For privacy-minded crypto users, there may be no three letters more dreaded than “KYC.”
The acronym, shorthand for “know your customer,” refers to the process of providing personally identifiable information, such as your name and address, to certain service providers, namely cryptocurrency exchanges. In many jurisdictions, including the U.S., it’s required by law. And while it may be important, perhaps even crucial, in guarding against illegal activity, KYC comes with risks—both for the companies that collect the data and the individuals who provide it.
Earlier this week, Solana co-founder Raj Gokal and his wife were both doxxed by malicious actors demanding he pay 40 BTC (worth $4.3 million). Gokal says that the photos of his documentation came from a know-your-customer process, but didn’t provide details.
Getting doxxed refers to having personal information published online, and in the worst of cases this can include home addresses or bank details. In the world of crypto, with a high number of anonymous and pseudonymous users, the doxxing bar can be as low as just someone’s real name or face. In Gokal’s case, it was photos of his government-issued ID, which included his home address.
This comes two weeks after the biggest centralized crypto exchange in the U.S., Coinbase, revealed it suffered a data breach, resulting in sensitive customer information falling into the hands of hackers. TechCrunch and Arrington Capital founder Michael Arrington predicted this would “lead to people dying,” as a wave of kidnapping attempts sweeps the industry.
Many have speculated that Gokal’s doxxing came as a result of the Coinbase breach, although it hasn’t been confirmed. The incident, nevertheless, has made crypto users wary of being forced to identify themselves to exchanges.
always remember to dress up smart for your KYC photos.
you never know what kind of reach they might get on social media
— raj 🖤 (@rajgokal) May 27, 2025
After all, KYC processes can often involve requiring users to provide photos of their passport, proof of address, and a photo of themselves holding an ID. And with crypto kidnappings on the rise—following a number of high-profile cases in France, the U.S., and elsewhere—users are fearful that hackers could steal their KYC information and lead attackers to their front doors.
“When a platform collects too much KYC , it becomes a target,” Nick Vaiman, co-founder and CEO of Bubblemaps, told Decrypt. “Once attackers get access to that data, they can launch highly targeted phishing attacks, or worse, use your personal info to find you in real life and rob you directly,” he said. “KYC data creates risk. The more data you hold, the bigger the target you become.”
But a future without KYC simply isn’t realistic, said Bubblemaps co-founder and COO Arnaud Droz. As such, it’s like to continue as perhaps a “necessary evil” to prevent on-chain criminal activity.
“KYC is a crucial tool not just for regulatory compliance, but for crime prevention,” Slava Demchuk, CEO of compliance firm AMLBot, told Decrypt. “While sophisticated criminals may still find ways around it, KYC introduces friction that makes their operations harder—and when paired with other [anti-money laundering] measures like transaction monitoring and screening, it becomes a powerful defense.”
Due to this important function, KYC is required by law in most jurisdictions. That includes the U.S., which requires it under the USA Patriot Act of 2001.
Despite its virtues, there has been an increase of industry leaders vocally pushing back against KYC requirements following the Coinbase hack. Erik Voorhees, founder of cryptocurrency exchange ShapeShift, called state-enforced KYC a crime on social media. Coinbase CEO Brian Armstrong agreed with him.
“The core issue is that if you’re a scammer, it’s not hard to bypass the system,” Vaiman added. “You can simply buy fake KYC or use someone else’s. And with the rise of AI, generating fake identities is becoming even easier, making the entire system weak. KYC doesn’t stop bad actors and creates friction for honest users,” he said.
But if the system, though necessary, is flawed, then what can be done about it?
“We’re seeing innovative solutions like zero-knowledge privacy and theoretical zero-knowledge-KYC implementations,” Jeff Feng, co-founder of layer-1 blockchain developer Sei Labs, told Decrypt. “But we have to be realistic—financial systems need safeguards against illicit activity.”
Zero-knowledge proofs, often called ZK-proofs, are a type of cryptography that allows a user to prove something, such as proving they don’t live within a sanctioned country, without revealing the information directly to the receiver.
Demchuk of AMLBot believes ZK-KYC is a great privacy-preserving feature but would be very hard to implement, since it would require significant regulatory changes in the E.U., for instance. That’s because GDPR regulations require data controllers, an exchange in this case, to store data related to the KYC process for five years. ZK-KYC would prevent the exchange from ever touching the data, let alone storing it for five years.
Regardless of how the industry evolves on KYC, some users believe that the issue is emblematic of a more existential problem.
“The ability to transact anonymously is bedrock to cryptocurrency as a revolutionary technology resisting the invasive state,” Charlotte Fang, the pseudonymous founder of Remilia Corporation, told Decrypt. “Crypto as an industry has strayed from the basic premises of the cypherpunk movement, not just in KYCs by exchanges in their pursuit for adoption, but as a culture.”
Privacy advocates believe in complete anonymity when transacting on blockchain networks, while regulators continue to fight against this. Then again, with the U.S. Treasury lifting sanctions on the privacy-preserving Ethereum coin mixer Tornado Cash earlier this year, it’s possible that the tides—at least in D.C.—could be turning.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
