“If I had a eight out of 10 concern about Binance from a regulatory perspective and from a national security perspective, this takes it to a 10 out of 10,” Duke University professor and former FDIC chief innovation officer Sultan Meghji told CNBC.

Meghji’s concerns about the laxity of Binance’s enforcement of KYC guidelines extend beyond China. “I think explicitly about the national security implications of how terrorists, criminals, money launderers, cyber people in North Korea, Russian oligarchs, et cetera, could use this to get access to this infrastructure,” he said, referring to some of the techniques described.

Wells Fargo anti-money laundering executive Jim Richards agreed that the techniques for bypassing Binance’s KYC controls could have implications beyond China. “What about North Korean customers, or Russian customers, or Iranian customers?” Richards asked.

When reached for comment on the findings in this article, a Binance spokesperson told CNBC, “We have taken action against employees who may have violated our internal policies including wrongly soliciting or making recommendations that are not allowed or in line with our standards. We have strict policies requiring all users to pass KYC by providing us with their country of residence and other personal identification information.”

The spokesperson added, “Binance employees are explicitly forbidden from suggesting or supporting users in circumventing their local laws and regulatory policies, and would be immediately dismissed or audited if found to have violated those policies.”

CNBC also reached out to the Binance employees and Angels named in this article. One told CNBC to contact Binance’s PR team. The rest did not reply.

In 2021, after China banned cryptocurrency, Bloomberg reported that Binance had stopped letting Chinese mobile phone numbers register. The company told Bloomberg that it had blocked Chinese IP addresses as well. 

But Chinese customers have continued to seek ways to trade on Binance, which include using instructions provided by employees and volunteers. In some cases, these instructions rely on virtual private networks, or VPNs, software that can disguise the user’s location and send messages through the Chinese Internet firewall.

In May 2022, in a support channel on Binance’s Discord server, a user asked “How can mainland users register now?”

A person using the handle Yaya and identifying as a Binance employee told them to activate their VPN and register as a Taiwanese resident, then switch their nationality back to China. The employee also suggested avoiding using VPN nodes in the “United States, Singapore, and Hong Kong.” Binance officially restricts access to certain products in those countries.

There are steps that exchanges can and should take to prevent VPN use, said Neel Maitra, a partner at law firm Wilson Sonsini and a former SEC senior special counsel for cryptocurrency issues.

“Most best practices by exchanges also account for common evasive behaviors,” Maitra told CNBC. “While it is true an exchange cannot necessarily prevent or effectively police all possible forms of evasion, I think most regulators would require that they police against the most common evasive forms.”

Binance told CNBC it had implemented “advanced detection tools” to root out users in “restricted and sanctioned regions that had access to sophisticated masking tools including VPNs.”

In other cases, the advice does not rely on a VPN.

In Dec. 2022, a person with the handle Stella, who was identified as a Binance community manager in the company’s online marketing materials, posted messages in a server-wide announcement channel, explaining how people could use a specialized “VPN-free” domain name and download an app which appears to be specifically tailored for customers in mainland China to use Binance services.

CNBC was provided the link to this app from an email address with a binance.com domain. A reporter was able to download the app from a location within China without a VPN, and register using a Chinese phone number. The app is hosted on Tencent, which offers a cloud computing service popular within China, and offers the ability to purchase crypto from other Binance customers in prices denominated in Chinese yuan, using the popular Chinese apps WeChat or Alipay. It also has options to submit Chinese identity documents for KYC verification.

Binance told CNBC it does not offer a specialized version of its app for Chinese customers. “‘Binance does not offer a ‘Binance Chinese Android app,” a spokesperson said. “There is only one official Binance app.”

More often, employees appear to refer questions about KYC to Binance Angels, creating a gap between the company and potential regulatory violations, messages reviewed by CNBC show. Binance has emphasized that Angels “are not representatives of Binance.”

“Our role is limited, and we do not speak on Binance’s behalf,” an Angel said in a Binance blog post.

But Binance’s Chinese-language Angels go through a separate training process that takes up to a year, according to a Binance hiring page. They’re vetted, trained, and deployed across Binance’s Telegram and Discord groups, operating under the supervision of Binance employees.

Reuters has previously reported on how Binance offers their Angels crypto discounts for their work.

In one Oct. 2022 exchange reviewed by CNBC, an Angel advised a user who was having trouble accessing the specialized Binance websites that were supposed to work within mainland China.

That Angel told the user to switch their VPN to a different region and try again.

“How do users in mainland China register their accounts?” another user asked in a Mar. 2022 message.

“Register with an overseas email address,” the same Angel responded, before telling the user to pick Taiwan as their residence.

That volunteer offered similar guidance to other customers. In Apr. 2022, another purported mainland China resident asked “What could I do if proof of residence is required? Can I change my place of residence?”

“Proof of registered residence is not required,” this Angel responded.

In another case, a purported mainland resident worried about uploading their Chinese identity documents, messages from March 2022 show. The same Angel reassured the user they could claim to be in Taiwan but still submit a Chinese identity card, and Binance wouldn’t stop them.

“[Binance] doesn’t do business on the mainland, but it can’t stop mainland users from bypassing the great firewall to play,” the Angel assured the user.

Angels also teach users about the exchange’s offerings, best practices, and the blockchain.

In one question-and-answer lesson from Apr. 2022, two Binance Angels showed Chinese users how they could participate in Launchpad, Binance’s IPO-like product for new crypto tokens.

Chinese residents are prohibited from participating in initial exchange offerings under Chinese laws, including a specific ban on initial coin offerings.

“How do mainland users participate in Launchpad?” the Angel leading the session asked, rhetorically.

Several users said it was impossible.

But other participants in the Q&A, including a different Angel, said registering a foreign company or with foreign KYC would let mainland users sidestep Binance’s controls.

“Congratulations to this top student,” the session-leading Angel responded to the user who answered “overseas company” the fastest.

In comment to CNBC about the findings in this article, Binance reiterated that the Angels are not employees.

“Binance Angel Program is a community ambassador program, no different than the community ambassadors that operate on other platforms like Wikipedia and Reddit. Binance Angels are not given access to Binance equipment or Binance internal systems, nor do they have the authority to speak for Binance. Binance Angels are forbidden from sharing recommendations that are against our company policies or the law and would be immediately removed from the Binance Angel Program if they were found doing so.”

Palau launched its digital residency program in 2022 in an effort to modernize physical identity cards, rolling out an NFT-linked identity card that’s available for a few hundred U.S. dollars annually.

In a 2022 visit to the archipelago, Zhao called it a “very innovative” effort.

But Palau’s program also lets users around the world access Binance using their Palau “residency” to hide their country of citizenship and residency.

Customers openly referred to Palau’s program as a way to sidestep Binance’s country-specific controls, according to Telegram and Discord messages CNBC reviewed.

When users asked how to access products and currencies otherwise unavailable to Chinese residents, Angels guided them to an Oct. 2022 tweet from a handle that belongs to a Binance client relationship manager, according to a Binance customer who worked with them. That tweet, which has since been deleted, linked to a third-party Mandarin YouTube guide on using the Palau residency to pass Binance’s European Union KYC controls, even if the user lived outside the EU.

“Passing” allowed users to apply for Binance’s restricted Visa debit card, which lets them turn their crypto into fiat currency for use anywhere. (Visa declined to provide comment for this story.)

Specifically, the third-party video walks users through how to register with Palau, purchase the Palau ID, and upload the ID to Binance’s exchange. It then shows a user how to create a placeholder mail-forwarding Austrian address. Then, it offers an apparently genuine bank statement from the video creator’s German bank account, and explains how to modify the bank statement to include the Austrian address. Forging the bank statement takes nothing more than a PDF editor, according to the video’s creator.

In Nov. 2022, one user who said they were in mainland China inquired about the Binance Card, messages from the Discord server show. An Angel directed them to the video, and suggested it would help them get it.

In comment to CNBC, Binance says it did not have any part in creating the video guide. “That video is not a Binance-owned piece of content, nor is the content creator a Binance employee or even a Binance Angel.”

The technique of using fake Austrian credentials was well-known enough to be discussed in other chats in Nov. and Dec. 2022, although some of these chats did not make specific reference to this video.

One Binance employee warned an applicant not to apply for the Binance debit card “casually,” noting, “Some users said their accounts were banned after attempts to change their addresses to unauthorized countries.”

The customer reassured the Binance employee that they had used Austrian bank statements.

Similarly, in Dec. 2022 messages on Binance’s Chinese-language Telegram group, users complained that they couldn’t get a Binance debit card.

“If you are Chinese, you can’t,” one user said.

Another user guided them to a different video that used the same false proof-of-address and took advantage of an account from the same German bank.

“What if you can’t produce the relevant documents?” the creator of this second video asked rhetorically. “You can join my Telegram group. Someone in my group provides this service which can help you customize this address certificate.”

Or, the creator continued, mainland users could obtain “proof of address” or “overseas professional customization” on Taobao, a Chinese marketplace.

Regulatory and compliance experts told CNBC they were alarmed by how easily Binance users were able to fake KYC credentials.

“I’m sitting at main Justice, or the National Security Council, I get very concerned hearing this. If I’m sitting at the IRS, I get very concerned about this,” Meghji told CNBC.

Richards told CNBC that any unauthorized access to Binance would concern the exchange’s traditional financial partners, from Visa to a customer’s bank. If a user tried to withdraw funds from Binance into a JP Morgan Chase checking account, for example, it might cause some concern.

“Chase would look at the source of funds and see that they’re coming from Binance,” Richards said. “And if they know that Binance is suspect, then the source of funds could be seen as suspect.”

CNBC asked Binance for comment on the substance of all the reporting in this article, and shared several specific posts and messages in the process. All of those messages and posts, including the Binance employee’s Tweet sharing the how-to video, were deleted after CNBC provided them to Binance.

In addition, hours after Binance responded to CNBC, messages apeared on Twitter suggesting that some customers’ Binance debit cards had been frozen.

“Why is my Binance card frozen?” the customer asked in Chinese.

The employee told the customer to take their concerns to Binance’s banking partner.

“How do Binance applicants know which bank is issuing the card?” the user retorted.

— CNBC’s Hakyung Kim contributed to this report.