Coinbase Data Breach Fuels Debate on KYC Requirements

Coinbase’s recent data breach has sparked renewed calls to remove Know Your Customer (KYC) requirements in licensed cryptocurrency exchanges. In December 2024, illicit actors bribed the exchange’s overseas customer service agents to gain access to the personal information of 70,000 users. In May, Coinbase admitted that hackers had obtained data such as government-issued ID photos and home addresses.

Critics argue that KYC requirements, designed to curb fraud, money laundering, and terrorism financing, have become a flawed gatekeeper. In practice, everyday users end up exposed while determined attackers find ways around the system. Ilia Kolochenko, CEO of a cybersecurity company, noted that anyone can generate a fake US passport or diploma from a leading law school, and 50% of businesses with identity checks are likely bypassable with generative AI. In February 2024, it was reported that people can successfully bypass crypto exchange KYC verification walls by generating passports using AI. Then in October 2024, another AI service popped up to add a video generation tool to bypass crypto KYC checks.

In 2023, a renowned blockchain detective shared details of a demonstration where he bypassed Gate.io’s verification system using a fake identity under the name of a North Korean leader. He said it took him just minutes to do so. This test of weak KYC verification wasn’t a one-off, highlighting the vulnerabilities in the current system. Lisa Loud, executive director of a foundation, suspects that her personal data was included in Coinbase’s breach due to the rising frequency of suspicious spam messages she has received. She considers herself lucky in a financial sense, as she doesn’t hold much on the exchange, but she is more concerned about her private information that illicit actors may have access to.

KYC practices originated in the 1970s under the US Bank Secrecy Act and were significantly strengthened after the 9/11 attacks through the USA PATRIOT Act under the “Customer Identification Program.” Crypto emerged much later but increasingly relies on identity verification. Illicit actors can buy stolen identities or KYC-verified accounts on darknet marketplaces, or use advanced tools, like AI, to bypass these verifications with minimal cost. Some users have called for KYC to be scrapped and replaced with modern innovations, like zero-knowledge (ZK) tech. This would allow a party to prove to another that the information is true without the need to reveal underlying data. In theory, it can let regulators tick their compliance boxes while users keep their privacy.

Despite the security incident, Kolochenko said KYC will continue to persist across borders despite its flaws. “KYC is here to stay, and regulators won’t lower the bar. If anything, they’ll raise it. Without it, crypto risks becoming a tool for every imaginable crime,” he said. He declined to classify it as a data breach, noting that customer information was stolen through the bribery of overseas Coinbase staff rather than through infrastructure damage or a technical vulnerability. Regardless of what it’s called, customers’ data has been compromised. There’s little they can do other than follow best practices to maintain a clean digital footprint.

Loud is an advocate of ZK technology, which can enhance privacy while satisfying identity verification requirements. But even she admits that the technology cannot be implemented immediately due to its heavy computational needs and expenses. While crypto users are left scrambling to reclaim their privacy, regulators and exchanges remain locked in a compliance-first mindset that demands submission of personal data. Loud has been especially cautious since Coinbase’s data leak, which she suspects she was also affected by. She is now considering changing the phone number she’s had for over a decade, as it has suddenly become flooded with Coinbase-related spam messages. The breach has also set off fears about user safety, as data on home addresses were included in the leak. This may put users at physical risk.