How Poland Became a Haven for Crypto Crime
A Legal Analysis of Poland’s Presidential Decision and the Real Threats to Financial Security
I. Rhetoric Versus Reality
The President of the Republic of Poland announced his decision to veto the Crypto-Assets Market Act. Rafał Leśkiewicz, the Presidential Press Secretary, conveyed the rationale in the following terms:
“Today, the President of the Republic of Poland has decided to veto the Crypto-Assets Market Act. President Karol Nawrocki exercises the constitutional prerogative of veto only when legislation threatens the freedoms of Poles, their property, and the stability of the state. This law creates precisely such dangers. Why? Because it allows the government to shut down cryptocurrency company websites with a single click. The domain-blocking provisions lack transparency and invite abuse. When the government shuts down a site, people lose access to their digital assets. This cannot be allowed. Most European Union member states employ a simple warning list that protects consumers without blocking entire platforms.”
He continued: “The second problem is the sheer scope of this regulation, and consequently the opacity of its adopted solutions. While the Czech Republic, Slovakia, and Hungary implemented provisions spanning a few or a dozen pages, the Polish law exceeds one hundred. Over-regulation is a direct path to pushing companies abroad—to the Czech Republic, Lithuania, or Malta—rather than creating conditions for them to earn money and pay taxes in Poland. The third issue is the level of supervisory fees. They have been set at a threshold that will prevent small firms and startups from developing, while favoring foreign corporations and banks. This inverts the logic—it kills a competitive market and poses a serious threat to innovation.”
The rhetoric possesses undeniable persuasive force. Defending citizens’ freedom and property is a message that resonates regardless of political affiliation. One would be hard-pressed to find a more compelling narrative than that of a government threatening fundamental individual rights. The problem, however, is that in practice the president is defending the freedom of fraudsters to conduct operations that systematically destroy the assets of the very citizens he claims to protect—while undermining the stability of the financial system his veto was ostensibly meant to safeguard.
After nearly two decades of practice in international financial law and cryptocurrency market regulation, having observed this industry’s evolution from its quasi-anarchist origins to its current phase of mass commercialization, I rarely encounter a political decision so fundamentally divorced from market reality. This is not a matter of differing views on regulatory details—such differences are natural and healthy in a democratic legislative process, and I myself have publicly criticized the same provisions the President cites in announcing his veto. This is about a chasm between declared objectives and actual consequences so glaring that it demands detailed explanation.
II. The Real Threat: Poland’s VASP Registry as a Tool for Legitimizing Crime
The presidential argument entirely ignores the cardinal problem the law was designed to solve. Poland’s registry of entities providing services in virtual currencies—known as VASP, for Virtual Asset Service Provider—has become, in effect, an instrument for conferring an appearance of legitimacy upon criminal organizations operating on a global scale, organizations that exploit cryptocurrencies such as Bitcoin and Tether, smart contracts, and flash loans to launder money on an industrial level.
To understand the scale of the problem, we must first understand how low the barriers to entry into Poland’s VASP registry actually were. Under procedures in effect since 2021, an entrepreneur seeking registration needed to satisfy only a handful of basic requirements: register a business in Poland, submit an electronic application along with a declaration of meeting the legal conditions, and pay a stamp duty of 616 złoty—roughly one hundred fifty dollars.
That was all. One hundred fifty dollars and an electronic form. There was no minimum capital requirement. No mandatory professional liability insurance. No requirement for physical infrastructure in Poland. No detailed verification of funding sources. No examination of the actual nature of the business being conducted. It was enough to rent a virtual office—a correspondence address serviced by a company providing such services for a few dozen złoty per month—and one could commence operations “in Poland” while physically located in Cambodia, the Seychelles, or anywhere else on earth.
The “no criminal record” requirement sounded impressive, but in practice it rested entirely on the applicant’s own declaration. The registry authority—the Tax Administration Chamber in Katowice—had no obligation to verify these declarations. Criminal records were not checked. The identities of beneficial owners were not verified beyond their entries in the beneficial ownership registry, which were themselves merely declaratory. The entire system rested on a clause: “I am aware of criminal liability for submitting a false declaration”—which, for international criminal organizations, presented no obstacle whatsoever.
The “knowledge and experience” requirement was similarly constructed. The law considered this condition satisfied if the applicant had completed a course covering legal or practical issues related to virtual currency activities, or had performed activities related to such business for at least one year. But no supporting documents needed to be attached to the application—a declaration sufficed. The registry authority verified neither the quality of courses nor actual experience.
Registry entry occurred automatically within fourteen days of submitting a formally correct application. There was no verification procedure. No due diligence review. No possibility of refusing entry due to doubts about the nature of the business or the applicant’s intentions. If the form was filled out correctly, the fee paid, and the declaration attached, entry had to follow.
The result was predictable. Poland’s VASP registry became an oasis for various experts in gray- and black-market operations. A criminal organization could obtain a Polish registration within days, then deploy it as a tool for building trust with potential victims worldwide. “We are registered in Poland, a European Union member state. We are subject to European regulations. You can trust us.” And in reality, behind this Polish legitimacy lurked a money-laundering operation on a scale of billions of dollars.
III. The Case of Huione Group: When a Polish “License” Serves to Launder Billions
The case of Huione Group—a Cambodian financial conglomerate sanctioned by the U.S. Treasury Department in October 2025—illustrates this mechanism so dramatically that, were it not documented by an organ of the United States government, it might be dismissed as literary fiction.
Huione Group is a network of entities registered across various jurisdictions, offering comprehensive services for criminals. From the Haowang Guarantee online marketplace—where one could purchase equipment for conducting fraud, including devices for detaining victims such as electronic shackles, stun guns, and tear gas—to the money-laundering services of Huione Pay PLC, which accepted both traditional currencies and cryptocurrencies. The company even created its own stablecoin, USDH, marketed as “impossible to freeze” and “unrestricted by traditional regulatory agencies”—in other words, designed specifically to prevent law enforcement from recovering stolen funds.
According to FinCEN’s detailed analysis in its sanctions document, Huione Group received at least $37.6 million in cryptocurrency stolen by hackers working for North Korea, including funds from thefts committed by the Lazarus Group—a unit sanctioned by OFAC and linked to the Reconnaissance General Bureau, the regime’s primary foreign intelligence organization in Pyongyang. These funds, according to intelligence assessments, were used to finance the nuclear weapons and ballistic missile program.
Additionally, Huione Group laundered at least $36 million derived directly from so-called “pig butchering” scams and approximately $300 million from various forms of cybercrime. In total, between August 2021 and January 2025, Huione Group processed at least $4 billion in illicit funds. Chainalysis estimated that Haowang Guarantee processed at least $49 billion in cryptocurrency transactions since 2021.
And now the crucial point that the President apparently does not understand—or does not wish to understand:
Huione Crypto, the Huione Group component responsible for cryptocurrency exchange services, was registered in Poland as an entity providing services in the field of virtual currencies.
According to U.S. federal authorities:
“Huione Crypto is registered in Poland under the name Huione Crypto Spółka Z Ograniczoną Odpowiedzialnością and is also registered as a Money Services Business (MSB) with FinCEN. However, despite its registration in Poland and the United States, FinCEN assesses that Huione Crypto actually operates in and from Cambodia, and FinCEN has found no evidence consistent with activity in the United States. FinCEN assesses that the ‘Group’ referenced in Huione Crypto’s previously used Standard Terms and Conditions, which does not appear on its new website, refers to Huione Group, and that Huione Crypto’s CVC services share infrastructure with Huione Pay PLC and Haowang Guarantee, and collectively comprise a single organization.“
Let us read that sentence again. The largest illegal cryptocurrency operator in history, which processed billions of dollars derived from thefts on behalf of North Korea, “pig butchering” scams, and other forms of cybercrime, possessed a Polish VASP “license”—or more precisely, a registry entry that could be marketed as “regulated activity in Poland.” Forced labor camps in Southeast Asia, where thousands of human trafficking victims were held and compelled to conduct fraud, operated under Polish regulatory legitimacy.
For one hundred fifty dollars in stamp duty.
This is not a case of a single company that slipped through Polish procedures by exploiting some legal loophole. This is a systematic problem with the Polish supervisory system, which was unable—because it lacked the tools—to distinguish honest entities from international criminal organizations. Poland’s VASP registry became an instrument for conferring an appearance of legality upon criminal operations on a global scale. And the president, with his veto, proposes maintaining precisely this system.
IV. The Scale of Fraud: An Economics of Tragedy
Before proceeding to a detailed analysis of the presidential arguments, it is necessary to understand the economic scale of the problem that Poland’s law was meant to address. According to FBI data contained in the 2024 Internet Crime Report, losses suffered by American citizens from cryptocurrency-related investment fraud amounted to over $9.27 billion in that single year. The Federal Trade Commission estimates that in 2024 alone, more than $1.42 billion was lost by American consumers in various forms of fraud where cryptocurrency served as the payment method.
Chainalysis estimated that in 2024, the value received by identified illicit cryptocurrency addresses amounted to at least $40.9 billion. This is a lower-bound estimate, as the methodology identifies only those addresses already classified as illicit. Thefts from cryptocurrency exchanges in 2024 totaled $2.2 billion. Ransomware payments reached $813 million. Cryptocurrency flows linked to international sanctions amounted to $15.8 billion—thirty-nine percent of all illicit transactions.
These figures are not statistical abstractions. Behind every billion dollars are thousands of specific people who lost their life savings in ways often so psychologically sophisticated that they strain belief. Among them are Poles—precise figures are unavailable, but proportional to population, losses may reach billions of złoty annually. These are the life savings of tens of thousands of Polish families, vanishing into the pockets of international fraudsters.
I have written extensively about the history of these scams in previous articles:
- The Butcher’s Ledger. Inside the industrial machinery of pig butchering romance fraud – where lives were stolen, billions were made, and nothing was left to chance
- When the State Calls for Your Money: Anatomy of the Perfect Fraud
- The Sheep and the Shepherds: Inside BitClub’s $722 Million Mining Mirage
- CoinPlex and the Psychology of Click-Button Scams
V. What the Law Was Actually Meant to Fix
The Crypto-Assets Market Act that President Nawrocki vetoed aimed at a fundamental reconstruction of the Polish supervisory system. This was not “over-regulation” or “stifling innovation,” as the President suggests. It was an attempt to create a system that actually verifies entities before allowing them to accept billions of złoty from Polish clients.
The key changes specifically targeted the gaps that enabled Huione Group and similar entities to use Poland’s registry as a tool for legitimizing crime. The law introduced genuine capital requirements—entities would be obligated to maintain capital proportional to the scale of their operations, effectively excluding front operations run by entities without real resources. It introduced mandatory professional liability insurance to protect clients in case of platform problems. It required the employment of qualified compliance personnel with documented experience in anti-money laundering.
But above all—and this is crucial—the law created mechanisms for genuine verification and ongoing supervision. The Polish Financial Supervision Authority, known as KNF, would receive powers to conduct regular inspections, verify procedures, and test systems. Entities would have regular reporting obligations that would enable identification of irregularities before they escalated into mass-scale fraud. This represents a fundamental difference from the current system, where registration occurs automatically upon form submission and supervision is essentially nonexistent.
Since December 30, 2024, the Director of the Tax Administration Chamber in Katowice has not been accepting new applications for entry into the VASP registry. This decision results from the direct application of the MiCA Regulation (Markets in Crypto-Assets Regulation) and the Transfer of Funds Regulation. In a communication from late December 2024, the registry authority unambiguously stated that there is no legal basis for registering new entities, as higher EU standards have applied directly since that date. However, entities that obtained registry entry before December 30, 2024, may continue operations under the previous rules, though only during the transitional period.
Article 143(2) of the MiCA Regulation provides for an eighteen-month transitional period, enabling entities providing crypto-asset services (formerly VASPs) to continue operations under previous rules until July 1, 2026, or until obtaining CASP (Crypto-Asset Service Provider) authorization or receiving a refusal—whichever comes first.
VI. The First Argument: The Domain-Blocking Mechanism
The President claims that the provisions enable “shutting down websites with a single click.” This fundamentally misrepresents the nature of the regulation. The domain-blocking mechanism was detailed in Articles 66–76 of the law and encompasses a verification system divided into two fundamentally different tracks.
The first, automatic, applies exclusively to entities conducting operations without the required authorization—which is a criminal offense punishable by up to five years’ imprisonment—after KNF files a criminal complaint and publishes information about that complaint on a dedicated KNF webpage. This is not “one click” but rather a consequence of proceedings in which KNF must have justified grounds for suspecting commission of a crime. The domain enters the blocked-sites registry automatically, but only after this formal process.
The second track, discretionary, requires KNF to demonstrate proportionality of action and the absence of other effective measures. This applies to situations where a domain is being used to conduct operations violating MiCA Regulation provisions in ways other than operating without authorization—for example, improper storage of client funds, lack of appropriate technical safeguards, or misleading clients about the nature of services offered. In such cases, KNF must demonstrate that blocking is necessary to prevent risk of serious harm and that no other effective measures exist to halt the violation. An entity affected by such blocking has the right to file an objection within two months, and KNF has fourteen days to consider it and issue a decision either maintaining the domain name in the registry or removing it.
Are these mechanisms perfect? No, and I myself have written about their flawed construction. I have pointed to problems with procedural guarantees, the possibility of erroneous blocks, and the lack of compensation mechanisms for entities wrongly blocked. This is legitimate criticism requiring refinement of the mechanism—but not its complete abandonment.
Moreover, the argument about “losing access to funds” is intellectually dishonest in the context of what actually occurs. The blocking applies to illegally operating platforms—those that by definition should not be holding Polish clients’ funds, since they operate without required safeguards, insurance, and capital. Huione Group had access to its clients’ funds. FTX had access to its clients’ funds. Celsius Network had access to its clients’ funds. And all these clients lost their money not because some regulator blocked access to a website, but because these platforms operated without appropriate supervision and used client funds for their own purposes—or simply stole them.
The real threat to Poles’ access to their funds does not come from KNF blocking illegal platforms. It comes from those platforms themselves—from Huione Group, from platforms like OneCoin or BitConnect that were classic financial pyramids, from hundreds of smaller fraudsters exploiting the lack of effective supervision.
VII. The Second Argument: “Over-Regulation” and Comparisons to Other Countries
The President claims that while the Czech Republic, Slovakia, and Hungary implemented provisions spanning a few or a dozen pages, Poland’s law exceeds one hundred, which allegedly demonstrates “over-regulation” leading to “pushing companies abroad.” This comparison is so misleading that it strains belief in its good faith.
The MiCA Regulation is a directly applicable act throughout the European Union. It comprises 149 articles plus annexes and spans over 150 pages. Member states need only designate the competent supervisory authority, introduce sanctions for violations, and adapt national provisions to the new regime. Differences in the length of implementing laws stem from three main factors.
First, the degree of domestic regulation before MiCA. Poland had an extensive VASP system introduced in 2021 that required complete reconstruction and adaptation to MiCA requirements. Countries that did not regulate this market at all before MiCA could settle for minimal implementation because they had no existing structures to modify.
Second, the scope of amendments to other laws. The Polish law amends many other legal acts—from the financial market supervision act, through the code of criminal procedure, to tax laws. This is not “over-regulation”; it is a consequence of the fact that introducing a new category of financial institution requires changes in dozens of related provisions.
Third, the level of detail in criminal and administrative sanctions. Polish legislative tradition requires detailed specification of penalties, while some countries use more general formulas referencing penal codes. This is a difference in legislative style, not “over-regulation.”
The claim that “a shorter law equals a better law” is a legal absurdity worthy of a first-year student. The quality of regulation is not measured by page count but by precision, coherence, and effectiveness in achieving intended objectives. The current Polish VASP system spans a few pages of procedures and has led to a situation where the largest money-laundering operation in history obtained Polish legitimacy for one hundred fifty dollars. If this is the ideal of “simple regulation” that the president defends, the consequences are obvious.
VIII. The Third Argument: High Supervisory Fees
The President claims that supervisory fees “will prevent small firms and startups from developing, while favoring foreign corporations and banks.” This argument ignores a fundamental fact that any lawyer with experience in financial law should understand: small firms and startups should not be conducting depository activities involving crypto-assets worth hundreds of millions of złoty if they lack the capital to cover potential client losses.
The history of the cryptocurrency industry is a chronicle of spectacular failures caused by lack of capital and supervision. Celsius Network promised clients 19.45 percent annual interest—any experienced financier knows that such returns can only be promised by a Ponzi scheme or an entity taking extreme risk. The result? In June 2022, Celsius froze withdrawals for 1.7 million users; a month later, it declared bankruptcy with a $1.2 billion hole. CEO Alex Mashinsky was arrested; prosecutors are seeking twenty years’ imprisonment.
FTX, the third-largest cryptocurrency exchange in the world, valued at $32 billion as recently as early 2022, collapsed literally within a week after revelations that Sam Bankman-Fried had systematically used $8.9 billion in client funds for private purposes and risky investments. The sentence: twenty-five years in prison.
Terra/Luna—$45 billion in market capitalization evaporated in a matter of days when it emerged that the “algorithmic stablecoin” UST was mathematically impossible to maintain, and the Anchor Protocol offering 19.45 percent annual interest was a classic Ponzi scheme.
Each of these cases began as an “innovative startup” led by “visionaries” who claimed that regulations “stifle innovation” and that traditional capital requirements were “relics of the past.” Each ended in ruin for thousands of people who lost their life savings. Thousands of people whose “freedom” the president purportedly defends by allowing them to deposit money in platforms that lacked the capital to secure it.
Supervisory fees are not a tax on innovation. They are the price of conducting business that involves holding other people’s money. If an entity lacks the means to pay for supervision, it also lacks the means to responsibly conduct such activity. This is precisely the difference between innovation and gambling with other people’s money.
Moreover, the argument about “favoring foreign corporations” is particularly ironic in the context of what is actually happening. Currently, it is precisely foreign criminal organizations—like Huione Group—that exploit Poland’s lax supervision to obtain legitimacy. Honest Polish entrepreneurs who wish to conduct business in compliance with the law bear reputational costs arising from the fact that Poland’s registry is perceived internationally as a “license shop” for dubious entities.
IX. Consequences of the Veto: Three Scenarios
The president’s veto is not a gesture defending freedom. It is a decision to maintain a status quo that enables the largest criminal operations in history to operate with Polish legitimacy. The consequences will be felt in three dimensions.
First, the continued functioning of Poland’s VASP registry in its current, flawed form means further legitimization of entities that may be fronts for international crime. Every day of delay means more fraud victims, more millions of złoty lost by Polish citizens, more funds laundered by platforms operating under Polish “licenses.” For honest entities that prepared for the new requirements and invested in compliance systems, capital, and insurance, this means prolonged uncertainty and unfair competition from entities that skipped those investments.
Second, Poland’s international reputation in the context of financial supervision will continue to deteriorate. The veto comes at a moment when FinCEN has issued sanctions against Huione Group—an organization that operated as a Polish VASP—when FATF is conducting an evaluation of Poland’s anti-money laundering system, and when the European Union is monitoring MiCA implementation in all member states. Poland, as one of the last countries to adopt implementing provisions, is now additionally delaying this process, signaling to the international community that its priority is not protecting the financial system but protecting the “freedom” of entities to operate without effective supervision.
Third, the veto creates an inability to plan business activities for the crypto industry in Poland. The President fears that regulation will “push companies to the Czech Republic, Lithuania, or Malta.” In reality, his veto may produce precisely this effect—but in the most harmful form. The MiCA Regulation applies in all member states. Companies may, however, choose where to obtain authorization. If Poland lacks clear, efficiently functioning licensing procedures, honest entrepreneurs will choose other jurisdictions—not because Polish regulations will be too rigorous, but because Poland will have no new regulations conforming to the MiCA standard at all.
Meanwhile, dishonest players will remain in Poland’s VASP registry, exploiting the lack of effective supervision and continuing to compromise the Polish jurisdiction.
X. The Real Threat to “Polish Freedom”
President Karol Nawrocki claims he “will defend the economic security of Poles.” Meanwhile, his veto achieves precisely the opposite effect—it leaves Poles defenseless against threats that are not theoretical but real, documented, and operating at this very moment.
The real threat to “Polish freedom” does not come from KNF possessing powers to block illegal platforms. It comes from international criminal groups like Huione Group, which for years exploited a gap in Poland’s supervisory system to launder billions of dollars, finance North Korea’s nuclear program, and operate forced labor camps. It comes from platforms like Celsius, FTX, and Terra/Luna, which accepted billions of dollars from clients without adequate capital and supervision, then stole or lost those funds through irresponsible management. It comes from hundreds of fraudsters running “pig butchering” schemes who, in 2024 alone, defrauded Americans of more than $9 billion.
This is not a defense of freedom. This is reckless populism that may cost Polish citizens billions more złoty lost in fraud, while the international legal and financial community watches in disbelief as Poland—a country aspiring to regional leadership—voluntarily remains a paradise for financial crime.
Let us not wait until another Polish VASP “license” appears in a FinCEN report as a tool exploited by international criminals. Let us not wait until thousands more Poles lose their life savings on platforms that were able to operate without supervision thanks to the president’s veto. Regulation of the crypto-assets market is necessary. But it must be legislation that actually protects citizens—not rhetoric about freedom that serves to protect fraudsters.
Founder and Managing Partner of Skarbiec Law Firm, recognized by Dziennik Gazeta Prawna as one of the best tax advisory firms in Poland (2023, 2024). Legal advisor with 19 years of experience, serving Forbes-listed entrepreneurs and innovative start-ups. One of the most frequently quoted experts on commercial and tax law in the Polish media, regularly publishing in Rzeczpospolita, Gazeta Wyborcza, and Dziennik Gazeta Prawna. Author of the publication “AI Decoding Satoshi Nakamoto. Artificial Intelligence on the Trail of Bitcoin’s Creator” and co-author of the award-winning book “Bezpieczeństwo współczesnej firmy” (Security of a Modern Company). LinkedIn profile: 18 500 followers, 4 million views per year. Awards: 4-time winner of the European Medal, Golden Statuette of the Polish Business Leader, title of “International Tax Planning Law Firm of the Year in Poland.” He specializes in strategic legal consulting, tax planning, and crisis management for business.
