If you run a full mining node, blacklist the whitelist.
You're assuming the white-list will be public. It needn't be.
The alternative is to give up on "law abiding businesses"
How would you know in advance which business are helping the thugs create their whitelist and which are not? It's not like they need to publicly advertise it.