[_jvqm]

First, thank you very much for your comment, secondly, the anonymous person has forgotten to specifically highlight a certain detail

- The entity affected by this vulnerability is NOT a trustworthy company, it is not even a registered company. The service is or was operated by individuals and not under its own registered business entity.

They obviously do not wish to describe this service any further, but they want to assure you that no sane person would ever subscribe to it, yet there are thousands of paying active users.

[rad88]

It sucks for these people, but as you say, they did something insane with their money. I agree with everyone else here who's recommended you speak to a lawyer and then back away. It might be uncomfortable because you (or they) seem fairly conscientious, but you won't change much anyway. Some people might withdraw and then do some other very risky thing with the money. Or maybe you trigger the service immediately closing shop with no withdrawals. Moreover, organized crime is alive and well in this area. Don't assume that because this is an online scam they are not connected. From the sound of it there are millions of dollars at stake for them, and at most a nagging feeling for you saying you should have done something. Or maybe making a name for yourself. In any case it's not worth it. Calling out a random unregistered Russian crypto "business" that people already know is shady won't do anything.