Know Your Customer (KYC)
Privacy Risks and Innovation Perspectives
Imagine having to hand over your passport, your face, and your financial information not to a bank, but to a shopping center: an enormous transparent box in the middle of the square. Anyone could look inside. Anyone could try to open it.
This is how Know Your Customer (KYC) works today: a massive collection of identities stored in a few large digital repositories. And like any concentrated treasure, it attracts unwanted attention. When these data are breached—and it happens with increasing frequency—they become the digital equivalent of house keys, a credit card PIN, and a safe combination. An invitation for hackers and criminals.
Know Your Customer (KYC) is now a widespread procedure in banks, financial platforms, and many online services: it collects and verifies personal data to confirm the identity of service users, primarily to prevent money laundering, fraud, and terrorism financing. At first glance, it might seem an inevitable step in the digitalization of society, but behind this practice lie profound risks to individual privacy and personal security.
The Risk of Centralized Databases: A Goldmine for Hackers and Malicious AI
Most KYC providers operate on centralized databases where sensitive documents such as passports, tax identification numbers, biometric data, selfies, and residential addresses are stored for years. These repositories become a “honeypot” for cybercriminals: once compromised, a single attack can expose millions of personal records simultaneously.
A recent discovery by Cybernews revealed an unsecured database linked to IDMerit (a major AI-powered identity verification platform) exposing approximately 1 billion sensitive KYC records across 26 countries, with the United States accounting for over 203 million records.
The fundamental problem is that data necessary for one-time verification are stored on third-party servers for years, multiplying vulnerability points. Every service with which we have completed KYC possesses a copy of our documents, and if one of these is compromised, the exposure can be permanent. Unlike passwords, passport numbers and biometric data cannot be changed.
The Increasing Value of Data: When Information Becomes a Real Threat
In contemporary digital contexts, the danger is not limited to identity documents alone. When financial data, asset information, or digital wallet details are added to these, the value of this aggregated information grows exponentially. For an attacker, combining a person’s identity with knowledge of what they own and where they keep their money represents the key to executing extortion, theft, and even physical kidnapping.
Financial Data as a Target for Organized Crime
Databases collecting personal financial information — current accounts, bank balances, shareholdings, investments, cryptocurrency data — become valuable targets for those seeking to profit illegally. A striking example is the breach of France’s national bank account registry (FICOBA). Malicious attackers gained access to details of over 1.2 million bank accounts, including names, addresses, and account numbers, drastically increasing the risk of fraud and financial extortion.
In this context, it is easy to see how extortionists can aggregate demographic information, financial data, and KYC records to build highly appealing profiles of potential victims, facilitating targeting by organized criminal groups.
The Phenomenon of Kidnappings Motivated by Financial Gain
The availability of such data has driven crime beyond the digital sphere. In recent years, France has witnessed a concerning rise in so-called ‘crypto-kidnappings’ and violent attacks aimed at extorting cryptocurrencies or money transfers. According to law enforcement reports and journalistic investigations, more than 40 cases of kidnappings related to the possession or perception of digital wealth were reported between 2023 and 2025.
In some episodes, attackers held victims hostage to extort digital fund transfers or threatened physical violence to obtain access to electronic wallets. There has also been a reported attempted kidnapping of a high-ranking executive of a major French cryptocurrency platform, highlighting how individuals publicly associated with digital wealth have become targets of planned attacks.
These episodes demonstrate that exposure of personal and financial data does not remain confined to cyberspace: when sensitive information is aggregated in large centralized databases, not only do the risks of online fraud increase, but so does the likelihood that such information will be exploited to threaten people’s physical safety.
The Amplifying Role of Social Media
Beyond KYC data and compromised financial databases, there exists a source of vulnerability often underestimated: voluntary exposure on social media. Platforms such as Instagram and LinkedIn constitute enormous public archives—often unregulated—of personal, professional, and asset information.
In episodes of extortion-motivated kidnappings in France, investigators confirmed that some victims had been selected because their social media profiles displayed luxurious lifestyles, cryptocurrency investments, visible profits, valuable assets, or photographs suggesting substantial personal wealth. In many cases, criminals integrated publicly available social media information with data obtained from database breaches, creating detailed victim profiles before the attack.
This practice is particularly prevalent among criminal groups organizing targeted robberies or crypto-kidnappings. Potential targets are selected based on indicators such as job positions in fintech, wealth management, or cryptocurrency companies. On LinkedIn, for example, titles such as ‘Head of Crypto Security’, ‘Portfolio Manager’, ‘Founder Exchange’, or simply ‘Crypto Investor’ can attract criminal attention.
Social media further amplify vulnerability because they allow attackers to track habits, travel destinations, daily routines, recognizable addresses from photographs, and even family members and housemates who can become additional extortion leverage. The combination of this public information with more sensitive data derived from KYC processes creates an unprecedented level of exposure.
The Privacy Regulatory Paradox
Laws such as the European GDPR aim to limit the collection and retention of personal data, imposing principles such as data minimization. However, in practice, many companies collect more information than necessary or retain it longer than required, often out of regulatory caution or simple inertia.
The result is paradoxical: tools designed to protect the financial system — and theoretically also users — become themselves a risk to digital freedom and privacy for those who wish to access modern services such as bank accounts, cryptocurrency exchanges, or investment platforms.
User Abandonment, Frustration, and Discrimination
Beyond privacy concerns, KYC creates practical access issues. Lengthy processes, repetitive requests, and bureaucratic complexity lead many users to abandon registration or service use. Studies indicate that over 50% of customers abandon onboarding if identity verification is too slow or complex.
Furthermore, marginalized groups—such as digital workers, nomads, or people without standard documentation—are excluded from essential services, thereby reinforcing preexisting social and digital inequalities.
Alternative Solutions: Decentralized Digital Identity and Proof of Identity
The technical-scientific community and some startups are exploring alternative models that significantly reduce data exposure:
Self-Sovereign Identity (SSI): models where users directly own and control their own identity data, releasing it on request without intermediaries holding it in plain text.
Zero-Knowledge Proofs (ZKP): cryptographic demonstrations that allow verification of attributes (for example ‘I am of legal age’, ‘I am a registered real person’) without revealing the underlying data.
Blockchain-based decentralized protocols: technologies that allow storing identifiers in a distributed manner, making centralized access to sensitive data much more difficult.
These solutions promise a form of privacy-respecting proof of identity, where everyone controls their own data, sharing it only when necessary and without the possibility of mass aggregation by third parties.
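The following is an added example (not code from the article or from any of the projects it cites) of the selective-disclosure idea behind SSI and attribute proofs: the issuer commits to each attribute with a salted hash, signs the list of commitments, and the holder later reveals only the attribute a verifier asks for, such as ‘over 18’, while the date of birth and passport number never leave the holder. It is not a full zero-knowledge proof; it is the simpler hash-commitment scheme used by selective-disclosure credential formats. Assumptions: HMAC-SHA256 with a key shared by issuer and verifier (ISSUER_KEY) stands in for the issuer’s asymmetric signature, and all attribute values and names are constructed sample data.

```python
"""Selective-disclosure identity credential (added example, not from the article).

Issuer: commits to every attribute with a salted SHA-256 hash and authenticates
        the sorted list of commitments.
Holder: keeps the salts privately and reveals only the requested attributes.
Verifier: checks the issuer tag and that each revealed (salt, value) opens one
          of the committed digests; it never sees undisclosed attributes.

Assumption: HMAC with a shared ISSUER_KEY replaces a real digital signature
(e.g. Ed25519) so the example runs with the standard library only.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

ISSUER_KEY = b"demo-issuer-key-not-for-production"  # constructed sample key


def _commit(salt: str, name: str, value: str) -> str:
    """Salted commitment to one attribute; without the salt the digest reveals nothing."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def _tag(digests: List[str]) -> str:
    """Issuer authentication tag over the commitment list (stand-in for a signature)."""
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()


def issue_credential(attributes: Dict[str, object]) -> Tuple[dict, dict]:
    """Issuer side. Returns (credential, disclosures).

    credential  -> shareable object: sorted digests + issuer tag
    disclosures -> kept privately by the holder: {attribute: (salt, value)}
    """
    disclosures = {name: (secrets.token_hex(16), str(value)) for name, value in attributes.items()}
    digests = sorted(_commit(salt, name, value) for name, (salt, value) in disclosures.items())
    return {"digests": digests, "tag": _tag(digests)}, disclosures


def present(credential: dict, disclosures: dict, reveal: List[str]) -> dict:
    """Holder side: attach only the requested disclosures to the credential."""
    return {"credential": credential, "disclosed": {name: disclosures[name] for name in reveal}}


def verify_presentation(presentation: dict) -> Optional[Dict[str, str]]:
    """Verifier side. Returns the disclosed claims if valid, otherwise None."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_tag(cred["digests"]), cred["tag"]):
        return None  # commitment list not authenticated by the issuer
    committed = set(cred["digests"])
    claims: Dict[str, str] = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _commit(salt, name, value) not in committed:
            return None  # revealed value does not open any committed digest
        claims[name] = value
    return claims


if __name__ == "__main__":
    # Constructed sample identity; the issuer attests the 'over_18' predicate
    # so the verifier never needs the date of birth itself.
    cred, disc = issue_credential({
        "name": "Alice Example",
        "date_of_birth": "1990-05-01",
        "passport_no": "X1234567",
        "over_18": True,
    })
    pres = present(cred, disc, ["over_18"])
    print("verifier learns:", verify_presentation(pres))
    print("passport in presentation:", "X1234567" in repr(pres))
```

The verifier ends up holding only the salt and value for the disclosed attribute plus a list of opaque digests, so a breach of the verifier’s records exposes nothing about the other attributes; the issuer also never needs to keep a copy of the holder’s disclosures once the credential is issued.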
Toward a Future More Respectful of Privacy
KYC as currently implemented risks becoming an Achilles’ heel for digital freedom, creating vast archives of vulnerable and permanent personal information. This is not simply a technical problem, but a social and civic challenge: anti-money laundering regulations can conceal powerful levers of surveillance and control that require immediate intervention.
The challenge for the future is not to eliminate identification—since in many contexts it remains necessary—but rather to rethink it in a way that does not involve creating massive ‘repositories’ of centralized human identity. Adopting verification protocols that are privacy-by-design, decentralized, and cryptographically secure represents a decisive step toward a digital society where privacy is not optional, but a fundamental right.
Some References
arXiv (2021). Self-Sovereign Identity: A Survey. https://arxiv.org/abs/2108.08338
chainit.com (2024). KYC Process Challenges. https://www.chainit.com/insights/kyc-process/
CPO Magazine (2024). Security Breach at the French National Bank Registry Compromises 1.2 Million Bank Accounts. https://www.cpomagazine.com/cyber-security/security-breach-at-the-french-national-bank-registry-compromises-1-2-million-bank-accounts/
crypto.news (2024). France hit by 40 crypto kidnappings as ‘wrench attacks’ surge. https://crypto.news/france-hit-by-40-crypto-kidnappings-as-wrench-attacks-surge/
ENDO (2024). Addressing Security and Privacy Concerns in KYC and Data Verification for Crypto Trading. https://endo.im/addressing-security-and-privacy-concerns-in-kyc-and-data-verification-for-crypto-trading/
Cybernews (2025). “IDMerit data breach: 1 billion records of personal data exposed in KYC data leak.” https://cybernews.com/security/global-data-leak-exposes-billion-records/
Riddle Insights (2024). Ensuring Customer Privacy in KYC: Striking the Right Balance in Data Handling. https://riddleinsights.com/ensuring-customer-privacy-in-kyc-striking-the-right-balance-in-data-handling/
Zyphe (2024). Are KYC Verifications Safe? https://www.zyphe.com/resources/blog/are-kyc-safe