MEXC’s Quiet Betrayal, and the Hostage Form That Makes It Worse

via Cryptocurrency News & Discussion https://www.reddit.com/r/CryptoCurrency/comments/1syhomn/mexcs_quiet_betrayal_and_the_hostage_form_that/

For years, MEXC was the back door of crypto. If you couldn't KYC, because you were in the US, the UK, mainland China, Singapore, Canada, or other restricted jurisdictions, MEXC let you in anyway. A VPN, an email, and you were trading. 10 BTC a day in withdrawals, no questions asked. By some industry estimates, unverified users were a substantial share of MEXC's book. The exchange built its business on that liquidity, under a tacit "don't ask, don't tell" arrangement that worked beautifully for everyone as long as the music kept playing.

Then MEXC stopped the music. Deposits and withdrawals are now gated by KYC. The 10 BTC unverified limit is gone. For users who can't or won't verify, the very population MEXC quietly courted for years, the only escape is a "Withdrawal Appeal Form" more invasive than the KYC it replaces. A classic bait-and-switch.

This is a betrayal. And the form is a privacy disaster waiting to happen.

The Implicit Deal They Just Broke

Exchanges have the right to change policies. There's a right way to off-ramp users who can't or don't want to KYC, and there's MEXC's way.

The right way is what Binance did in 2021: public announcement, phased multi-week window, non-KYC accounts switched to withdraw-only mode. No appeal form, no facial video, no hostage situation. Bitget did the same thing later. This is the standard playbook.

MEXC tore it up. No public timeline, no grandfathered withdraw-only window, no clean exit. Funds deposited under the old rules are now gated behind the new rules, and the only "remediation" is a process designed to make you surrender more personal data than full KYC would have demanded.

The cruelest part is what this does to the users MEXC most aggressively cultivated. A US, UK, Chinese, or Singaporean resident who deposited via VPN now faces two options: walk away, or file the appeal.

What the Form Actually Costs You

Here's what the appeal collects: a government ID, front and back. A live video of the user holding the ID alongside a piece of paper with their full name, ID number, MEXC account UID, and submission date. The face must be visible and unobstructed.

This is more revealing than ordinary KYC because of who fills it out. Ordinary KYC catches everyone: the $50 user, the $500,000 user, all in one bucket. The appeal is self-selecting: only users with enough money to bother filming themselves go through it. If the data leaks, it's a curated list of MEXC users with non-trivial balances, faces and IDs bundled together.

If you think this is paranoia, look at the recent record. The 2020 Ledger leak, names and addresses of 270,000 hardware wallet customers, is still being weaponized in 2026, having seeded six years of phishing campaigns and physical attacks. In May 2025, Coinbase disclosed that bribed contractors leaked KYC data on tens of thousands of users; the resulting social engineering wave cost users tens of millions directly and contributed to the year's spike in physical "wrench attacks." Jameson Lopp's database documented roughly 70 such attacks in 2025, nearly double 2024's count. A US home-invasion ring led by Gilbert St. Felix used leaked exchange KYC data to identify victims before resorting to torture and finger amputation to extract seed phrases.

A MEXC appeal-form leak would be qualitatively worse. Ledger's leak gave attackers names and addresses. Coinbase's gave them KYC details. The MEXC appeal form, leaked, would give all of that plus a clear video of the victim's face and, by implication of having submitted the appeal, confirmation that the victim has a balance worth filing for. Face for recognition or deepfake/ID theft. Home address from the ID. That's a doxx kit specifically curated to identify wealthy crypto holders, exactly the population physical attackers are now actively hunting.

For users in restricted jurisdictions, there's a second layer. The form is its own paper trail to the IRS, FinCEN, HMRC, or whichever local authority. If MEXC ever settles with a regulator the way Binance did with the DOJ, that data goes with the settlement. Users who filed the appeal trying to get out of MEXC will have given MEXC the documentation to hand them to their home government on the way out the door.

What has MEXC said about how this data is stored, encrypted, retained, or destroyed? Nothing of substance. No published audit of the appeal flow, no retention schedule, no breach-notification commitment. MEXC's $100M Guardian Fund covers trading-asset losses, not PII breaches. The Seychelles registration with operations in Dubai puts legal recourse for any future leak somewhere between "limited" and "none." If this data leaks, the affected users are screwed.

What Should Happen and What You Should Do Now

The fix isn't complicated. MEXC should immediately offer a grandfathered withdraw-only window for any account that existed before the policy change. That's the playbook every other major exchange has used in similar transitions. It satisfies any compliance regime the appeal form would. It protects users from leak risk. It generates orders of magnitude less PR damage. There is no defensible reason it isn't already in place.

MEXC built itself on the trust of users who specifically wanted to avoid centralized data hoards. It's now demanding deeper data submission from those exact users drawn to its honeypot and offering nothing in the way of security commitments in return. That isn't compliance. That's predation in a compliance costume.

If you're affected, be loud. Their calculation depends on you swallowing the loss quietly or filling out the form quietly. Don't.

submitted by /u/One-Assist4100
MEXC's Quiet Betrayal: How Much Risk Does the "Hostage Form" Create for the Users Who Trusted It?

In the echoes of crypto's earlier days, MEXC was regarded by many as a "back-door entrance": if you could not complete KYC, or were located in a restricted jurisdiction such as the US, the UK, mainland China, Singapore or Canada, you could still get onto the platform and trade with a VPN and an email address, and the daily withdrawal limit was tacitly tolerated or relaxed. Industry estimates suggest that unverified users once made up a significant part of MEXC's asset pool. The model rested on an unwritten "don't ask, don't tell" rule, and as the market heated up, liquidity became their common language.

But the music always stops. MEXC now enforces mandatory KYC for deposits and withdrawals, and the formerly lenient 10 BTC unverified withdrawal limit has disappeared along with it. For users who cannot or will not complete KYC, the very group MEXC absorbed for so long, the only "escape" turns out to be a "Withdrawal Appeal Form" more invasive than KYC itself. A classic bait-and-switch.

This is a betrayal of users, and the eve of a privacy disaster.

The Moment the Implicit Agreement Was Broken

Exchanges are allowed to change policy, but is there a "right way to exit"? Of course there is, and mainstream industry practice has already established it. Since 2021, Binance, under regulatory pressure in various markets, has used a publicly announced, phased multi-week transition: accounts unwilling to do KYC were gradually switched to withdraw-only mode, without introducing extra facial recognition or a negotiation-style "hostage" process. Bitget later did the same. That is the industry's standard operating procedure.

MEXC chose to tear that line up. No public timeline, no withdrawal window preserved for non-KYC accounts, no clean exit mechanism. The switch from old rules to new became a process in which "old funds are re-restricted under new rules", and the so-called "remedy" is merely a procedure requiring users to submit more detailed personal information than full KYC.

The cruelest part is that it hits the users MEXC long "embraced": residents of the US, the UK, mainland China or Singapore who deposited or traded via VPN. They now face two options: give up, or file the appeal.

What Does the Appeal Form Actually Cost Users?

According to public information, the appeal form collects the following: the front and back of a government-issued ID, a live video of the user holding the ID, and a sheet of paper showing the full name, ID number, MEXC account UID and submission date. The face in the video must be clear and unobstructed.

This goes far beyond the exposure of ordinary KYC. Ordinary KYC covers everyone: the ordinary user, the $50 account, and the high-net-worth account earning hundreds of thousands of dollars a year. The appeal form, by contrast, forms a self-selected data set: only users willing to spend time, money and privacy on an "appeal" take part. If that data ever leaks, it becomes a "list of high-net-worth users complete with faces and ID documents".

If you think this is a conspiracy theory, look at the recent record to understand how the risk multiplies. In the 2020 Ledger leak, the names and addresses of about 270,000 hardware wallet users have been abused for years to drive phishing and physical attacks; in May 2025, Coinbase disclosed that bribed contractors had leaked a large volume of KYC data, directly causing tens of millions of dollars in losses and fueling that year's rise in real-world "wrench attacks". Jameson Lopp's database records roughly 70 such attacks in 2025, almost double the 2024 count. A US home-invasion ring led by Gilbert St. Felix used leaked KYC data to locate victims and then tortured them to extract seed phrases, an extreme example of how vicious such cases become.

If MEXC's appeal form were to leak, the consequences would be even worse. Ledger's leak contained only names and addresses, and Coinbase's extended to KYC details; a leak of MEXC's appeal form would add, on top of those, direct exposure of the subject's face on video, plus the implied proof of a balance that the act of "filing an appeal" carries. Attackers would gain an identified "high-net-worth" list pairing identity with account balance, ready-made material for facial recognition, deepfakes or identity theft.

Users in restricted jurisdictions bear a further layer of risk: the appeal form itself becomes an independent data trail for the IRS, FinCEN, HMRC or local regulators. Should a regulator demand disclosure in future, that information could be handed over with it; in trying to exit, users will already have placed their personal data at the platform's disposal, to end up in regulators' records.

MEXC's public disclosures about data storage, encryption, retention or destruction contain almost nothing of substance. The so-called Guardian Fund mainly covers trading-asset losses and has nothing to do with leaks of personally identifiable information (PII). Under its legal framework, registered in the Seychelles and operating from Dubai, the remedies available to users are very limited; if a leak occurs, affected users will be in an extremely weak position.

What Should Happen, and What You Should Do Now

The solution is not complicated. MEXC should immediately offer a "grandfathered withdraw-only" window to every account that existed before the policy change. That matches what other major exchanges have done in similar transitions. It satisfies compliance requirements, reduces the risk of a data leak and limits PR damage, and there is no legitimate reason to refuse to implement it.

MEXC once attracted a cohort of users on a reputation for "rejecting data centralization"; they chose to stay away from centralized data hoards. Now it is demanding deeper data submission from those same users, with no corresponding guarantee in terms of security commitments. That is not compliance; it is predatory behavior in a compliance costume.

If you are affected, keep making noise. The exchange's calculation rests on you choosing silence or quietly filing the appeal. Don't stay silent.

Closing Remarks

Trust in this industry is built on transparent, verifiable compliance paths. MEXC's new mechanism looks convenient in the short term, but it buys a fleeting "appearance of compliance" at the price of high-risk privacy exposure. Real compliance should include a clear timeline, protection for legacy accounts, and strong, publicly audited commitments to data security. The current approach not only damages user trust, but also pushes the users who were the original "no-KYC selling point" deeper into a net of risk.

If you would like to share your experience or views, leave your voice in the comments below. Let us push the industry together toward healthier, more transparent exit mechanisms and tighter protection of personal data.