If SEC decides at some point that this was pump-and-dump scheme (even crowdsourced), the Citadel may become liable for enabling that scheme, even if they do not run it themselves.
It seems unlikely to me that Citadel would be liable. They're just processing bulk transactions -- they have no direct contact with customers. You could just as well blame the NYSE.
If it's true they refused to process for certain securities for their downstream clients, then I believe "When?" and "Why?", specifically in relation to other actions, become legally relevant questions.