Is KYC Really That Safe?
KYC – Know Your Customer – is the customer verification process that lets your bank or crypto exchange know who you are. It is supposed to protect you from bad actors and to let authorities track transactions, but the recent hack of Coinbase, in which criminals bribed and recruited a group of rogue overseas support agents to steal customer data, is a worrying example of how things can go wrong.
In a statement this week, Coinbase said it received an email from an unknown source demanding $20 million to keep the breach of its internal data secret. Coinbase refused to pay the ransom demand. “Instead, we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.”
The leaked data was then used for social engineering attacks: impersonation, deception and psychological manipulation intended to get victims to divulge confidential information such as bank account numbers and passwords.
eSecurity Planet says Coinbase disclosed in a US Securities and Exchange Commission (SEC) 8-K filing that the breach could cost the company between $180 million and $400 million in remediation and “voluntary customer reimbursements.”
To prevent future incidents, the company has announced a series of measures:
- A new support hub to be opened in the US
- Stronger security controls and monitoring
- Extra ID checks and scam-awareness prompts for suspicious accounts
- Increased investment in insider threat detection
This is the problem when you have a centralised hub for customer data. Coinbase requires re-verification every three months, and that exposes customer data repeatedly.
One proposed solution is Decentralised Identifiers (DIDs) together with Self-Sovereign Identity (SSI). DIDs let users control their identity through cryptographic keys, with data stored on decentralised networks rather than on centralised servers. SSI lets users share only the data that is actually needed, such as age, without handing over their full ID.
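To make the "share only what is needed" idea concrete, here is an added example (written for this post, not code from any DID or SSI project): an issuer signs only salted hashes of a customer's KYC attributes, the holder forwards just the disclosure for one attribute, and the relying party checks it against the issuer's signature without ever seeing the rest. It uses only Go's standard library; the attribute names, the 16-byte salt and the salted-digest layout are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"sort"
)

// Disclosure is one attribute plus the salt that hides it; the holder keeps all of them and shows a verifier only some.
type Disclosure struct{ Salt []byte; Name, Value string }
// Credential is the issuer-signed part: salted digests (sorted, so the signed bytes hide attribute order) and a signature.
type Credential struct{ Digests [][]byte; Sig []byte }

// digest binds salt, name and value; the fixed-length salt and 0-byte separators make the input parse
// uniquely (attribute names must not contain NUL).
func digest(d Disclosure) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{d.Salt, []byte(d.Name), []byte(d.Value)}, []byte{0}))
	return sum[:]
}

// Issue runs at the issuer, the party that checked the identity documents once; it signs digests only.
func Issue(priv ed25519.PrivateKey, attrs map[string]string) (Credential, []Disclosure) {
	c, held := Credential{}, []Disclosure{}
	for name, value := range attrs {
		d := Disclosure{Salt: make([]byte, 16), Name: name, Value: value} // assumed 16-byte random salt
		rand.Read(d.Salt)
		held = append(held, d)
		c.Digests = append(c.Digests, digest(d))
	}
	sort.Slice(c.Digests, func(i, j int) bool { return bytes.Compare(c.Digests[i], c.Digests[j]) < 0 })
	c.Sig = ed25519.Sign(priv, bytes.Join(c.Digests, nil))
	return c, held
}

// Verify runs at the relying party, which receives the credential plus only the disclosures the holder
// chose: check the issuer's signature, then that each shown attribute hashes to a signed digest.
func Verify(pub ed25519.PublicKey, c Credential, shown []Disclosure) (map[string]string, bool) {
	if !ed25519.Verify(pub, bytes.Join(c.Digests, nil), c.Sig) {
		return nil, false
	}
	revealed := map[string]string{}
	for _, d := range shown {
		want := digest(d)
		if i := sort.Search(len(c.Digests), func(k int) bool { return bytes.Compare(c.Digests[k], want) >= 0 }); i == len(c.Digests) || !bytes.Equal(c.Digests[i], want) {
			return nil, false // altered value, wrong salt, or an attribute the issuer never signed
		}
		revealed[d.Name] = d.Value
	}
	return revealed, true
}
```

The relying party ends up holding only the attributes the customer chose to reveal, so a breach on its side cannot leak the rest.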
While no passwords or private keys were accessed, the attackers obtained full names, addresses, contact details, partial Social Security and bank account numbers, and identity documents, wrote Susie Ward of Bitcoin Policy UK. “This is the kind of data that can be weaponised for identity theft, fraud, or worse.”
“While KYC and compliance frameworks are presented as security features, they often do the opposite. They create massive, centralised honeypots of personal data that can and do get breached, sold, or exploited.”
We’ve seen what can happen when that data gets into the wrong hands, Ward goes on to explain. Earlier this year, David Balland, the co-founder of Ledger, was kidnapped along with his wife. His captors cut off one of his fingers and sent it to a business associate to demand crypto ransom. He was rescued by French special forces, but the message was clear: real-world consequences are now linked to digital identity exposure. A ransom in cryptocurrency was paid during the kidnapping of the Ledger co-founder, but quickly recouped by investigators, according to Reuters.
“We need better solutions that don’t force users to sacrifice privacy and safety for access.”
Compliance shouldn’t come at the cost of security.
French crypto exchange Paymium has criticised European regulations such as the international "travel rule", which requires data to be collected about the source and recipient of crypto transfers. Meanwhile, crypto bosses are reported to be taking security into their own hands and hiring bodyguards (Reuters).
Contact 80eight. If making or moving money (including bitcoin or stablecoins) is your game, we’ve got you covered. Let us guide you on your journey to debt-free prosperity.