For privacy-minded crypto users, there may be no three letters more dreaded than "KYC."
The acronym, shorthand for "know your customer," refers to the process of providing personally identifiable information, such as your name and address, to certain service providers, namely cryptocurrency exchanges. In many jurisdictions, including the U.S., it's required by law. And while it may be important, perhaps even crucial, in guarding against illegal activity, KYC comes with risks—both for the companies that collect the data and the individuals who provide it.
Earlier this week, Solana co-founder Raj Gokal and his wife were both doxxed by malicious actors demanding he pay 40 BTC (worth $4.3 million). Gokal says that the photos of his documentation came from a know-your-customer process, but didn't provide details.
Getting doxxed refers to having personal information published online, and in the worst of cases this can include home addresses or bank details. In the world of crypto, with a high number of anonymous and pseudonymous users, the doxxing bar can be as low as just someone’s real name or face. In Gokal’s case, it was photos of his government-issued ID, which included his home address.
This comes two weeks after the biggest centralized crypto exchange in the U.S., Coinbase, revealed it suffered a data breach, resulting in sensitive customer information falling into the hands of hackers. TechCrunch and Arrington Capital founder Michael Arrington predicted this would “lead to people dying,” as a wave of kidnapping attempts sweeps the industry.
Many have speculated that Gokal’s doxxing came as a result of the Coinbase breach, although it hasn’t been confirmed. The incident, nevertheless, has made crypto users wary of being forced to identify themselves to exchanges.
always remember to dress up smart for your KYC photos.
you never know what kind of reach they might get on social media
— raj 🖤 (@rajgokal) May 27, 2025
After all, KYC processes can often involve requiring users to provide photos of their passport, proof of address, and a photo of themselves holding an ID. And with crypto kidnappings on the rise—following a number of high-profile cases in France, the U.S., and elsewhere—users are fearful that hackers could steal their KYC information and lead attackers to their front doors.
“When a platform collects too much KYC, it becomes a target," Nick Vaiman, co-founder and CEO of Bubblemaps, told Decrypt. "Once attackers get access to that data, they can launch highly targeted phishing attacks, or worse, use your personal info to find you in real life and rob you directly,” he said. “KYC data creates risk. The more data you hold, the bigger the target you become.”
But a future without KYC simply isn’t realistic, said Bubblemaps co-founder and COO Arnaud Droz. As such, it's likely to continue as perhaps a "necessary evil" to prevent on-chain criminal activity.

“KYC is a crucial tool not just for regulatory compliance, but for crime prevention,” Slava Demchuk, CEO of compliance firm AMLBot, told Decrypt. “While sophisticated criminals may still find ways around it, KYC introduces friction that makes their operations harder—and when paired with other [anti-money laundering] measures like transaction monitoring and screening, it becomes a powerful defense.”
Due to this important function, KYC is required by law in most jurisdictions. That includes the U.S., which requires it under the USA Patriot Act of 2001.
Despite its virtues, a growing number of industry leaders have vocally pushed back against KYC requirements following the Coinbase hack. Erik Voorhees, founder of cryptocurrency exchange ShapeShift, called state-enforced KYC a crime on social media. Coinbase CEO Brian Armstrong agreed with him.
“The core issue is that if you’re a scammer, it’s not hard to bypass the system,” Vaiman added. “You can simply buy fake KYC or use someone else’s. And with the rise of AI, generating fake identities is becoming even easier, making the entire system weak. KYC doesn’t stop bad actors and creates friction for honest users,” he said.
But if the system, though necessary, is flawed, then what can be done about it?
“We're seeing innovative solutions like zero-knowledge privacy and theoretical zero-knowledge-KYC implementations,” Jeff Feng, co-founder of layer-1 blockchain developer Sei Labs, told Decrypt. “But we have to be realistic—financial systems need safeguards against illicit activity.”
Zero-knowledge proofs, often called ZK-proofs, are a type of cryptography that allows a user to prove something, such as proving they don't live within a sanctioned country, without revealing the information directly to the receiver.
Demchuk of AMLBot believes ZK-KYC is a great privacy-preserving feature but would be very hard to implement, since it would require significant regulatory changes in the E.U., for instance. That’s because GDPR regulations require data controllers, an exchange in this case, to store data related to the KYC process for five years. ZK-KYC would prevent the exchange from ever touching the data, let alone storing it for five years.

Regardless of how the industry evolves on KYC, some users believe that the issue is emblematic of a more existential problem.
“The ability to transact anonymously is bedrock to cryptocurrency as a revolutionary technology resisting the invasive state,” Charlotte Fang, the pseudonymous founder of Remilia Corporation, told Decrypt. "Crypto as an industry has strayed from the basic premises of the cypherpunk movement, not just in KYCs by exchanges in their pursuit for adoption, but as a culture."
Privacy advocates believe in complete anonymity when transacting on blockchain networks, while regulators continue to fight against this. Then again, with the U.S. Treasury lifting sanctions on the privacy-preserving Ethereum coin mixer Tornado Cash earlier this year, it's possible that the tides—at least in D.C.—could be turning.