How Poland Became a Haven for Crypto Crime
A Legal Analysis of Presidential Rhetoric Versus Market Reality
I. Introduction: The Rhetoric of Freedom
When President Karol Nawrocki of Poland announced his veto of the country’s cryptocurrency market regulation bill, he deployed the language of liberty with practiced ease. “The President of the Republic of Poland uses the constitutional prerogative of veto only when legislation threatens the freedoms of Poles, their property, and the stability of the state,” his press secretary, Rafał Leśkiewicz, declared on social media. “And this law creates such real threats.”
The threats, according to the President, were threefold: first, the bill would allow the government to shut down cryptocurrency firms’ websites “with one click”; second, while the Czech Republic, Slovakia, and Hungary had implemented their crypto regulations in a few dozen pages, Poland’s version ran to more than a hundred, representing “over-regulation” that would drive businesses abroad; and third, the supervisory fees were set at levels that would “make it impossible for small firms and startups to develop” while favoring “foreign corporations and banks.”
It’s a compelling narrative. The defense of individual liberty and property rights resonates across political divides—few rhetorical stances are more persuasive than positioning oneself as the last bulwark against government overreach. The problem is that, in practice, the President is defending the freedom of fraudsters to operate, systematically destroying the wealth of the very citizens he claims to protect, while undermining the financial system stability his veto was meant to secure.
After nearly twenty years of practice in international financial law and cryptocurrency regulation, watching this industry evolve from its quasi-anarchist origins to its current phase of mass commercialization, I rarely encounter a political decision so fundamentally detached from market reality. This isn’t about disagreement over regulatory details—such differences are natural and healthy in democratic legislative processes. This is about a gap between declared objectives and actual consequences so glaring that it demands detailed explanation.
II. The Real Threat: Poland’s VASP Registry as a Tool for Legitimizing Crime
The President’s argument entirely ignores the cardinal problem the law was designed to solve: Poland’s registry of Virtual Asset Service Providers—VASPs—has become, de facto, an instrument for lending the appearance of legitimacy to criminal organizations operating on a global scale.
To understand the magnitude of the problem, we first need to understand how low the barriers to entry into Poland’s VASP registry were. According to procedures in effect since 2021, an entrepreneur seeking registration needed to meet only a few basic requirements. First, register a business in Poland. Second, file an electronic application along with a declaration that they met the legal requirements. Third, pay a stamp duty of six hundred and sixteen złotys.
That’s it. Six hundred and sixteen złotys—about a hundred and fifty dollars—and an electronic form. There was no minimum capital requirement. No mandatory liability insurance. No requirement to maintain physical infrastructure in Poland. No detailed verification of funding sources. No verification of the actual nature of the business being conducted. One could rent a virtual office—a mailing address serviced by a company providing such services for a few hundred złotys per month—and begin operating “in Poland” while physically based in Cambodia, the Seychelles, or anywhere else in the world.
The “clean record” requirement sounded impressive but relied entirely on the applicant’s own declaration. The registration authority—the Tax Administration Chamber in Katowice—had no obligation to verify these statements. Criminal records weren’t checked. The identities of beneficial owners weren’t verified beyond their entries in the Central Register of Beneficial Owners, which are themselves declaratory. The whole thing rested on a clause: “I am aware of criminal liability for making a false statement”—which posed no obstacle whatsoever to international criminal organizations.
The “knowledge and experience” requirement looked similar. The law considered this condition met if the applicant had completed a course covering legal or practical issues related to virtual currency activities, or had performed activities related to such business for at least one year. But no documents had to be attached to the application—a declaration sufficed. The registration authority verified neither the quality of the courses nor actual experience.
The official document “Questions and Answers Regarding the Virtual Currency Activity Registry” makes this explicit:
“Should documents confirming knowledge or experience related to virtual currency activities be attached to the registry application? No. Only a declaration of possessing knowledge or experience related to virtual currency activities should be attached to the registry application.”
Registration occurred automatically within fourteen days of submitting a formally correct application. There was no verification procedure. No due diligence review. No possibility of refusing registration due to doubts about the nature of the activity or the applicant’s intentions. If the form was filled out correctly, the fee paid, and the declaration attached—registration had to occur.
The result was predictable. Poland’s VASP registry became an oasis for various experts in gray- and black-market operations. A criminal organization could obtain Polish registration within days, then use it as a tool for building trust with potential victims worldwide. “We’re registered in Poland, a European Union member state. We’re subject to European regulations. You can trust us.” In reality, beneath the Polish credentials lurked a money-laundering operation handling billions of dollars.
III. The Huione Group: When a Polish “License” Services Billions in Crime
The case of the Huione Group—a Cambodian financial conglomerate sanctioned by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) in October 2025—illustrates this mechanism in a way so dramatic that, were it not documented by an agency of the United States government, it could be dismissed as fiction.
The Huione Group is a network of entities registered in various jurisdictions, offering comprehensive services for criminals. From the Haowang Guarantee online marketplace, where one could purchase equipment needed for conducting fraud—including devices for detaining victims, such as electronic handcuffs, stun guns, and tear gas—to the Huione Pay PLC money-laundering services, which accepted both traditional currencies and cryptocurrencies. The company even created its own stablecoin, USDH, advertised as “impossible to freeze” and “unrestricted by traditional regulatory agencies”—in other words, designed specifically to prevent law enforcement from recovering stolen funds.
According to FinCEN’s detailed analysis in the sanctions document, the Huione Group received at least $37.6 million in cryptocurrencies stolen by hackers working for North Korea, including funds from thefts executed by the Lazarus Group—a unit sanctioned by the Office of Foreign Assets Control (OFAC), linked to the Reconnaissance General Bureau, the primary foreign intelligence organization of the regime in Pyongyang. These funds, according to intelligence assessments, were used to finance the nuclear weapons and ballistic missile program.
Additionally, the Huione Group laundered at least $36 million directly from “pig butchering” scams and approximately $300 million from various forms of cybercrime. In total, between August 2021 and January 2025, the Huione Group processed at least $4 billion in illicit funds. Chainalysis estimated that Haowang Guarantee had processed at least $49 billion in cryptocurrency transactions since 2021.
And now the crucial point that President Nawrocki apparently doesn’t understand or doesn’t want to understand: Huione Crypto, the component of the Huione Group responsible for cryptocurrency exchange services, was registered in Poland as a Virtual Asset Service Provider.
According to findings by U.S. federal authorities:
“Huione Crypto is registered in Poland under the name Huione Crypto Spółka Z Ograniczoną Odpowiedzialnością and is also registered as a Money Services Business (MSB) with FinCEN. However, despite its registration in Poland and the United States, FinCEN assesses that Huione Crypto actually operates in and from Cambodia, and FinCEN has found no evidence consistent with activity in the United States. FinCEN assesses that the ‘Group’ referenced in Huione Crypto’s previously used Standard Terms and Conditions, which does not appear on its new website, refers to Huione Group, and that Huione Crypto’s CVC services share infrastructure with Huione Pay PLC and Haowang Guarantee, and collectively comprise a single organization.”
Read that sentence again. The largest illegal cryptocurrency operator in history, which processed billions of dollars from thefts benefiting North Korea, “pig butchering” scams, and other forms of cybercrime, held a Polish VASP “license.” Forced-labor camps in Southeast Asia, where thousands of victims of human trafficking were held and compelled to conduct frauds, operated under Polish regulatory credentials.
For six hundred and sixteen złotys in stamp duty.
This isn’t a case of a single company that slipped through Polish procedures by exploiting some legal loophole. This is a systematic problem with Poland’s supervisory system, which couldn’t—because it lacked the tools—distinguish legitimate entities from international criminal organizations. Poland’s VASP registry became a tool for lending the appearance of legitimacy to criminal operations on a global scale, and the President’s veto proposes maintaining precisely this system.
IV. The Scale of Fraud: The Economics of Tragedy
Before we proceed to a detailed analysis of the President’s arguments, it’s necessary to understand the economic scale of the problem the Polish law was meant to address. According to data from the FBI’s 2024 Internet Crime Report, losses by American citizens from cryptocurrency-related investment fraud exceeded $9.27 billion in that single year. The Federal Trade Commission estimates that in 2024 alone, over $1.42 billion was lost by American consumers in various forms of fraud where cryptocurrency was the payment method.
Chainalysis estimated that in 2024, the value received by identified illegal cryptocurrency addresses was at least $40.9 billion. This is a lower-bound estimate, since the methodology identifies only those addresses that have already been classified as illegal. Thefts from cryptocurrency exchanges in 2024 amounted to $2.2 billion. Ransomware ransom payments reached $813 million. Cryptocurrency flows linked to international sanctions totaled $15.8 billion—thirty-nine percent of all illegal transactions.
These numbers aren’t statistical abstractions. Behind every billion dollars are thousands of specific people who lost their life savings in ways often so psychologically sophisticated that it’s hard to believe such things are possible. Among them are Poles—precise data aren’t available, but proportionally to the population, losses may reach billions of złotys annually. These are the life savings of tens of thousands of Polish families, vanishing into the pockets of international fraudsters, often operating from platforms registered in Poland’s very VASP registry, for which they paid six hundred and sixteen złotys in stamp duty.
V. What the Law Was Actually Meant to Fix
The cryptocurrency market law that President Nawrocki vetoed aimed at a fundamental reconstruction of Poland’s supervisory system. This wasn’t “over-regulation” or “stifling innovation,” as the President suggests. It was an attempt to create a system that actually verifies entities before allowing them to accept billions of złotys from Polish clients.
The key changes addressed precisely the gaps that enabled the Huione Group and similar entities to exploit Poland’s registry as a tool for legitimizing crime. The law introduced actual capital requirements—entities would be obligated to hold capital proportional to the scale of their operations, which would effectively exclude shell operations run by entities without real resources. It introduced mandatory liability insurance to protect clients in case of problems with the platform. It required the employment of qualified compliance personnel with documented experience in anti-money-laundering measures.
But above all—and this is crucial—the law created mechanisms for actual verification and ongoing supervision. The Polish Financial Supervision Authority (KNF) would receive powers to conduct regular inspections, verify procedures, and test systems. Entities would be obligated to report regularly, which would allow for the identification of irregularities before they became mass-scale frauds. This is a fundamental difference from the current system, where registration occurs automatically after filing a form, and supervision is practically nonexistent.
Since December 30, 2024, the Director of the Tax Administration Chamber in Katowice has stopped accepting new applications for registration in the virtual currency activity registry (VASP). This decision results from the direct application of MiCA (Markets in Crypto-Assets Regulation—Regulation (EU) 2023/1114 of the European Parliament and of the Council) and the TFR (Transfer of Funds Regulation). In a communication at the end of December 2024, the authority maintaining the registry unequivocally stated that there are no legal grounds for making new entries of entities into the registry, as higher EU standards have been directly applicable since that date. However, entities that obtained registration before December 30, 2024, may continue operating under existing rules, but only during a transitional period.
Article 143(2) of the MiCA Regulation provides for an eighteen-month transitional period, allowing entities providing crypto-asset services (formerly VASPs) to continue operating under existing rules until July 1, 2026, or until obtaining CASP (Crypto-Asset Service Provider) authorization or being denied such authorization—whichever comes first.
VI. First Argument: The Domain-Blocking Mechanism
The President claims that the regulations enable “shutting down websites with one click.” This is a fundamental misrepresentation of the regulation’s character. The domain-blocking mechanism was detailed in Articles 66–76 of the law and includes a verification system divided into two fundamentally different modes.
The first, automatic mode, applies exclusively to entities conducting business without the required authorization—which is a crime punishable by up to five years’ imprisonment—after the KNF files a notice of the crime and posts information about that notice on a dedicated KNF webpage. This isn’t “one click” but the consequence of a proceeding in which the KNF must have justified grounds for suspecting a crime has been committed. The domain goes into the blocked sites registry automatically, but only after this formal process.
The second, discretionary mode requires the KNF to demonstrate proportionality of action and the absence of other effective measures. It concerns situations where a domain is being used to conduct activities violating MiCA Regulation provisions in ways other than operating without authorization—for example, improper storage of client funds, lack of adequate technical safeguards, or misleading clients about the nature of services offered. In such cases, the KNF must demonstrate that blocking is necessary to prevent the risk of causing serious harm, and that there are no other effective measures leading to cessation of the violation. An entity affected by such blocking has the right to file an objection within two months, and the KNF has fourteen days to consider it and issue a decision either to keep the domain name in the registry or to delete it.
Are these mechanisms perfect? No, and I myself wrote about their flawed construction in my article “Blocking Internet Domains—KNF’s New Weapon Against Illegal Cryptocurrency Exchanges.” I pointed out problems with procedural guarantees, the possibility of erroneous blocking, and the lack of compensation mechanisms for entities wrongly blocked. This is justified criticism requiring refinement of the mechanism, but not its complete abandonment.
Moreover, the argument about “loss of access to funds” is intellectually dishonest in the context of what actually happens. Blocking concerns illegally operating platforms—those that by definition shouldn’t be storing Polish clients’ funds, since they operate without required safeguards, insurance, and capital. The Huione Group had access to its clients’ funds. FTX had access to its clients’ funds. Celsius Network had access to its clients’ funds. And all these clients lost their money not because some regulator blocked access to the site, but because these platforms operated without proper supervision and used client funds for their own purposes or simply stole them.
The real threat to Poles’ access to their funds doesn’t come from the KNF blocking illegal platforms. It comes from those platforms themselves—from the Huione Group, from platforms like OneCoin or BitConnect, which were classic financial pyramids, from hundreds of smaller fraudsters who exploit the lack of effective supervision.
VII. Second Argument: “Over-Regulation” and Comparisons to Other Countries
The President claims that while the Czech Republic, Slovakia, and Hungary implemented regulations numbering a few or a few dozen pages, the Polish law runs to over a hundred, supposedly demonstrating “over-regulation” leading to “pushing companies abroad.” This comparison is so misleading that it’s hard to credit it with good faith.
The MiCA Regulation is an act directly applicable throughout the European Union. It comprises one hundred and sixty-eight articles and occupies more than two hundred pages. Member states need only designate the appropriate supervisory authority, introduce sanctions for violations, and adapt national provisions to the new regime. Differences in the length of implementing laws result from three main factors.
First, the degree of national regulation before MiCA. Poland had an extensive VASP system introduced in 2021, which required complete reconstruction and adaptation to MiCA requirements. Countries that didn’t regulate this market at all before MiCA could limit themselves to minimal implementation, since they didn’t have to change existing structures.
Second, the scope of changes to other laws. The Polish law amends twenty-eight other legal acts—from the Financial Market Supervision Act, through the Code of Criminal Procedure, to tax laws. This isn’t “over-regulation”; it’s the consequence of the fact that introducing a new category of financial institutions requires changes to dozens of related provisions.
Third, the level of detail in criminal and administrative sanctions. Polish legislative tradition requires detailed specification of penalties, while some countries use more general formulas referring to criminal codes. This is a difference in legislative style, not “over-regulation.”
The claim that “short law equals good law” is a legal absurdity worthy of a first-year law student. The quality of regulation isn’t measured by the number of pages but by precision, coherence, and effectiveness in achieving intended goals. The current Polish VASP system has a few pages of procedures and has led to a situation where the largest money-laundering operation in history obtained Polish credentials for six hundred and sixteen złotys. If this is the ideal of “simple regulation” the President is defending, the results are obvious.
VIII. Third Argument: High Supervisory Fees
The President claims that supervisory fees “will make it impossible for small firms and startups to develop while favoring foreign corporations and banks.” This argument ignores a fundamental fact that any lawyer with experience in financial law should understand: small firms and startups shouldn’t be conducting deposit activities involving crypto-assets worth hundreds of millions of złotys if they don’t have capital to cover potential client losses.
The history of the cryptocurrency industry is a chronicle of spectacular collapses caused by lack of capital and supervision. Celsius Network promised clients 19.45% annual interest—any experienced financier knows that such a rate of return can only be promised by a financial pyramid or an entity taking extreme risks. The result? In June 2022, Celsius froze withdrawals for 1.7 million users; a month later, it declared bankruptcy with a $1.2 billion hole. CEO Alex Mashinsky was arrested; prosecutors are seeking twenty years in prison.
FTX, the world’s third-largest cryptocurrency exchange, valued at $32 billion as recently as early 2022, collapsed literally within a week after it was revealed that Sam Bankman-Fried had systematically misused $8.9 billion in customer funds for private purposes and risky investments. Sentence: twenty-five years in prison.
Terra/Luna—$45 billion in market capitalization evaporated in a few days when it turned out that the “algorithmic stablecoin” UST was mathematically impossible to maintain, and the Anchor Protocol offering 19.45% annual interest was a classic Ponzi scheme.
Each of these cases began as an “innovative startup” run by “visionaries” who claimed that regulations “stifle innovation” and that traditional capital requirements are “relics of the past.” Each ended in the ruin of thousands of people who lost their life savings. Thousands of people whose “freedoms” the President supposedly defends, depositing money on platforms that lacked capital to secure it.
Supervisory fees aren’t a tax on innovation. They’re the price for conducting business that involves storing other people’s money. If an entity doesn’t have the means to pay for supervision, it doesn’t have the means to responsibly conduct such activities. This is precisely the difference between innovation and gambling with other people’s money.
Moreover, the argument about “favoring foreign corporations” is particularly ironic in the context of what actually happens. Currently, it’s precisely foreign criminal organizations—like the Huione Group—that exploit lax Polish supervision to obtain legitimacy. Honest Polish entrepreneurs who want to conduct business legally bear reputational costs resulting from the fact that the Polish registry is internationally perceived as a “license shop” for questionable entities.
IX. Consequences of the Veto: Three Scenarios
The President’s veto isn’t a gesture defending freedom. It’s a decision to maintain the status quo, which enables the operation of the largest criminal operations in history with Polish credentials. The consequences will be felt in three dimensions.
First, the continuation of Poland’s VASP registry in its current, flawed form means further legitimization of entities that may be fronts for international crime. Every day of delay means more victims of fraud, more millions of złotys lost by Polish citizens, more funds laundered by platforms operating under Polish “licenses.” For honest entities that prepared for new requirements and invested in compliance systems, capital, and insurance, it means prolonged uncertainty and unfair competition from entities that skipped these investments.
Second, Poland’s international reputation in the context of financial supervision will continue to deteriorate. The veto comes at a moment when FinCEN has issued sanctions against the Huione Group—an organization that operated as a Polish VASP; when the FATF is conducting an assessment of Poland’s anti-money-laundering system; when the European Union is monitoring MiCA implementation in all member states. Poland, as one of the last states that was to adopt implementing regulations, now additionally delays this process, signaling to the international community that the priority isn’t protecting the financial system but protecting the “freedom” of entities to operate without effective supervision.
Third, the industry’s demographic paradox. The President fears that regulation will “push companies to the Czech Republic, Lithuania, or Malta.” In reality, his veto may produce precisely this effect, but in the most harmful form. The MiCA Regulation applies in all member states. Companies can, however, choose where to obtain authorization. If Poland doesn’t have clear, efficiently functioning licensing procedures, honest entrepreneurs will choose other jurisdictions—not because Polish regulations will be too rigorous, but because in Poland there are no new regulations compliant with the MiCA standard at all.
Meanwhile, dishonest players will remain in the Polish VASP registry, taking advantage of the lack of effective supervision and further compromising the Polish jurisdiction.
X. The Real Threat to “Poles’ Freedoms”
President Karol Nawrocki claims he will “defend the economic security of Poles.” Meanwhile, his veto achieves precisely the opposite effect—it leaves Poles defenseless against threats that aren’t theoretical but real, documented, and operating right now.
The real threat to “Poles’ freedoms” doesn’t come from the KNF possessing powers to block illegal platforms. It comes from international criminal groups like the Huione Group, which for years exploited a gap in Poland’s supervisory system to launder billions of dollars, finance North Korea’s nuclear program, and operate forced-labor camps. It comes from platforms like Celsius, FTX, and Terra/Luna, which accepted billions of dollars from clients without adequate capital and supervision, then stole or lost those funds through irresponsible management. It comes from hundreds of fraudsters running “pig butchering” schemes, who in 2024 alone defrauded Americans of over $9 billion.
This isn’t a defense of freedom. It’s irresponsible populism that may cost Polish citizens additional billions of złotys lost to fraud, while the international legal and financial community watches in disbelief as Poland—a country aspiring to be a regional leader—voluntarily remains a haven for financial crime.
Let’s not wait until another Polish VASP “license” appears in a FinCEN report as a tool exploited by international crime. Let’s not wait until thousands more Poles lose their life savings on platforms that were able to operate without supervision thanks to the President’s veto. Regulation of the cryptocurrency market is necessary. But it must be a law that actually protects citizens, not rhetoric about freedom serving to protect fraudsters.
Founder and Managing Partner of Skarbiec Law Firm, recognized by Dziennik Gazeta Prawna as one of the best tax advisory firms in Poland (2023, 2024). Legal advisor with 19 years of experience, serving Forbes-listed entrepreneurs and innovative start-ups. One of the most frequently quoted experts on commercial and tax law in the Polish media, regularly publishing in Rzeczpospolita, Gazeta Wyborcza, and Dziennik Gazeta Prawna. Author of the publication “AI Decoding Satoshi Nakamoto. Artificial Intelligence on the Trail of Bitcoin’s Creator” and co-author of the award-winning book “Bezpieczeństwo współczesnej firmy” (Security of a Modern Company). LinkedIn profile: 18 500 followers, 4 million views per year. Awards: 4-time winner of the European Medal, Golden Statuette of the Polish Business Leader, title of “International Tax Planning Law Firm of the Year in Poland.” He specializes in strategic legal consulting, tax planning, and crisis management for business.
