You find a swap service that says "no KYC." You read it twice to make sure. No account needed. No ID. Just send your coins, get your coins. Simple.
So you send $2,000 in Bitcoin.
And then nothing happens. Your swap sits at "processing" for an hour. Then two. Then you get an email that starts with something like "Dear valued user, as part of our compliance obligations..." and your stomach drops. They want your passport. A selfie. Proof of where the money came from. Your coins are frozen until you hand over everything they ask for.
Welcome to shotgun KYC, the crypto bait and switch that's burned thousands of people and locked up millions of dollars' worth of cryptocurrency. And the worst part? It's completely legal in most jurisdictions.
I've been watching this pattern play out since at least 2019, and honestly, it's only getting worse. More services are doing it. More money is getting stuck. And most people don't even know the term for what just happened to them.
So let's talk about what shotgun KYC actually is, why exchanges pull this move, and (most importantly) what you can do about it before your coins end up in compliance limbo.
What Does "Shotgun KYC" Actually Mean?
The term isn't in any law book or regulatory framework. You won't find it in the FATF guidelines or the EU's MiCA regulation. It's a phrase coined by frustrated crypto users who kept running into the same infuriating pattern.
Here's what it describes: a crypto exchange or swap service that markets itself as "no KYC" or "minimal KYC," accepts your deposit, and then retroactively demands full identity verification before they'll release your funds or complete the trade.
The privacy directory KYCnot.me actually rates services with a "Shotgun KYC level" to warn people that identity checks might be triggered after you've already sent your coins. The fact that this has become an official classification on a major crypto privacy resource tells you something about how widespread the problem is.
Think of it like a restaurant that lets you eat the entire meal, then tells you they need to see three forms of ID before you can leave. Except in this version, you haven't even gotten the meal yet. They've just taken your money and are holding it behind the counter while asking you to prove you're allowed to eat here.
A commenter on Hacker News described it perfectly: exchanges "will allow you to deposit but as soon as you show signs of using that money they take it as hostage until you prove you are not a criminal."
That's shotgun KYC in a nutshell.
How the Trap Works, Step by Step
Here's the typical flow, and I want to be specific because understanding the mechanics helps you spot the red flags before you fall into this.
Step 1: You find an instant swap service. It says "no registration" or "no KYC required." Maybe it's recommended on a forum or a crypto comparison site. Looks clean.
Step 2: You create a swap. Pick your pair (say BTC to ETH), enter a destination address, and the service gives you a deposit address to send your coins to.
Step 3: You send your crypto. The blockchain confirms the transaction. Your coins are now sitting on an address controlled by the service. You don't control them anymore.
Step 4: The service's AML risk engine kicks in. It runs your sending address through blockchain analytics tools (companies like Chainalysis and Elliptic provide these). The engine checks whether your address has any history touching mixers, darknet markets, sanctioned entities, gambling platforms, stolen funds, or anything else that trips their risk scoring algorithm.
Step 5a (the good outcome): Your risk score comes back low. The swap completes in minutes. You never even know the screening happened. Life goes on.
Step 5b (the bad outcome): Something flags. Maybe your coins passed through a mixing service three hops back. Maybe you received funds from someone who once interacted with a sanctioned address. Maybe the amount is just large enough to trigger enhanced scrutiny. Whatever the reason, your swap is now "suspended."
Step 6: You get an email or a support message asking for government issued ID, a selfie holding your ID, proof of address, and sometimes detailed proof of where the funds originated. Screenshots of other exchange accounts. Pay stubs. Bank statements.
Step 7: Your funds sit frozen while you either comply (which can take days or weeks of back and forth) or refuse (in which case your money might sit there for months, or you might never see it again).
That's it. That's the whole scam. And I call it a scam knowing full well that the exchanges will tell you it's "regulatory compliance." But when you market a service as no KYC and then demand KYC after you have someone's money? Come on.
Real Cases: This Isn't Theoretical
Let me give you some actual examples, because I think it's important to understand that this isn't some edge case that happens to one person every few years.
The $440,000 ChangeNOW Dispute
This is probably the most well known case. A Bitcointalk thread titled "SCAM, Changenow.io illegally holding 440,000$" documents a user who claims approximately $440,000 equivalent was frozen after initiating a swap through ChangeNOW. The service responded publicly, saying the transaction was suspended pending proof of rightful ownership and AML compliance checks.
The thread attracted multiple other users sharing similar experiences. The pattern was always the same: deposit accepted, operation suspended, KYC demanded, funds locked for weeks or indefinitely.
ChangeNOW's own position was that no complaining users had successfully completed the required verification to prove ownership, and the funds would remain suspended until that happened. Users countered that the requirements were unreasonable or impossible to meet.
Four hundred and forty thousand dollars. Frozen. On a service marketed as "no KYC."
FixedFloat Complaints
Trustpilot reviews for FixedFloat (ff.io) show a similar pattern. Plenty of positive reviews from people whose swaps went through fine (because most do, which is part of what makes this so insidious). But mixed in are recurring complaints about funds "pending" or "on hold" for AML review, requests for additional verification, and long delays when users refuse to hand over ID documents.
Social media posts describe "frozen funds, months of silence with no refund" naming FixedFloat specifically.
Exolix and StealthEX
Same story, different logos. Transactions accepted, shown as "processing" or "on hold," then support asks for KYC and source of funds documentation. Users report no prior warning that such checks could be triggered, despite the services marketing themselves as no KYC.
Across Reddit (r/CryptoCurrency, r/Bitcoin), Bitcointalk, and various review sites, the complaints about these services follow an eerily identical pattern. It's almost like they're all using the same compliance playbook. (Spoiler: they basically are.)
The Aggregate Picture
There's no central database tracking how much crypto has been frozen through shotgun KYC. Individual cases range from a few hundred dollars to hundreds of thousands. The $440,000 ChangeNOW case is the most dramatic, but forum evidence suggests the cumulative frozen volume across all these services is easily in the millions of dollars over the past several years.
And those are just the people who bothered to post about it. How many people lost $500 or $1,000 and just wrote it off rather than fighting it publicly? I'd guess the real number is several times larger than what we can see on forums.
Why Do Exchanges Do This?
Look, I want to be fair here. Not every exchange that does shotgun KYC is acting in bad faith. Some of them are genuinely caught between a rock and a hard place. But understanding why it happens doesn't make it less frustrating.
The Regulatory Squeeze
The Financial Action Task Force (FATF) has been pushing since 2019 for Virtual Asset Service Providers (that's the official term for crypto exchanges) to implement full KYC, ongoing transaction monitoring, and the Travel Rule (sharing sender and recipient info for transfers above certain thresholds).
In the US, that threshold is $3,000. In the EU under the latest regulations, it's effectively zero euros for transfers between obliged entities. Meaning every single transaction needs identity information attached.
The EU's MiCA regulation, combined with the broader AML/CFT package, is pushing full licensing and supervision of crypto services. Even crypto to crypto services that used to fly under the radar are now being pulled into the compliance net.
Blockchain Analytics
Companies like Chainalysis and Elliptic have built massive databases that map blockchain addresses to known entities. Mixers, darknet markets, sanctioned wallets, ransomware addresses, scam operations. Their tools assign risk scores to wallet addresses based on exposure to these categories.
When you send crypto to an exchange, these tools analyze not just your address but its entire transaction history. How many hops back they look varies, but some go several layers deep. If your coins touched a mixing service three transactions ago, that might still flag you.
The risk scoring model weighs factors like sanctions exposure, mixing history, darknet links, and stolen fund traces, then spits out a score. Exchanges set their own thresholds for what triggers a hold versus what passes through.
The Cheap Way Out
Here's where I get a bit cynical. Pre screening every deposit before accepting it costs more and requires more sophisticated infrastructure. It's easier (and cheaper) to accept everything, run the analytics on the backend, and only deal with the flagged transactions.
From a pure business perspective, most deposits are clean. Maybe 2 to 5% get flagged. So if you handle 95% of transactions instantly with no friction, and freeze the other 5% and make those people deal with compliance, you've built a service that looks great to most users while pushing all the pain onto a small minority.
The problem is that "small minority" includes people who did nothing wrong. Maybe their coins just had an unlucky transaction history.
Upstream Liquidity Providers
Here's something most people don't realize. Even if a swap service itself wants to be permissive, it often relies on upstream liquidity providers (bigger exchanges or OTC desks) to actually execute the other side of the swap. Those liquidity providers have their own AML requirements and can independently freeze funds and demand KYC.
So you might be subject to compliance requirements from a third party you never interacted with, never agreed to terms with, and didn't even know existed. KYCnot.me specifically warns about this.
Signs an Exchange Might Hit You With Shotgun KYC
After spending way too much time reading forum complaints and reviewing swap services, I've noticed some pretty reliable warning signs.
The Terms of Service Tell on Themselves
Almost every service that does shotgun KYC has language buried in their terms that says something like "we reserve the right to request identity verification at any time, at our sole discretion." That phrase ("sole discretion") is the giveaway. It means they can freeze your money whenever they feel like it and there's nothing contractually you can do about it.
Vague or Missing AML Policy
If a service doesn't clearly explain what happens when a transaction is flagged, that's a red flag. Specifically, look for whether they answer these questions:
- What triggers an AML hold?
- Is KYC required for refunds on flagged transactions?
- How long can they hold your funds?
- What happens if you refuse to provide documents?
If you can't find clear answers to those questions before you deposit, assume the worst.
"No KYC" Marketing With an Asterisk
If a service prominently advertises "no KYC" but then has fine print about "selective verification" or "risk based compliance," you're looking at a shotgun KYC service. ChangeNOW is a textbook example. Formerly strongly no KYC, it now applies what it calls "selective verification" where certain transactions trigger KYC requests after deposit.
Large Transaction Amounts
The bigger your swap, the more likely it gets flagged. Most services have internal thresholds (they won't tell you what they are) above which enhanced scrutiny kicks in automatically. If you're swapping more than a few thousand dollars worth, your odds of getting hit with retroactive KYC go up significantly.
Coins With History
If you're swapping coins that have passed through mixers, privacy protocols, gambling platforms, or any service that blockchain analytics companies consider "high risk," expect trouble. Even coins that are several transactions removed from these services can carry a tainted risk score.
Pre Screening vs Post Screening: Why It Matters
This is the part that really gets me. Because the technology to avoid shotgun KYC already exists. Exchanges just choose not to use it (or choose the cheaper alternative).
Post Screening (The Shotgun KYC Model)
Accept deposits first. Run AML checks after. If something flags, freeze the user's money and demand documents. This is how most instant swap services operate.
The user bears all the risk. Their money is already gone. They have no bargaining power. They can either comply with whatever the service asks or hope their coins get returned eventually (minus fees, in many cases).
Pre Screening (The Approach That Actually Makes Sense)
Screen the transaction before accepting the deposit. If the user's coins pass the AML check, proceed with the swap. If they don't, decline the transaction before the user sends anything. No funds frozen. No documents demanded. No hostage situation.
Blockchain analytics tools already support this. Wallet screening can assess the risk of an address "before (and sometimes after) a transaction takes place," returning a risk assessment in seconds. The technology is there. It's fast. It works.
So why don't most services use it?
Honestly? Because it's easier to just freeze the 5% and make them deal with it. Pre screening means you might turn away business. Post screening means you collect the deposit first and worry about compliance later. And once you have someone's money, you hold all the cards.
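The two orderings described in this section, as a small Python model. This is an added example, not code from any swap service or analytics vendor; the address labels, risk scores and the threshold of 50 are constructed for illustration.

```python
"""Added illustration: where the AML check sits relative to the deposit."""
from dataclasses import dataclass, field
from enum import Enum


class Custody(Enum):
    USER = "user wallet"
    SERVICE = "service-controlled address"


class Outcome(Enum):
    COMPLETED = "swap completed"
    DECLINED = "declined before deposit"
    FROZEN = "frozen pending KYC"


@dataclass(frozen=True)
class Swap:
    swap_id: str
    sender: str       # constructed label, not a real address
    amount_usd: int


@dataclass
class Result:
    outcome: Outcome
    custody: Custody  # who holds the user's value when the flow stops
    trace: list = field(default_factory=list)


# Constructed scores standing in for an analytics vendor's 0-100 answer.
RISK_SCORES = {"addr-clean-a": 4, "addr-clean-b": 18, "addr-mixer-3-hops": 71}
HOLD_THRESHOLD = 50   # hypothetical; each service sets its own threshold


def is_flagged(sender: str) -> bool:
    # Unknown addresses fail closed (treated as maximum risk).
    return RISK_SCORES.get(sender, 100) >= HOLD_THRESHOLD


def post_screening(swap: Swap) -> Result:
    """Accept the deposit first, screen afterwards."""
    trace = ["deposit address issued", "deposit confirmed"]
    if is_flagged(swap.sender):
        trace += ["AML check: flagged", "swap suspended, documents requested"]
        return Result(Outcome.FROZEN, Custody.SERVICE, trace)
    trace += ["AML check: passed", "output paid to destination"]
    return Result(Outcome.COMPLETED, Custody.USER, trace)


def pre_screening(swap: Swap) -> Result:
    """Screen the sending address first; issue a deposit address only on a pass."""
    if is_flagged(swap.sender):
        return Result(Outcome.DECLINED, Custody.USER,
                      ["AML check: flagged", "no deposit address issued"])
    trace = ["AML check: passed", "deposit address issued",
             "deposit confirmed", "output paid to destination"]
    return Result(Outcome.COMPLETED, Custody.USER, trace)


def frozen_usd(pipeline, swaps) -> int:
    """Total user value left in service custody awaiting documents."""
    return sum(s.amount_usd for s in swaps
               if pipeline(s).custody is Custody.SERVICE)


SWAPS = [Swap("s1", "addr-clean-a", 300),
         Swap("s2", "addr-mixer-3-hops", 2000),
         Swap("s3", "addr-clean-b", 750)]

if __name__ == "__main__":
    for name, pipeline in (("post", post_screening), ("pre", pre_screening)):
        for s in SWAPS:
            r = pipeline(s)
            print(f"{name:4} {s.swap_id} {r.outcome.value:24} held by {r.custody.value}")
        print(f"{name:4} frozen in service custody: ${frozen_usd(pipeline, SWAPS)}")
```

Both functions call the same check with the same threshold; the only difference is whether a deposit address exists before the check runs, and that alone decides who holds the flagged $2,000.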
The CoinVast Approach: Screen First, Not After
This is where I want to talk about what CoinVast does differently, because it directly addresses the shotgun KYC problem.
CoinVast runs AML compliance screening before the swap starts. Not after you deposit. Before. Here's what that actually looks like in practice.
When you initiate a swap on CoinVast, the system checks your sending address against AML risk databases before you send a single satoshi. The screening happens while you're still in control of your coins.
If you pass: The swap proceeds. And here's the critical part. Once you pass and send your coins, the swap is final. CoinVast doesn't come back later with an "actually, we need your passport." There's no retroactive KYC. No surprise holds. The deal is done.
If you don't pass: Your coins never leave your wallet. CoinVast doesn't accept the deposit. If for some reason coins were already sent, they auto return to your refund address. No documents demanded. No compliance questionnaire. No hostage negotiation. You just get your money back and move on.
This is what pre screening looks like when it's done right. The user never loses custody of their funds unless the swap is going to complete. There's no gray area where your money is sitting on someone else's address while they decide whether to give it back to you.
Compare that to the shotgun KYC model: you send your coins, hope for the best, and if the AML gods aren't smiling on you today, your money is frozen and you're stuck filling out forms for weeks.
I honestly don't understand why more services don't work this way. The technology exists. The screening tools are the same ones every other exchange uses. The only difference is when you run the check. Before the user sends money, or after you already have it.
One of those options respects the user. The other one doesn't.
How to Protect Yourself From Shotgun KYC
Whether you use CoinVast or not, here are some practical steps to reduce your risk of getting hit with retroactive KYC demands.
1. Check KYCnot.me Before Using Any Swap Service
This privacy directory rates services by KYC strictness and specifically flags "Shotgun KYC" levels. If a service has that label, you know what you're getting into. Or more accurately, what your coins might be getting stuck in.
2. Read the Terms of Service (Seriously)
I know nobody reads terms of service. But spend five minutes looking for the words "sole discretion," "reserve the right to request verification," and "funds may be held pending review." If you find those phrases, assume your deposit can be frozen at any time.
3. Test With Small Amounts First
Never send a large amount to a swap service you haven't used before. Send a small test transaction first. See how fast it processes. Check if there are any unusual delays. If a $50 test swap goes through in 10 minutes, that's a good sign (though not a guarantee for larger amounts).
4. Avoid Sending "Tainted" Coins to Centralized Services
If your coins have touched mixers, gambling sites, or any address that blockchain analytics companies flag as high risk, don't send them to a centralized swap service. Those coins will almost certainly trigger an AML alert. This applies even if the risky transaction was several hops back in the chain.
5. Don't Keep Funds on Exchanges
Use self custody wallets and only move funds to exchanges for the minimum time needed to complete a trade. The longer your money sits on someone else's platform, the more opportunities there are for compliance reviews to freeze it.
6. Prefer Services With Pre Screening
Look for services that explicitly offer AML screening before you deposit. Services that commit to "no KYC after AML check" for approved addresses are much safer than those that screen after the fact. CoinVast does this automatically, but there are a handful of other services exploring similar models.
7. Diversify Platform Risk
Don't put all your eggs in one basket. If you're using swap services, spread your activity across multiple platforms so a single compliance issue doesn't freeze everything you own.
What Happens If You Refuse to KYC After a Freeze?
This is the question everyone asks once they're already stuck. The honest answer isn't great.
Most exchanges' user agreements give them broad discretion to block access when AML/KYC obligations aren't met. In practice, if you refuse to complete KYC and the exchange has decided it's mandatory for your account, you might permanently lose practical access to those funds.
Some platforms eventually close the account and permit a one time withdrawal to a wallet, but this often requires at least minimal identification. In stricter regulatory environments, if funds are suspected to be connected to illicit activity (even if they're not), the exchange may be required to hold them indefinitely and potentially transfer them to law enforcement.
The ChangeNOW $440,000 case is a worst case example. Users who refuse to complete KYC simply don't get their money back. The service says it's complying with regulations. The users say the requirements are unreasonable. The money just sits there.
This is exactly why pre screening matters so much. Once your coins are frozen on someone else's platform, you have almost no bargaining power. The service controls the money, sets the rules, and decides the timeline. Your only real options are comply, hire a lawyer, or walk away from your funds.
None of those options are good.
The Regulatory Picture Is Only Getting Tighter
If you're hoping this problem goes away, I have bad news. The regulatory trend globally is toward more KYC, more screening, and lower thresholds for triggering compliance checks.
The EU's MiCA regulation is pushing full licensing of crypto services. The FATF Travel Rule is being implemented more broadly. US enforcement (FinCEN, OFAC) continues pressuring exchanges to block dealings with sanctioned entities and report suspicious activity. Even non US services often use US linked banks or infrastructure, which means they adopt US level AML controls whether they want to or not.
Blockchain analytics companies are getting more sophisticated. Their databases grow daily. Addresses that were "clean" a year ago might get retroactively flagged as new connections to illicit activity are discovered. Batch wallet screening (where services re check addresses periodically) means your account can be flagged weeks or months after you deposited.
The number of services that can genuinely operate with zero KYC is shrinking fast. And the services that market themselves as "no KYC" while quietly implementing shotgun KYC are growing. That gap between marketing and reality is where people lose money.
Why Pre Screening Is the Future (Whether Exchanges Like It or Not)
Here's my prediction, and I'll happily eat my words if I'm wrong: pre screening will become the industry standard within the next few years. Not because exchanges want to do it, but because regulators and users will force them to.
From a regulatory perspective, pre screening is actually better compliance. You're catching risky transactions before they enter your system, not after. That's cleaner for the exchange's books, cleaner for regulatory reporting, and eliminates the messy situation of holding frozen funds in compliance limbo for months.
From a user perspective, it's obviously better. You either pass and your swap completes, or you don't pass and you keep your coins. No gray area. No hostage situation. No three week email chain with a compliance department.
CoinVast built its entire model around this idea. Screen before, not after. And if someone doesn't pass screening, return their coins automatically to the refund address. No documents. No delays. Just your money back.
That seems like such an obvious approach that I'm genuinely puzzled why more services haven't adopted it. But then I remember the economics of it. Accepting deposits first and screening later means you collect more revenue from the 95% of clean transactions. Pre screening means you might lose some edge cases who would have been fine but got a borderline score.
But at what cost? Lost trust? Forum threads full of angry users? A reputation for freezing people's money? I think the math works out in favor of pre screening, and CoinVast is proving that with a model that actually works.
Frequently Asked Questions
Is shotgun KYC legal?
Unfortunately, yes. Most jurisdictions require exchanges to implement "risk based" KYC and AML controls, which gives them broad discretion to request identity verification at any point. The legality of the practice doesn't make it any less frustrating for users who were told no KYC was needed.
Can I get my coins back if I refuse KYC?
It depends on the service and the jurisdiction. Some will return your coins to the sending address after a lengthy review process. Others will hold them indefinitely. In the worst cases, funds are effectively confiscated. Always check the service's refund policy (if they have one) before depositing.
Why do "no KYC" services still freeze funds?
Because "no KYC" usually means "no KYC unless our AML screening flags your transaction." These services use blockchain analytics tools that run after your deposit arrives. If your coins have any connection to addresses flagged as high risk, the service triggers a compliance review and demands verification.
How does CoinVast avoid shotgun KYC?
CoinVast screens deposits before the swap begins, not after. If your sending address passes AML checks, the swap proceeds and is final. If it doesn't pass, your coins are returned to your refund address automatically. No identity documents are ever requested.
What triggers AML flags on swap services?
Common triggers include large transaction amounts, coins that have passed through mixing services, connections to sanctioned addresses, darknet market history, stolen fund traces, and unusual transaction patterns. Each service sets its own thresholds and risk tolerance.
How much crypto has been frozen through shotgun KYC?
There's no official number, but documented cases range from a few hundred dollars to $440,000 (the ChangeNOW case). Forum evidence suggests cumulative frozen volume across all swap services is in the millions of dollars. The real number is likely higher since many people don't report publicly.
The Bottom Line
Shotgun KYC is one of those problems that exists because it's profitable for the exchanges that do it. They get to market "no KYC" to attract privacy conscious users, then demand full verification once they have your money. It's a bait and switch, and the only people paying the price are the users.
The technology to fix this exists right now. Pre deposit AML screening. Check the coins before accepting them. Return them if they don't pass. Don't hold people's money hostage.
CoinVast does this. Maybe more services will follow eventually. But until then, be careful where you send your crypto. Read the fine print. Test with small amounts. And if something feels off about a service's compliance promises, trust your gut and keep your coins in your own wallet.
Your crypto, your keys, your choice. Don't let a swap service turn that into their crypto, their rules, your problem.