This is terrible advice. When there is a US financial institution and a country currently subject to sanctions involved there could be OFAC/AML/BSA implications. In some instances there is an affirmative obligation to report suspicious activity. And depending on what (if any) PII was accessed there could also be an affirmative obligation to notify impacted customers or state AGs. Hiring a lawyer (where OP can give a full a candid disclosure of all relevant facts) is the only reasonable advice OP can get. Maybe it's absolutely nothing and OP can ban the user for TOS violations and be done with it. But maybe it's not. No one here has enough information to make that assessment with any degree of certainty whatsoever.