Regarding some of the above cases, it is interesting to hear about. Claiming you have completed KYC as if that clears you; it really doesn't.
We are revealing our secret approach to the whole KYC situation today. It was our decision not to apply KYC across the platform and only for users engaged in fraud. The idea and reasoning behind this are that if a user engages in fraud and we close their account, they will simply create a new account and do it again. We request KYC even if we intend to close the account; this way, they use their information to complete the KYC for the existing account. If they create a new account in the future, they will fail to pass the KYC because their information has already been used (if they use the same information), or else they must find someone else to provide their information to complete the KYC. In that event, they have to do some extra work to get a new account. Even in that case, we have systems in place to detect multiple accounts, so we can detect them for the most part.
Just for clarity, any user who has been asked to complete KYC without any questions was engaged in fraud of some kind, and we generally close the accounts after the KYC, as explained above.
[...]
I might need a refresher course as I probably got things mixed up [to be honest, your case is a very long one] and confused a fact or two, but... weren't you initially said that you lost all of the database because your business partner sabotaged it, and the only reason you can get the data for these refund process is because you get it from a bare-minimum database that you have to upload to your regulator on weekly basis? Here, quoted below,
[...]
Regarding the suggestion to send an email to users, this is clearly the most effective way to resolve this issue. However, as we mentioned in our initial statement, we do not have access to the database. We do have a limited version of the database that is shared with regulators for compliance purposes. If we had access to the actual site database, we would simply restore the site and allow users to withdraw their funds directly. Unfortunately, this is not the case, and we can only do what we can with the resources available to us.
If so, how can you tell that those accounts commited fraud? The data you uploaded to the regulator, according to you, are: "
We only share usernames and user IDs for identification and never email addresses. They are private and should be protected to the degree that is possible."
You memorized their name or something?