Thursday, June 5, 2025

Coinbase data hack sparks calls to scrap KYC

Coinbase’s recent data breach is prompting renewed calls to remove Know Your Customer (KYC) requirements at licensed cryptocurrency exchanges.

Illicit actors bribed the exchange’s overseas customer support agents in December 2024 to gain access to the personal information of 70,000 customers. In May, Coinbase admitted that hackers had obtained data such as government-issued ID photos and residential addresses.

“All this safety theater wants to be abolished asap. Repeatedly it solely advantages hackers and extortionists,” said pseudonymous developer Banteg on X. “KYC really permits crime.”

Nonetheless, it’s not possible for exchanges to simply turn their backs on KYC, as it’s a regulatory mandate in several jurisdictions. Meanwhile, privacy-enhancing solutions like zero-knowledge (ZK) proofs remain limited by cost and technical complexity.

The major data scandal barely dented Coinbase’s stock performance in May. Source: Nasdaq

KYC becomes flawed gatekeeper for Coinbase

Coinbase’s latest data scandal puts the Nasdaq-listed company on the spot. But the issue applies to all centralized crypto platforms operating under regulatory licenses worldwide. Centralized exchanges now collect and manage passport scans, government IDs, selfies and even utility bills from users who just want to trade.

KYC was designed to curb fraud, money laundering and terrorism financing. But in practice, it’s everyday users who end up exposed while determined attackers find ways around the system.

“Anybody is in a position to generate a faux US passport or diploma from a leading law school. And 50% of companies with id checks are seemingly bypassable with generative AI,” Ilia Kolochenko, CEO of cybersecurity firm ImmuniWeb, told Cointelegraph.

In February 2024, it was reported that people can successfully bypass crypto exchange KYC verification walls by generating passports using AI. Then in October 2024, another AI service popped up to add a video generation tool to bypass crypto KYC checks.

In 2023, renowned blockchain detective ZachXBT shared details of a demonstration where he bypassed Gate.io’s verification system using a fake identity under the name of North Korean leader “Kim Jong-Un.” He said it took him just minutes to do so.

The crypto detective’s test of weak KYC verification wasn’t a one-off. Source: ZachXBT

Lisa Loud, executive director of Secret Foundation, suspects that her personal data was included in Coinbase’s breach due to the growing frequency of suspicious spam messages she has received.

“Simply yesterday, I received 5 texts about Coinbase, saying somebody was making an attempt to access my 2FA or withdraw funds,” Loud told Cointelegraph. “The entire point of Web3 is to move past the issues of Web2, not to repeat them.”

In a financial sense, she considers herself lucky, as she doesn’t hold much on the exchange. She’s more concerned about her personal information that illicit actors may have access to.

Coinbase highlights how Web2 KYC fails Web3 users

KYC was not designed with crypto in mind, but it’s now a cornerstone of how regulators force the emerging industry to play by traditional rules.

“The issue is not that we’re KYC-ing folks; it’s that we’re doing it the Web2 way and not the new way,” said Loud. “Their aim is to tighten their risk model. It makes sense from an enterprise perspective — but it’s fully unfair to customers.”

KYC practices originated in the 1970s under the US Bank Secrecy Act and were significantly strengthened after the 9/11 attacks by the USA PATRIOT Act under the “Customer Identification Program.”

Crypto emerged much later but increasingly relies on identity verification. Illicit actors can buy stolen identities or KYC-verified accounts on darknet marketplaces, or use advanced tools, like AI, to bypass these verifications at minimal cost.

A study checks 300 dark web links to find 12 sites selling KYC-verified accounts on money transfer platforms. Source: CertiK

Some users have called for KYC to be scrapped and replaced with modern innovations, like zero-knowledge (ZK) tech. This would allow one party to prove to another that the information is true without the need to reveal the underlying data. In theory, it could let regulators tick their compliance boxes while users keep their privacy.

The data leak at one of the most mature crypto exchanges sparked a rally against KYC practices. Source: Francisco Calderón

“The issue is that exchanges and plenty of Web3 firms are all doing KYC independently, time and again. But if I could confirm my identity once and then use that service to present a zero-knowledge proof of identity, that would be so much better,” Loud said.

Coinbase scandal won’t push KYC away

Although modern blockchain-based solutions can improve privacy while verifying user identities, Kolochenko said KYC will continue to persist across borders despite its flaws.

“KYC is here to stay, and regulators won’t lower the bar. If anything, they’ll raise it. Without it, crypto risks becoming a tool for every conceivable crime,” he said.

Despite the security incident, Kolochenko declined to classify it as a data breach, noting that customer information was stolen through the bribery of overseas Coinbase employees rather than through infrastructure damage or a technical vulnerability.

Regardless of what it’s called, customers’ data has been compromised. There’s little they can do other than follow best practices to maintain a clean digital footprint.

Physical crime against crypto owners is on the rise.

“Activate paranoid mode — in a good sense. Update everything. Enable 2FA. Never trust an incoming call asking for your seed phrase,” Kolochenko said.

Loud is an advocate of ZK technology, which can enhance privacy while satisfying identity verification requirements. But even she admits that the technology can’t be implemented immediately due to its heavy computational needs and expenses.

While crypto users are left scrambling to reclaim their privacy, regulators and exchanges remain locked in a compliance-first mindset that demands submission of personal data.

Loud has been particularly cautious since Coinbase’s data leak, which she suspects she was additionally affected by. She is now contemplating altering the cellphone quantity she’s had for over a decade, because it has abruptly develop into flooded with Coinbase-related spam messages.

The breach has also set off fears about user safety, as home addresses were included in the leak. TechCrunch and Arrington Capital founder Michael Arrington said on X that the leaked information could put users at physical risk.
