Coinbase's recent data breach is prompting renewed calls to remove Know Your Customer (KYC) requirements in licensed cryptocurrency exchanges.
Illicit actors bribed the exchange's overseas customer service agents in December 2024 to gain access to the personal information of 70,000 users. In May, Coinbase admitted that hackers had obtained data such as government-issued ID photos and home addresses.
"All this security theater needs to be abolished asap. Time and again it only benefits hackers and extortionists," said pseudonymous developer Banteg on X. "KYC actually enables crime."
However, it's not feasible for exchanges to simply turn their backs on KYC, as it is a regulatory mandate in several jurisdictions. Meanwhile, privacy-enhancing alternatives like zero-knowledge (ZK) proofs remain limited by cost and technical complexity.
KYC becomes flawed gatekeeper for Coinbase
Coinbase's latest data scandal places the Nasdaq-listed company on the spot. But the concern applies to all centralized crypto platforms operating under regulatory licenses worldwide. Centralized exchanges now collect and manage passport scans, government IDs, selfies or even utility bills from users who just want to trade.
KYC was designed to curb fraud, money laundering and terrorism financing. But in practice, it's everyday users who end up exposed while determined attackers find ways around the system.
"Anyone is able to generate a fake US passport or diploma from a leading law school. And 50% of businesses with identity checks are likely bypassable with generative AI," Ilia Kolochenko, CEO of cybersecurity company ImmuniWeb, told Cointelegraph.
In February 2024, it was reported that people can successfully bypass crypto exchange KYC verification walls by generating passports using AI. Then in October 2024, another AI service popped up to add a video generation tool to bypass crypto KYC checks.
In 2023, renowned blockchain detective ZachXBT shared details of a demonstration where he bypassed Gate.io's verification system using a fake identity under the name of North Korean leader "Kim Jong-Un." He said it took him just minutes to do so.
Lisa Loud, executive director of Secret Foundation, suspects that her personal data was included in Coinbase's breach due to the rising frequency of suspicious spam messages she has received.
"Just yesterday, I got five texts about Coinbase, saying someone was trying to access my 2FA or withdraw funds," Loud told Cointelegraph. "The whole point of Web3 is to move beyond the problems of Web2, not to repeat them."
In a financial sense, she considers herself lucky, as she doesn't hold much on the exchange. She's more concerned about her private information that illicit actors may have access to.
Coinbase highlights how Web2 KYC fails Web3 users
KYC was not designed with crypto in mind, but it's now a cornerstone of how regulators force the emerging industry to play by traditional rules.
"The problem is not that we're KYC-ing people; it's that we're doing it the Web2 way and not the new way," said Loud. "Their goal is to tighten their risk model. It makes sense from a business perspective – but it's completely unfair to users."
KYC practices originated in the 1970s under the US Bank Secrecy Act and were significantly strengthened after the 9/11 attacks through the USA PATRIOT Act under the "Customer Identification Program."
Crypto emerged much later but increasingly relies on identity verification. Illicit actors can buy stolen identities or KYC-verified accounts on darknet marketplaces, or use advanced tools, like AI, to bypass these verifications with minimal cost.
Some users have called for KYC to be scrapped and replaced with modern innovations, like zero-knowledge (ZK) tech. This would allow a party to prove to another that the information is true without the need to reveal underlying data. In theory, it can let regulators tick their compliance boxes while users keep their privacy.
"The problem is that exchanges and many Web3 companies are all doing KYC independently, over and over again. But if I could verify my identity once and then use that service to provide a zero-knowledge proof of identity, that would be so much better," Loud said.
Coinbase scandal won't push KYC away
Though modern blockchain-based solutions can improve privacy while verifying user identities, Kolochenko said KYC will continue to persist across borders despite its flaws.
"KYC is here to stay, and regulators won't lower the bar. If anything, they'll raise it. Without it, crypto risks becoming a tool for every imaginable crime," he said.
Despite the security incident, Kolochenko declined to classify it as a data breach, noting that customer information was stolen through the bribery of overseas Coinbase staff rather than through infrastructure damage or a technical vulnerability.
Regardless of what it's called, customers' data has been compromised. There's little they can do other than follow best practices to maintain a clean digital footprint.
Physical crime against crypto owners is on the rise.
"Turn on paranoid mode – in a good sense. Update everything. Enable 2FA. Never trust an incoming call asking for your seed phrase," Kolochenko said.
Loud is an advocate of ZK technology, which can enhance privacy while satisfying identity verification requirements. But even she admits that the technology cannot be implemented immediately due to its heavy computational needs and expenses.
While crypto users are left scrambling to reclaim their privacy, regulators and exchanges remain locked in a compliance-first mindset that demands submission of personal data.
Loud has been especially cautious since Coinbase's data leak, which she suspects she was also affected by. She is now considering changing the phone number she's had for over a decade, as it has suddenly become flooded with Coinbase-related spam messages.
The breach has also set off fears about user safety, as data on home addresses were included in the leak. TechCrunch and Arrington Capital founder Michael Arrington said on X that the leaked information may put users at physical risk.