For years, MEXC was the back door of crypto. If you couldn't KYC, because you were in the US, the UK, mainland China, Singapore, Canada, or other restricted jurisdictions, MEXC let you in anyway. A VPN, an email, and you were trading. 10 BTC a day in withdrawals, no questions asked. By some industry estimates, unverified users were a substantial share of MEXC's book. The exchange built its business on that liquidity, under a tacit "don't ask, don't tell" arrangement that worked beautifully for everyone as long as the music kept playing.
Then MEXC stopped the music. Deposits and withdrawals are now gated by KYC. The 10 BTC unverified limit is gone. For users who can't or won't verify, the very population MEXC quietly courted for years, the only escape is a "Withdrawal Appeal Form" more invasive than the KYC it replaces. A classic bait-and-switch.
This is a betrayal. And the form is a privacy disaster waiting to happen.
The Implicit Deal They Just Broke
Exchanges have the right to change policies. There's a right way to off-ramp users who can’t/don’t want to KYC, and there's MEXC's way.
The right way is what Binance did in 2021: public announcement, phased multi-week window, non-KYC accounts switched to withdraw-only mode. No appeal form, no facial video, no hostage situation. Bitget did the same thing later. This is the standard playbook.
MEXC tore it up. No public timeline, no grandfathered withdraw-only window, no clean exit. Funds deposited under the old rules are now gated behind the new rules, and the only "remediation" is a process designed to make you surrender more personal data than full KYC would have demanded.
The cruelest part is what this does to the users MEXC most aggressively cultivated. A US, UK, Chinese, or Singaporean resident who deposited via VPN now faces two options: walk away, or file the appeal.
What the Form Actually Costs You
Here's what the appeal collects: a government ID, front and back. A live video of the user holding the ID alongside a piece of paper with their full name, ID number, MEXC account UID, and submission date. The face must be visible and unobstructed.
This is more revealing than ordinary KYC because of who fills it out. Ordinary KYC catches everyone: the $50 user, the $500,000 user, all in one bucket. The appeal is self-selecting: only users with enough money to bother filming themselves go through it. If the data leaks, it's a curated list of MEXC users with non-trivial balances, faces and IDs bundled together.
If you think this is paranoia, look at the recent record. The 2020 Ledger leak, names and addresses of 270,000 hardware wallet customers, is still being weaponized in 2026, having seeded six years of phishing campaigns and physical attacks. In May 2025, Coinbase disclosed that bribed contractors leaked KYC data on tens of thousands of users; the resulting social engineering wave cost users tens of millions directly and contributed to the year's spike in physical "wrench attacks." Jameson Lopp's database documented roughly 70 such attacks in 2025, nearly double 2024's count. A US home-invasion ring led by Gilbert St. Felix used leaked exchange KYC data to identify victims before resorting to torture and finger amputation to extract seed phrases.
A MEXC appeal-form leak would be qualitatively worse. Ledger's leak gave attackers names and addresses. Coinbase's gave them KYC details. The MEXC appeal form, leaked, would give all of that plus a clear video of the victim's face and, by implication of having submitted the appeal, confirmation that the victim has a balance worth filing for. Face for recognition or deepfake/ID theft. Home address from the ID. That's a doxx kit specifically curated to identify wealthy crypto holders, exactly the population physical attackers are now actively hunting.
For users in restricted jurisdictions, there's a second layer. The form is its own paper trail to the IRS, FinCEN, HMRC, or whichever local authority. If MEXC ever settles with a regulator the way Binance did with the DOJ, that data goes with the settlement. Users who filed the appeal trying to get out of MEXC will have given MEXC the documentation to hand them to their home government on the way out the door.
What has MEXC said about how this data is stored, encrypted, retained, or destroyed? Nothing of substance. No published audit of the appeal flow, no retention schedule, no breach-notification commitment. MEXC's $100M Guardian Fund covers trading-asset losses, not PII breaches. The Seychelles registration with operations in Dubai puts legal recourse for any future leak somewhere between "limited" and "none." If this data leaks, the affected users are screwed.
What Should Happen and What You Should Do Now
The fix isn't complicated. MEXC should immediately offer a grandfathered withdraw-only window for any account that existed before the policy change. That's the playbook every other major exchange has used in similar transitions. It satisfies any compliance regime the appeal form would. It protects users from leak risk. It generates orders of magnitude less PR damage. There is no defensible reason it isn't already in place.
MEXC built itself on the trust of users who specifically wanted to avoid centralized data hoards. It's now demanding deeper data submission from those exact users drawn to its honeypot and offering nothing in the way of security commitments in return. That isn't compliance. That's predation in a compliance costume.
If you're affected, be loud. Their calculation depends on you swallowing the loss quietly or filling out the form quietly. Don't.
MEXC's Quiet Betrayal, and the Hostage Form That Makes It Worse
by u/One-Assist4100 in CryptoCurrency
1 Comment
Anyone thinking that this eventually wasn’t going to be the case is an idiot imo. If you use a CEX you’re always going to be at the whim of potential KYC/AML, this isn’t 2014.