by fy20 1491 days ago
One thing a lot of white hat wannabes don't seem to understand is that for some vulnerabilities it's not worth the risk of reporting them. There was an article here a few months ago about someone who found a vulnerability with a bank, they reported it to their boss, and they got fired.

To me this definitely feels like it falls into that category. You said the site is really shady to begin with. You are not responsible for the people who are stupid enough to sign up in the first place, so yes, you can have a clear conscience by just ignoring it.

Let's pretend it's a less shady site and doesn't involve crypto millions, and you want to report it: I'd look to see if they have a security reporting policy. If they don't, I'd send a vague email ("Hello, I think I found a security vulnerability on your site, can you put me in touch with the right person to report it to?") to their main contact address (info@, support@, whatever) and see what the response is. If you get an angry response or a lawyer or just no response, then it's time to forget it. If you get a developer who sounds like they understand you, then you can proceed.