Solana Co-Founder Doxxed After KYC Data Leak

Privacy-conscious crypto users often dread the acronym "KYC," which stands for "know your customer." This process involves providing personally identifiable information, such as names and addresses, to cryptocurrency exchanges, a requirement in many jurisdictions, including the U.S. While KYC is crucial for preventing illegal activities, it poses risks for both companies collecting the data and individuals providing it.

Earlier this week, Solana co-founder Raj Gokal and his wife were doxxed by malicious actors demanding 40 BTC (worth $4.3 million). Gokal revealed that the photos of his documentation came from a know-your-customer process, although he did not provide specific details. Doxxing involves publishing personal information online, which can include home addresses or bank details. In the crypto world, even a real name or face can be enough to doxx someone. In Gokal’s case, it was photos of his government-issued ID, which included his home address.

This incident follows a data breach at Coinbase, the largest centralized crypto exchange in the U.S., where sensitive customer information was compromised. The breach has raised concerns among crypto users about the security of their personal information when interacting with exchanges. Many speculate that Gokal’s doxxing may be linked to the Coinbase breach, although this has not been confirmed. The incident has heightened fears among users about the risks associated with KYC processes.

KYC processes often require users to submit photos of their passport, proof of address, and a photo of themselves holding an ID. With crypto kidnappings on the rise, users are increasingly worried that hackers could steal their KYC information and use it to target them. Nick Vaiman, co-founder and CEO of Bubblemaps, highlighted the risks, stating that platforms collecting too much KYC data become attractive targets for attackers. Once attackers gain access to this data, they can launch targeted phishing attacks or even use the information to find and rob individuals in real life.

Despite the risks, a future without KYC is not realistic, according to Bubblemaps co-founder and COO Arnaud Droz. KYC remains a "necessary evil" to prevent on-chain criminal activity. Slava Demchuk, CEO of compliance firm AMLBot, emphasized that KYC is a crucial tool for regulatory compliance and crime prevention. While sophisticated criminals may find ways around it, KYC introduces friction that makes their operations harder. When paired with other anti-money laundering measures, it becomes a powerful defense.

KYC is required by law in most jurisdictions, including the U.S., under the USA Patriot Act of 2001. However, following the Coinbase hack, industry leaders have vocally pushed back against KYC requirements. Erik Voorhees, founder of cryptocurrency exchange ShapeShift, called state-enforced KYC a crime on social media, a sentiment echoed by Coinbase CEO Brian Armstrong. Vaiman added that the system is flawed because scammers can bypass it by using fake KYC or someone else’s information. With the rise of AI, generating fake identities is becoming easier, making the entire system weak and creating friction for honest users.

Innovative solutions like zero-knowledge privacy and theoretical zero-knowledge-KYC implementations are being explored. Zero-knowledge proofs, or ZK-proofs, allow users to prove something without revealing the information directly to the receiver. Demchuk believes ZK-KYC is a great privacy-preserving feature but would be hard to implement due to significant regulatory changes required, such as those in the E.U. under GDPR regulations.

Some users view the KYC issue as emblematic of a more existential problem within the crypto industry. Charlotte Fang, the pseudonymous founder of Remilia Corporation, argued that the ability to transact anonymously is fundamental to cryptocurrency as a revolutionary technology resisting invasive state control. The industry has strayed from the basic premises of the cypherpunk movement, not just in KYCs by exchanges but as a culture. Privacy advocates believe in complete anonymity in transacting on blockchain networks, while regulators continue to fight against this. However, with the U.S. Treasury lifting sanctions on the privacy-preserving Ethereum coin mixer Tornado Cash earlier this year, there may be a shift in regulatory attitudes towards privacy in the crypto space.