by chaps 1494 days ago
I've done a fair amount of similar disclosures and have had good and bad experiences.

First, consider consulting a lawyer. Then, consider sending it to a reporter who specializes in cybersecurity and who isn't shy about reporting on these issues. They have protocols for this sort of thing and will do proper disclosures beforehand. A way to think about it is that once the reporter reaches out, the company will be in panic mode and try to correct the problem ASAP before bad press gets out. They understand that because a reporter is reaching out to them that an article is in the works and their only option is damage reduction, considering the worse alternative. Reaching out on your own without protections will lead to headaches.

IANAL.


First, thank you very much for your comment. Secondly, the anonymous person forgot to specifically highlight a certain detail:

- The entity affected by this vulnerability is NOT a trustworthy company, it is not even a registered company. The service is or was operated by individuals and not under its own registered business entity.

They obviously do not wish to describe this service any further, but they want to assure you that no sane person would ever subscribe to it, yet there are thousands of paying active users.

It sucks for these people, but as you say, they did something insane with their money. I agree with everyone else here who's recommended you speak to a lawyer and then back away. It might be uncomfortable because you (or they) seem fairly conscientious, but you won't change much anyway. Some people might withdraw and then do some other very risky thing with the money. Or maybe you trigger the service immediately closing shop with no withdrawals. Moreover, organized crime is alive and well in this area. Don't assume that because this is an online scam they are not connected. From the sound of it there are millions of dollars at stake for them, and at most a nagging feeling for you saying you should have done something. Or maybe making a name for yourself. In any case it's not worth it. Calling out a random unregistered Russian crypto "business" that people already know is shady won't do anything.