Coinbase leak puts KYC in the limelight

The leak, shared by Coinbase on Thursday and documented in a K-8 filing, revealed how overseas support staff were corrupted by bad actors into stealing information, including home addresses, government IDs, and bank account details.

Several crypto executives took to X to call for know-your-customer (KYC) protocols to be scrapped following reports that leading U.S. exchange Coinbase (NASDAQ:COIN) had disclosed its staff were accepting bribes and leaking users’ personal data.

This new data leak, which was shared by Coinbase on Thursday and documented in a K-8 filing, saw how overseas-based support staff were corrupted by bad actors into stealing information—including home addresses, government I.D. and bank account details—which was then leaked to individuals planning to use it for social engineering scams designed to steal user funds.

This may yet cost Coinbase between $180 million and $400 million in reimbursements, while the exchange is also having to deal with the fallout from the Securities and Exchange Commission reportedly launching an investigation into whether the firm exaggerated its user numbers.

But to add further insult to injury, the CEO of crypto analytics firm Nansen, Alex Svanevik, called for Donald Trump to “dismantle” the KYC and anti-money-laundering (AML) “complex.”

Coinbase just proved again why centralized data honeypots are a disaster waiting to happen. KYC means handing over your identity to be leaked, sold, or extorted.The combination of data exposed here (real life addresses, crypto addresses and amount and real life id documents) is… pic.twitter.com/ZeOwpChZxO

— Alex (@alex_svt) August 25, 2023

KYC checks involve verifying a user’s identity via various pieces of documentation. This can include government I.D., passports and utility bills.

However, as Svanevik says, all this does is compromise personal data for regular people—at an immense personal cost and in an endeavor that practically no real criminals are ever likely to be caught by.

Coinbase leak puts KYC in the limelight

Svanevik is one of a number of high-profile crypto figures to criticize KYC measures. Indeed, Wintermute CEO Evgeny Gaevoy said that the fact Coinbase didn't disclose the leak sooner is "the dark side of the idiotic and nonsensical KYC/AML regime we live in."нон-sense. they could have disclosed it ealier

The good news is that the combo of data exposed here (real life addresses, crypto addresses and amount and real life id documents) is small enough that it seems like they're talking about a small number of targets. The bad news is that it seems like they're talking about a small number of targets.

This is a mashup of several news articles but I highly recommend reading the full K-8 filing, it's quite interesting and an interesting perspective on the events that unfolded.

Really interesting to see how the narrative is unfolding on the Coinbase K-8 filing. It seems like there's a common theme emerging: surprise at the lack of urgency from Coinbase to disclose the scam earlier. Here's a round-up of some reactions and analysis: pic.twitter.com/8jW8m67f8u

Bitcoin wallet firm Nunchuk_io, meanwhile, responded by calling it a disaster that "can happen to anyone."

"This is why we don’t collect KYC by default. It’s one more attack vector for people to use against you," added Nick Neuman, the CEO of wallet firm Casa.

Crypto sleuth ZachXBT has also criticized KYC protections in the past, and highlighted how criminals are able to buy accounts fitted with verified KYC credentials in order to bypass checks.

In 2023, Europol shuttered a criminal marketplace that sold the KYC credentials of over 2 million people. Some, however, like Gaevoy, believe KYC can still exist in the form of zero-knowledge proofs, a crypto-based technology that allows information to be verified without revealing the actual information enclosed.