Coinbase Data Scandal Sparks Calls to Scrap KYC

A recent data breach at Coinbase has exposed 70,000 users' personal data, prompting renewed calls to rethink crypto's Know Your Customer (KYC) systems. In the breach, which occurred in December 2024, illicit actors bribed the exchange's overseas customer service agents to gain access to sensitive user information.

Coinbase's recent data scandal is just the latest in a series of high-profile breaches that have highlighted the flaws in crypto's KYC systems. While designed to curb fraud, money laundering, and terrorism financing, these systems often end up exposing everyday users to risk. "All this security theater needs to be abolished asap. Time and again it only benefits hackers and extortionists," said pseudonymous developer Banteg on X.

"KYC actually enables crime," Banteg added. However, it's not feasible for exchanges to simply turn their backs on KYC, as it is a regulatory mandate in several jurisdictions. Privacy-enhancing alternatives like zero-knowledge (ZK) proofs remain limited by cost and technical complexity.

The Flaws of KYC

KYC was designed to curb fraud, money laundering, and terrorism financing, but in practice, it's often the everyday users who end up exposed. "Anyone is able to generate a fake US passport or diploma from a leading law school. And 50% of businesses with identity checks are likely bypassable with generative AI," Ilia Kolochenko, CEO of cybersecurity company ImmuniWeb, told Cointelegraph.

In February 2024, it was reported that people could bypass crypto exchange KYC verification by generating passports with AI. Then in October 2024, another AI service appeared, adding a video generation tool to bypass crypto KYC checks. Both reports highlight the ongoing challenges with KYC systems and the need for more effective solutions.

A Call to Scrap KYC

Some users have called for KYC to be scrapped and replaced with modern innovations, like zero-knowledge (ZK) tech. A ZK proof allows one party to prove to another that a piece of information is true without revealing the underlying data. "The problem is that exchanges and many Web3 companies are all doing KYC independently, over and over again. But if I could verify my identity once and then use that service to provide a zero-knowledge proof of identity, that would be so much better," Lisa Loud, executive director of Secret Foundation, said.

Loud is an advocate of ZK technology, which can enhance privacy while satisfying identity verification requirements. However, even she admits that the technology cannot be implemented immediately due to its heavy computational needs and expenses.

The Future of KYC

Despite the security incident, Kolochenko said KYC will persist across borders, flaws and all. "KYC is here to stay, and regulators won't lower the bar. If anything, they'll raise it. Without it, crypto risks becoming a tool for every imaginable crime," he said.

However, this raises questions about the effectiveness of KYC systems in protecting users' privacy. TechCrunch and Arrington Capital founder Michael Arrington said on X that the leaked information may put users at physical risk. The breach has also set off fears about user safety, as home addresses were included in the leak.

"Turn on paranoid mode — in a good sense. Update everything. Enable 2FA. Never trust an incoming call asking for your seed phrase," Kolochenko advised. While crypto users are left scrambling to reclaim their privacy, regulators and exchanges remain locked in a compliance-first mindset that demands submission of personal data.