Cryptocurrency exchanges Bybit, Bitget and OKX had nearly a million "monthly active users" in the U.S. in August, data from Sensor Tower shows.
That doesn't mean these MAUs were trading in violation of U.S. rules; they could've just been engaging in allowed behavior like checking crypto prices.
But with VPNs, it's possible for Americans to circumvent geoblocks, a costly lesson exchange giant Binance recently learned.
At many crypto exchanges around the world, U.S. residents are like visitors to an art museum. They can look, but they're not supposed to touch.
Apparently, a lot of Americans are at least looking. Are any of them touching?
Bybit, Bitget and OKX, three of the largest cryptocurrency exchanges, all prohibit traders from the U.S., where the companies are not licensed. Yet in August, the three exchanges combined had almost a million monthly active users (MAUs) in the U.S., according to research by Sensor Tower obtained by CoinDesk.
To be clear: "active" does not necessarily mean trading. If someone in the U.S. downloads the mobile app from Apple or Google and then does anything with it during a given month, they count as an MAU. Gawk at a price chart, as one might do on CoinDesk's price pages? That exchange would not be abetting rule-breaking behavior. It might be if the American trades, however.
Almost exactly a year ago, Binance, the world's top exchange, was forced to write a more than $4 billion check to the U.S. government to settle allegations that, in part, hinged on improperly allowing Americans to trade on its platform. Since then, the cryptocurrency industry has been on notice: Having customers in the United States can be a costly mistake.
Polymarket might be on a path to learning that, too, amid news that its CEO's home was raided last week — reportedly because people in the U.S., contrary to a 2022 deal with regulators, may have traded on the popular prediction market. (Though who knows if incoming President Donald Trump's Department of Justice will put its weight behind any investigation.)
Even though Bybit, Bitget and OKX warn website visitors with U.S. IP addresses that they are ineligible to trade, users can disguise their locations using virtual private networks, or VPNs. And even though all three exchanges erect another barrier to keep Americans out by requiring some level of customer identification, traders determined to get around such hurdles have been known to obtain fake, stolen or rented credentials.
VPN and a fake ID
In jurisdictions with stringent cryptocurrency regulations, such as the United States, it is common for individuals to resort to VPNs to access offshore cryptocurrency exchanges, said Daniel Arroche, partner at French crypto law firm d&a partners.
“Although this practice often violates the terms of service of many platforms, it highlights the persistent demand for access to global markets despite regulatory hurdles,” Arroche said.
A spokesperson for Sensor Tower said it's impossible for his company to determine what exchange app users are doing.
“We can neither confirm nor deny if U.S. users are using VPNs to change their location to access trading,” the spokesperson said via email. (The research, which is paywalled, was shared with CoinDesk by a third party.)
A video shared with CoinDesk, whose creator requested it not be published with this story, shows how an American can easily circumvent Bybit’s geofencing.
The video shows a user first visiting whatismyip.com to display their U.S.-based IP address with the VPN disconnected. Next, they connect to a VPN and change their IP address to a country allowed by Bybit's terms of use. The user then opens the Bybit app, logs in and successfully completes know-your-customer checks using a non-U.S. ID belonging to someone else. After that, they add funds and trade crypto on the platform from the U.S. without any issues.
Americans can bypass geoblocking rules by purchasing someone else's know-your-customer (KYC) information for less than $50 worth of crypto. A series of screenshots shared with CoinDesk showed how a U.S. user provided their login credentials to someone they met on X (formerly Twitter). Shortly after, the U.S. user was verified and able to trade freely on the exchange using the identity of a Kenyan.
The crypto exchanges respond
Bybit, an exchange that has risen rapidly in the last year or so to become the second-largest behind Binance by some estimates, seems to host the largest contingent of MAUs in the U.S. — a jurisdiction the firm says is categorically excluded from its platform — with 451,800 such users in August, according to the Sensor Tower data.
The next largest in terms of numbers of U.S. MAUs was Bitget with 281,600, followed by OKX with 144,000, also recorded in August by Sensor Tower, a data provider cited on occasion by the likes of The Wall Street Journal, New York Times and Bloomberg.
A spokesperson for Bybit said the exchange has taken various measures, including KYC procedures and IP address bans, to ensure that its services and products are not available to people from restricted jurisdictions.
“Users who attempt to download the app or access the platform from restricted jurisdictions will not be able to complete the registration process unless the KYC documents they submitted have indicated otherwise. Additionally, Bybit has implemented IP restrictions to block access from those restricted jurisdictions,” the spokesperson said.
Bybit did not respond to follow-up questions about VPNs and rented IDs.
Bitget said it "adheres to global compliance standards by enforcing region-based restrictions including the prohibited access of citizens of the US and various countries" and that "anyone attempting to access the Bitget app from any U.S. IP address will receive notifications indicating that access is restricted."
As for the Sensor Tower data, Bitget said, “one possible explanation … is that users from other countries utilize methods such as VPNs to mask their locations and download crypto exchange apps through app stores. Sensor Tower only tracks the country from which the app was downloaded, without being able to further discern the users' actual nationality.”
OKX did not respond to requests for comment.