KYC Is Outdated Security Theater

Every company that collects your identity documents is making a bet. They're betting they won't get hacked. They're betting their third-party vendors won't get hacked. They're betting that insider threats don't exist. They're betting that the data they collected "for your security" won't be used against you.

History shows that this bet has losing odds.

The argument for KYC (Know Your Customer) is always the same: "We need your government ID, your selfie, your home address, and your phone number... for security." This is total backwards logic.

Collecting sensitive identity documents doesn't make users safer. It makes them targets. It creates honeypots that hackers, insiders, and state actors actively seek to exploit. And when those honeypots inevitably breach? The people who handed over their data pay the price.

Let me show you exactly how bad it's gotten.

The Breach Hall of Fame

These aren't hypotheticals. These aren't "what ifs." This is what happens when companies collect identity documents they don't need.

Discord (October 2025)

Discord collected government IDs for age verification. A third-party vendor got compromised. Result: 70,000 government ID photos exposed. The hackers claimed to have over 2.1 million passport and driver's license images and demanded ransom.

The Electronic Frontier Foundation's released a blunt statement at the beginning of the year: "Mandatory age verification tools are surveillance systems that threaten everyone’s rights to speech and privacy, and introduce more harm than they seek to combat."

Discord's defense? "It wasn't us, it was a third party." As if that matters to the people whose passports are now on hacker forums.

548

Ledger (2020) : "When it got Physical"

Ledger, the cryptocurrency hardware wallet company, collected customer shipping addresses for order fulfillment. Reasonable enough - until they got breached.

1.1 million email addresses and 272,000 records with full names, phone numbers, and home addresses leaked. The data was dumped publicly online. Here's what happened next:

- Victims received threatening messages demanding $700-$1,000 in Bitcoin, warning that refusal could lead to home invasions
- Some customers and even Ledger executives faced attempted home invasions and kidnapping risks
- Victims started receiving tampered hardware wallets in the mail

The breach cost Ledger over $33 million in remediation. The cost to users? Incalculable. I would bet some are still being targeted years later.

Coinbase (2024-2025)

In December 2024, hackers bribed a Coinbase employee in India to leak sensitive customer data. 70,000 customers affected. Estimated cost: up to $400 million.

The stolen data included government-issued IDs, home addresses, and other KYC documents. A former customer service agent was arrested, but the data is already out there, might as well give a medal to the responsible employee instead of arresting them.

This wasn't a sophisticated zero-day exploit. It was someone with access getting bribed. Every company with KYC data has employees with access.

MobiKwik (2021) : "The Largest KYC Leak in History"

A white hat hacker discovered what they called "probably the largest KYC data leak in history": 8.2 terabytes of data from the Indian mobile payment app.

The haul included:

ID scans, passports, Aadhar cards, PAN cards
Selfies used for identity verification
Emails, phone numbers, addresses
99 million records with GPS locations and apps installed
3 million merchant KYC documents

All of it was for sale on hacking forums for 1.5 BTC.

Hetzner (2017, 2018, and counting)

The hosting company that requires extensive KYC has been breached twice in a single year. Customer data exposed included:

Names, email addresses, phone numbers
Physical addresses
Identity numbers
Bank account numbers
VAT numbers

Their breach history goes back to at least 2013. And they're still requiring all that data from new customers.

The List Goes On

More KYC Disasters:

• Transak (2024): 92,554 users' government IDs and selfies stolen
  via phishing attack on ONE employee
  Source

• Indian Financial Institutions (2025): 500GB of KYC data exposed
  through a misconfigured storage bucket
  Source

• UK KYC Documents (2025): 1GB of selfies, IDs, passports,
  driver's licenses dumped on dark web forums
  Source

• Signzy (2024): Major KYC provider breached, customer data
  from banks appeared on dark web
  Source

• NCX Exchange (2025): 2+ million records leaked including
  KYC documents and internal keys
  Source

• Binance (2019): 10,000+ KYC photos allegedly stolen,
  hacker demanded 300 BTC ransom
  Source

• MOVEit Hack (2023): 2.85 million KYC records stolen
  from 60 banks in a single attack
  Source

Notice a pattern? It's not IF your KYC data gets leaked. It's WHEN.

Destroying the "Security" Argument

The standard defense of KYC goes something like this: "We collect this data to protect you from fraud and ensure platform security."

Let's examine that claim.

Claimed Purpose          | Actual Result
-------------------------|------------------------------------------
"Prevent fraud"          | Creates fraud vectors via data breaches
"Account security"       | Enables account takeover via leaked data
"Verify identity"        | Identities get stolen and misused
"Regulatory compliance"  | User data becomes regulatory liability
"Protect users"          | Users get extorted, phished, robbed

The Pattern:
1. Company collects KYC data "for security"
2. Company stores KYC data (or gives it to third party)
3. Breach occurs (hack, insider threat, misconfiguration)
4. Users' "secure" data is now in criminal hands
5. Users face identity theft, phishing, physical threats
6. Company issues apology, offers credit monitoring
7. Repeat

In 2024, finance overtook healthcare as the most hacked industry, accounting for about 152 million data breach records. More than 60% of compliance officers now report data breaches as a top stressor.

On top of this, I can't help but bring up the following argument : KYC doesn't stop sophisticated criminals. 404 Media reported that half of identity checks can now be bypassed with AI-generated fake IDs.

KYC catches honest people. Criminals use synthetic identities, stolen documents, and AI-generated faces. The system punishes the legitimate users while barely inconveniencing the bad actors.

Destroying the "Law Enforcement" Argument

The second argument is always: "If we didn't collect KYC, what would we do when law enforcement asks for customer information?"

I brought this up in a previous post, and here am I bringing it up again : this is where the Mullvad story becomes relevant.

In April 2023, Swedish police raided Mullvad VPN's offices with a search warrant. They wanted user data. Customer information. Connection logs. Anything they could get.

They left empty-handed.

Not because Mullvad refused to cooperate. Not because they destroyed evidence. But because there was no data to give. Mullvad's entire identity system is a randomly generated account number. No email. No name. No records. The architecture made compliance impossible.

Lesson: You can't leak what you don't collect.

Companies such as Hetzner and Discord don't have to go around requesting personal information from their customers. If abuse and bots are a problem on their platform, the solutions are simple :

Abuse on Hetzner servers / IP ranges : Process abuse reports and/or close customer account. End of story.
Bots on Discord : Encourage users to report spam and pay humans to review those abuse reports. And don't come complaining when your automated moderator AI starts banning people for false reports, I did say pay humans to review the reports, but that's a story for another day.

Law enforcement has plenty of tools. They don't need every cloud provider to become an identity honeypot. The companies that require extensive KYC aren't doing it because law enforcement demands it, they're probably doing it because they can't be arsed to update their platforms, even after being proven time and time again that KYC is a huge liability and nearly useless.

The Honeypot Problem

Here's the fundamental issue that KYC proponents refuse to address:

Every database of identity documents is a target. The more valuable the data, the bigger the target. Government IDs, passports, and biometric selfies are the most valuable data that exists.

When you require KYC, you're not just storing data. You're painting a bullseye on your infrastructure. Hackers, insiders, and state actors all want what you're holding.

And it's not just external threats. The Coinbase breach happened because someone got bribed. The data exists, so it can be sold. The 2025 Verizon Data Breach Investigations Report found that 30% of breaches now involve third-party vendors.

You can have the best security team in the world. You can encrypt everything. You can audit constantly. But you cannot eliminate:

Insider threats (employees can be bribed, blackmailed, or go rogue)
Third-party vendor risks (you're only as secure as your weakest vendor)
Zero-day exploits (new vulnerabilities are discovered constantly)
Social engineering (humans are always the weakest link)
State-level actors (some adversaries have unlimited resources)

The only way to eliminate the risk of leaking identity documents is to not collect them in the first place.

The Real Consequences

Let's talk about what actually happens to real people when their KYC data leaks:

From the Ledger breach:

"We know you have Bitcoin. We know where you live.
Pay us $800 or we're coming to your house."

— Actual extortion message sent to Ledger customers

From leaked KYC data in general:

• Identity theft (opening fraudulent accounts in your name)
• SIM swapping attacks (taking over your phone number)
• Targeted phishing (attackers know exactly what services you use)
• Physical robbery (they know you have crypto AND where you live)
• Synthetic identity fraud (your documents used to create fake identities)
• Bypassing KYC on other platforms (using YOUR stolen docs)
• Long-term surveillance (your data never expires)

"Wrench attacks" — physical robberies targeting cryptocurrency holders — are on the rise in 2025. Criminals are using leaked KYC data to identify targets and locate their homes. Unlike a hacked password, you can't change your face or your fingerprints.

When a password leaks, you change it. When your government ID leaks, you're compromised for life.

What Real Security Looks Like

Here's the alternative that privacy-respecting services have proven works:

The No-KYC Architecture:

Authentication:
- Random credential (account number, API key, etc.)
- No email (can't be phished, can't be leaked)
- No phone (can't be SIM swapped)
- No identity documents (can't be stolen)

What gets stored:
- Credential hash
- Account balance/status
- Active services

What doesn't get stored:
- Real name
- Email address
- Phone number
- Physical address
- Government ID
- Selfies
- IP logs
- Usage analytics

Result when breached:
- Random hashed strings leak
- No identity connection
- Nothing to extort with
- No physical threats possible

This isn't theoretical. Mullvad has been operating this way for years. When they got raided, users were protected not by Mullvad's security team, but by the architecture itself.

The best data protection is data minimization.

The Trade-Off They Won't Tell You About

Every service that requires KYC is making an implicit trade-off on your behalf:

"We're trading your long-term security for our short-term convenience."

E-mails are a "pseudo-standard" for registration on online platforms, But even after thousands of data breaches, it seems like most platforms have not learned their lesson. It's easier to demand a phone number than to implement proper 2FA. It's easier to collect government IDs than to accept the legal complexity of not having them.

But "easier for the company" isn't the same as "better for the user."

Yes, credential-based systems have trade-offs. Lose your credential, lose your account. No recovery process. No "verify your identity" workflow. That's the cost of actual privacy.

But consider the alternative: Give up your government ID, and when (not if) it leaks, deal with identity theft for the rest of your life. Get extortion emails. Wonder if someone's going to show up at your door.

I know which trade-off I'd choose.

The Bottom Line

KYC is outdated security theater that makes users less safe.
Every database of identity documents will eventually breach.
The only winning move is not to collect the data.

Companies that require your government ID, your selfie, your home address "for security" are creating the very vulnerabilities they claim to prevent. They're building honeypots and calling it compliance. They're collecting ammunition against their own users and calling it protection.

Real security isn't about collecting more data. It's about collecting less. It's about building systems that can't betray users even when they fail. It's about architecture that makes breaches meaningless.

Stop giving your identity to companies that will eventually lose it.

Everything else is just waiting for your passport to show up on a hacker forum.