Ask HN: If your SaaS was used to commit a financial crime, what should you do?
74 points by cuz-reasons 1588 days ago
Hypothetically, if your Solo-Founder SaaS was used by a suspicious customer based in Russia to access a USA financial institution.
21 comments

Dump and save all your logs tied to this, and try to go back as far as possible as it pertains to this user and related infra they used. Start an Excel sheet w/ <time>, <action done> and <result> on the headers, and log everything you do as part of figuring out what to do about this, i.e. (Feb 17, asked what to do on hackernews, took advice and called a lawyer). Put it in a gdrive. Essentially, establish an audit trail of you doing the right thing once you realized what was going on.

Get a lawyer involved, and then ring up the local cyber crimes unit and be prepared to dump all this evidence. There's a lot of interplay b/t security teams and law enforcement over this stuff so it's not unusual. They'll be happy you reported. Anyone can use a SaaS platform, worst case you might get a rude awakening on the need to do KYC/AML or some sort of user onboarding regulations that you weren't aware you had to follow. This is all about due diligence and if you did it once you knew you had to.

Using intermediary infrastructure to dodge OFAC sanctions or w/e like this isn't uncommon. The uncommon part is being able to get knowledge on the intermediary infra (your saas), so you're doing a solid by reporting it and providing logs.
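Added example (written for this page, not the commenter's or any SaaS's own code) of the "dump the logs, pivot to related infra, keep a time/action/result audit trail" advice above. It assumes a JSON-lines application log with hypothetical `user`, `ip`, `action` and `result` fields; the sample lines are constructed, not real data. The raw log is copied byte-for-byte and hashed before and after the copy so the manifest can show the preserved file is identical to the source, the per-user extract pivots from the account to the source IPs it used and pulls in other accounts seen from those IPs, and every step you take gets appended to a CSV with UTC timestamps.

```python
import csv
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample application log (JSON lines); not real data. One account
# (u-4711) is the suspicious one, u-9900 shares a source IP with it, and u-0042
# is unrelated traffic that must NOT be swept into the evidence set.
SAMPLE_LOG = "\n".join([
    '{"ts":"2022-02-15T09:01:00Z","user":"u-4711","ip":"198.51.100.7","action":"login","result":"ok"}',
    '{"ts":"2022-02-15T09:02:10Z","user":"u-4711","ip":"198.51.100.7","action":"bank_link","result":"ok"}',
    '{"ts":"2022-02-15T09:05:00Z","user":"u-0042","ip":"203.0.113.9","action":"login","result":"ok"}',
    '{"ts":"2022-02-16T22:40:00Z","user":"u-9900","ip":"198.51.100.7","action":"login","result":"ok"}',
    '{"ts":"2022-02-17T03:12:00Z","user":"u-4711","ip":"198.51.100.8","action":"export","result":"ok"}',
]) + "\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def related_events(log_text: str, user_id: str) -> list:
    """Every event by user_id, plus events from other accounts that came from
    the same source IPs (the pivot to the 'related infra they used')."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    user_ips = {e["ip"] for e in events if e["user"] == user_id}
    return [e for e in events if e["user"] == user_id or e["ip"] in user_ips]


def preserve(log_path: Path, evidence_dir: Path, user_id: str) -> dict:
    """Copy the raw log byte-for-byte, hash source and copy, and write the
    extracted subset next to it. The untouched raw copy is what investigators
    will want; the subset is for your own analysis."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    raw = log_path.read_bytes()
    copy_path = evidence_dir / (log_path.name + ".raw")
    copy_path.write_bytes(raw)
    events = related_events(raw.decode("utf-8"), user_id)
    subset_path = evidence_dir / f"{user_id}-related.jsonl"
    subset_path.write_text("".join(json.dumps(e) + "\n" for e in events))
    return {
        "source": str(log_path),
        "source_sha256": sha256_hex(raw),
        "copy_sha256": sha256_hex(copy_path.read_bytes()),
        "event_count": len(events),
        "accounts": sorted({e["user"] for e in events}),
    }


def record_action(manifest: Path, action: str, result: str) -> None:
    """Append one <time>, <action done>, <result> row; UTC so timestamps are unambiguous."""
    is_new = not manifest.exists()
    with manifest.open("a", newline="") as fh:
        writer = csv.writer(fh)
        if is_new:
            writer.writerow(["time", "action done", "result"])
        writer.writerow([datetime.now(timezone.utc).isoformat(), action, result])


def read_manifest(manifest: Path) -> list:
    with manifest.open(newline="") as fh:
        return list(csv.reader(fh))


def demo(user_id: str = "u-4711") -> dict:
    """Run the whole flow in a temp dir on the constructed log; returns what was preserved."""
    work = Path(tempfile.mkdtemp(prefix="evidence-"))
    log = work / "app.log"
    log.write_text(SAMPLE_LOG)
    manifest = work / "audit-trail.csv"
    record_action(manifest, f"noticed suspicious activity for {user_id}", "started evidence collection")
    info = preserve(log, work / "evidence", user_id)
    record_action(manifest, f"preserved {log.name}",
                  f"sha256={info['source_sha256']} events={info['event_count']}")
    return {"info": info, "rows": read_manifest(manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script and it prints the manifest entry for the constructed log (four related events across two accounts; u-0042 stays out). The hash of the raw copy is the thing to write into your audit sheet, since it lets anyone later confirm the file you hand over is the file you captured.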

Keep your notes on it handy. Contact your legal rep or team.

When something similar happened to me I was eventually contacted by the California computer crimes task force, IIRC. Very simple phone call, asking for notes I kept on the situation. Polite.

Then I got looped into the prosecution's long and kind of annoying email chain to everybody involved before there was an eventual going-nowhere of it all. Surprising but that's what happened. So you never know but some basic diligence is typically a good idea. This is not legal advice.

Ignore all the folks saying don't ask this question. Dealing with fraud / abuse issues is not uncommon.

Generally you do a few things.

If something makes you feel uncomfortable, and your agreement allows it, close out the customer's account.

Just like facebook / google and friends, I've found it better NOT to get into a lot of back and forth or just point to a generic policy (i.e., overseas accounts not supported).

If you need to refund money, make sure you only refund to the same payment method. I.e., a credit card refund should not go out by check. I've seen scammers use this with a stolen card, then try and get the refund by check. A few months later the card owner contests the bill. If you refund back to the same card, then when the owner protests, the money is already back, nothing to protest.

Consider a hold on funds if you are concerned that they will be returned to the issuing entity if you are in the middle of a payment flow. If so you want to make sure your money handling stuff is compliant anyway with KYC and transfer licensing needs.
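Added example (not the commenter's code, nor any payment provider's API) of the same-tender refund rule from the comment above: a refund is only approved when it goes back to the exact instrument that was charged and does not exceed what is still unrefunded, and every rejection carries a reason so it can be reviewed and logged rather than silently dropped. `Charge`, `plan_refund` and the masked instrument strings are hypothetical; the charges and refund requests are constructed sample data, and the first request is the stolen-card-then-refund-by-check pattern the comment describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Charge:
    charge_id: str
    method: str        # tender type the customer paid with: "card", "ach", ...
    instrument: str    # masked reference to the exact instrument, e.g. "card_****4242"
    amount_cents: int
    refunded_cents: int = 0


class RefundRejected(Exception):
    """Raised when a refund would leave the original payment rail or overpay."""


def plan_refund(charge: Charge, method: str, instrument: str, amount_cents: int) -> dict:
    """Approve a refund only if it returns money to the instrument that was
    charged and does not exceed what has not already been refunded."""
    if (method, instrument) != (charge.method, charge.instrument):
        raise RefundRejected(
            f"{charge.charge_id}: refund requested to {method}/{instrument}, "
            f"but payment came from {charge.method}/{charge.instrument}")
    remaining = charge.amount_cents - charge.refunded_cents
    if not 0 < amount_cents <= remaining:
        raise RefundRejected(f"{charge.charge_id}: {amount_cents} exceeds remaining {remaining}")
    return {"charge_id": charge.charge_id, "method": charge.method,
            "instrument": charge.instrument, "amount_cents": amount_cents}


def process_refund_requests(charges: dict, requests: list) -> dict:
    """Batch variant: returns approved refunds and the rejected ones with reasons."""
    approved, rejected = [], []
    for req in requests:
        charge = charges.get(req["charge_id"])
        try:
            if charge is None:
                raise RefundRejected(f"{req['charge_id']}: unknown charge")
            approved.append(plan_refund(charge, req["method"], req["instrument"], req["amount_cents"]))
        except RefundRejected as exc:
            rejected.append({"charge_id": req["charge_id"], "reason": str(exc)})
    return {"approved": approved, "rejected": rejected}


# Constructed sample data (not real transactions).
CHARGES = {
    "ch_1": Charge("ch_1", "card", "card_****4242", 49_900),
    "ch_2": Charge("ch_2", "card", "card_****1881", 12_000, refunded_cents=2_000),
}
REQUESTS = [
    # the pattern from the thread: paid by (possibly stolen) card, asks for the refund by check
    {"charge_id": "ch_1", "method": "check", "instrument": "mail_to_address", "amount_cents": 49_900},
    # legitimate: back to the card that was charged
    {"charge_id": "ch_1", "method": "card", "instrument": "card_****4242", "amount_cents": 49_900},
    # right instrument, but more than is still unrefunded
    {"charge_id": "ch_2", "method": "card", "instrument": "card_****1881", "amount_cents": 11_000},
    # no such charge
    {"charge_id": "ch_9", "method": "card", "instrument": "card_****0000", "amount_cents": 100},
]

if __name__ == "__main__":
    import json
    print(json.dumps(process_refund_requests(CHARGES, REQUESTS), indent=2))
```

The point of returning the rejections with reasons is that a request to move money off the original rail is itself a signal worth keeping in the same audit trail as the rest of the incident.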

I wouldn't leave this up. Maybe create a retrospective post once the case is over if you want to help others, but don't share details (even minute details) publicly until you've talked to a lawyer first.
If you email hn@ycombinator.com, they may be willing to take this down for you, assuming you can't currently delete it on your own. I understand they do this very occasionally, when there is good reason to do so. Good luck!
Interesting dichotomy between the people upvoting and the people recommending deletion. Surprisingly, no one has flagged this.
It's because this type of situation is interesting, and is often not talked about much publicly.

The cost of information leak is borne by the poster, but the value of the information is gained by those readers. Thus, there's asymmetric benefit.

Is it inappropriate to say that I'm jealous your SaaS is good enough to be used by Russians for financial crime? I mean you're gonna take this post down anyways right?
1. Delete this post

2. Lawyer up

You can always reach OCCRP securely using our Securedrop instance: https://www.occrp.org/en/become-a-whistleblower/

You might know us from the recent SuisseSecrets (https://www.occrp.org/en/suisse-secrets/) as well as covering Russian laundromats through European banks: https://www.occrp.org/en/laundromats/

you can also reach out through jurre[@] occrp dot org

This is the main lawyer that handled PIA's (Private Internet Access) legal challenges: https://www.linkedin.com/in/jarsenault Being a VPN, they would get contacted about a lot of stuff like this. He is a decent guy from my personal experience and maybe he would be a good contact if you don't already have a lawyer handling this.
Seek counsel prior to anything else
Contact your favorite lawyer first.
> Mid-term, I am going to add detailed logging of all customer activity, and a workflow to analyze these logs.

I'd recommend not changing anything about how your app functions until you follow the common advice here. Ask your attorney when you can make code changes. You may be destroying evidence even if it's just "the path they took".

Why do you care? Don't assume, and ask a lawyer. Ban the user for not following TOS and you should be good.
This is terrible advice. When there is a US financial institution and a country currently subject to sanctions involved there could be OFAC/AML/BSA implications. In some instances there is an affirmative obligation to report suspicious activity. And depending on what (if any) PII was accessed there could also be an affirmative obligation to notify impacted customers or state AGs. Hiring a lawyer (where OP can give a full and candid disclosure of all relevant facts) is the only reasonable advice OP can get. Maybe it's absolutely nothing and OP can ban the user for TOS violations and be done with it. But maybe it's not. No one here has enough information to make that assessment with any degree of certainty whatsoever.
How can a solo founder SaaS "be used" to access financial institutions? Do you mean simply creating a bank connection through an API like Plaid? People in Russia may have bank accounts in the US, you know?
What are you trying to do?
As a fintech founder myself, I'm trying to understand how on earth a SaaS can be used to commit a financial crime. Is this a hacking tool?
Hire a lawyer.
Hypothetically, you should report what happened and hire an attorney ASAP.
But not in that order. Hire the attorney, and ask them about whether and how and where to report.

An attorney will know how to navigate this in a way that protects you.

Submit a suspicious activity report to local law enforcement
if you needed a recommendation for legal representation:

https://www.torekeland.com/

I wouldn't leave this up
Yeah take this post down and contact a lawyer who specializes in financial crimes. You shouldn't be taking legal advice from the internet.
Technically speaking, you gave them a piece of advice.

But in all seriousness - yes. The only viable piece of advice is which lawyers should one consult.

> You shouldnt be taking legal advice from the internet.

Why not? I always find this "don't take advice from non-lawyers" to be annoying when I've listened to a lot of really idiotic theories by lawyers. And who knows, you might also find some lawyers right here on HN.

> > You shouldnt be taking legal advice from the internet.

> Why not?

Lack of expertise. Likelihood of conflict of interest. Lack of accountability. Lack of adequate information about the relevant facts (because you almost certainly won't be willing to disclose enough, and if you did that has its own problems for your legal situation in many cases).

(That's not to say you can't get legal information on which you can follow up from the internet, but there is a big difference between that and legal advice.)

A lawyer has attorney-client privilege. Writing a HN post, on the other hand, produces public evidence which could be used against you in court.
There are indeed plenty of us here on HN. But you still shouldn't take legal advice from the Internet.

There are only two possible outcomes to such a thing: (a) you are not entirely forthcoming about all potentially relevant details in that public forum and therefore the advice cannot be relied on in your particular situation; or (b) you are entirely forthcoming about all potentially relevant details in that public forum and therefore you've waived at least some of the protections of confidentiality and privilege.

Lawyers say a lot of stupid things to be sure, but generally not when it pertains to their practice area. Some things they say that sound stupid are actually how the law works, and in my experience as an actual lawyer, people who are not lawyers vastly overestimate how much they know about the law, and are far more confident when giving opinions than a lawyer would be.
> generally not when it pertains to their practice area.

https://a16z.com/2014/02/06/why-i-did-not-go-to-jail/

Ah, I wish that was the case.

I've had multiple high priced lawyers with years of experience in the area give me completely, factually wrong information about THEIR PRIMARY PRACTICE AREA over the years. It still blows my mind.

In one case, I was stupid enough to believe them even though I knew it didn't quite sound right and it cost me an immense amount of money and a huge amount of stress in the resulting litigation.

And I know they were completely factually wrong because I had double checked with them what they said, they confirmed it (reiterated it actually) - and then it was very much not correct, as confirmed by the following court case which I had to settle, because I had been operating under a factually wrong view of the law. Not even 'eh, could go either way', but 90% of the lawyers I interviewed for the follow-up litigation literally said 'Well, that's dumb. Why did you do that? Of course you're going to get sued. Did you write it down you were doing that? Well, you're in deep trouble. Sorry, my calendar is booked solid, can't help you.'

More recently, while interviewing civil litigation attorneys, I had one who was referred to me with excellent references. Easily 20 years of practice too, I forget the exact number I pulled from the Bar.

I had done quite a bit of research on the area. Specifically I had tracked down and read the complete civil procedure that defined the applicable statute of limitations, and did some cursory research on the case law around it. I also pulled the applicable penal codes, case law, and civil damage claims - in this case Conversion, Grand Theft, Subornation of Perjury, Perjury, and a few others - and had figured out the likely elements of the crimes that were applicable, which I could prove and how easily, which ones were iffy, etc.

When I laid out the evidence and the case, he tried to convince me that I was outside the statute of limitations (even though it had only been 6 months since the event had first occurred, and was still ongoing), and that the court would throw it out and I'd be liable under anti-SLAPP - even though I could prove the party involved had committed perjury and filed a false police report, and there was no plausible claim it was a matter of public interest.

The case law is quite clear that perjury is not a protected type of speech, and matters of public interest are also clearly defined enough that this wouldn't apply at all. So the anti-SLAPP statute couldn't apply.

I would have to prove perjury, but I literally had solid, fully contextual video evidence that showed that what was claimed in the other party's court filing (initial AND follow-up) was not and could not have happened, AND it showed that the opposite had happened - they were the party at fault, and they had to have known it, or were clearly mentally incompetent.

This video was from cameras the other party had requested be installed, AND knew recorded these things/area, AND that they knew I had access to and had their permission to access/download from.

When I asked him why he thought it was outside the statute of limitations since the applicable statute of limitations for civil claims in that state cut off at 1, 2, or 3 years for civil claims (and this was likely a 3 year case due to violations of the penal code), he literally sputtered out 'you knew that?' before making a rapid 'I wish you luck sir', and hanging up on me.

Bullshitters abound, and lawyers are better than most at bullshitting as it's a large part of the job. Same as sales folks. Most lawyers' customers are in dire straits, overwhelmed and overloaded, and in trouble and changed life circumstances that they don't understand for reasons they have difficulty processing/understanding, let alone breaking down or describing in a coherent way.

If they run across someone who looks good, says what they want to hear, and has the trappings (books, the office, the tie, whatever), 99% of these customers can't or won't be able to do critical thinking on what is being said, let alone cross reference it with something concrete or do their own research.

They also don't have the time or are in life circumstances in most cases to interview enough attorneys and learn the relevant sections of law to do basic bullshit checks either.

There is a reason the Bar and licensing/testing exists - without it, it would be an even bigger disaster and shark chum feed. It's also been my experience that about 80% (or more) of licensed practicing attorneys are happy to bullshit you with happy go lucky stories about how they'll get x thing done, or you totally have a case, or you can totally do this thing and it'll be fine, when, while not impossible, that's just not really a good idea for you. And will happily turn the crank on billable hours producing things that look really cool and impressive if you don't know what's going on, but are often riddled with factual errors, missing useful procedural elements, or not providing evidence in a way that is going to make the case clear and easy to judge. At least that gets them paid in the resulting disaster or while it churns on with no end in sight anyway.

You also can end up with 'this is impossible', or 'that is not how it works', when actually, it could be done, it's just outside of their area of expertise (and they don't want to admit they don't know).

To the original point, it is rare to have someone give completely, clearly factually incorrect information about their specialty, but it does happen. If you interview 10 lawyers, you'll find at least one, probably two in my experience who will do so.

If I had written records of the wrong advice in my situation (instead of phone calls), I would have filed a complaint with the Bar, but lawyers are unfortunately ALSO pretty good at covering their asses, and the Bar is pretty good at looking like it's going after folks without really changing anything. So not worth trying frankly.

Caveat emptor.

Aside from the possibility of self incrimination, the whole IANAL thing is mostly just a meme. People are more than happy to feign expertise on epidemiology or any number of topics but legal advice should only be trusted if it comes from a Lawyer.
Oh gosh no, lawyers can give wrong legal advice same as laypeople!
Why not?

For the same reason you wouldn't take technical advice about how to structure a scalable backend from the guy who mows your lawn.

> I've listened to a lot of really idiotic theories by lawyers

Lawyers can, and will, say a lot of stupid things, because lawyers are very opinionated people and like to argue. It's why many of us became lawyers. But when we have a client the things we say and do with respect to that client's case are made on a professional basis (i.e., with at least some support from the facts, law, cases, etc.).

A husband and wife can't be tried for the same crime!
Because even those of us with some knowledge do not know all the details of all the laws. We don't know what jurisdiction you live in, what jurisdiction the other folks live in, or which one might actually be correct for your suit. Because of that, we cannot know the details of the specific laws for specific situations. After all, the very first thing they taught us in law school was that the answer to every question is "It depends."
> Why not?

Liability (there's other good reasons the other commenters are pointing out too, but this is the most important one).

If your lawyer tells you something completely wrong that gets your entire business fucked by the US government then they (and ultimately, their insurance) are on the line for that.

If you follow a dumb comment from HN and destroy your business that's all on you.

> If your lawyer tells you something completely wrong that gets your entire business fucked by the US government then they (and ultimately, their insurance) is on the line for that.

The attorney you consult about the potential malpractice claim against the first lawyer may tell you that that's not an accurate description of the professional standard of care that is applicable, but, still, a lawyer you hire is more accountable than hnwhiz679.

Also, while true there is the bar, and licensing, and insurance - be aware, you will be attempting to make a claim against someone who literally - as their entire profession - is a professional ass coverer, deflector of blame, and finger pointer.

Is it possible to win? Yes. May god have mercy on your soul.

If you're genuinely asking why you shouldn't publicly incriminate yourself on the internet that might explain why you have interacted with so many subpar lawyers.
delete this, OP
Call the FBI!

You shouldn't be talking about this publicly either. You could be compromising the future investigation.