by dogman144
1588 days ago
Dump and save all your logs tied to this, and try to go back as far as possible as it pertains to this user and related infra they used. Start an Excel sheet w/ <time>, <action done> and <result> on the headers, and log everything you do as part of figuring out what to do about this, i.e. (Feb 17, asked what to do on hackernews, took advice and called a lawyer). Put it in a gdrive. Essentially, establish an audit trail of you doing the right thing once you realized what was going on. Get a lawyer involved, and then ring up the local cyber crimes unit and be prepared to dump all this evidence. There's a lot of interplay b/t security teams and law enforcement over this stuff so it's not unusual. They'll be happy you reported. Anyone can use a SaaS platform, worst case you might get a rude awakening on the need to do KYC/AML or some sort of user onboarding regulations that you weren't aware you had to follow. This is all about due diligence and if you did it once you knew you had to. Using intermediary infrastructure to dodge OFAC sanctions or w/e like this isn't uncommon. The uncommon part is being able to get knowledge on the intermediary infra (your SaaS), so you're doing a solid by reporting it and providing logs.