Kill Your Customer

Whatever happened to innocent until proven guilty?

KYC — "Know Your Customer" — flips that on its head. Before you can open a bank account, buy bitcoin, or use most financial services, you must hand over your most sensitive personal data to prove you're not a criminal.

Your passport. Your selfie. Your home address. Your bank statements. All stored in databases you'll never see, managed by companies you have no reason to trust.

They promised your data would be safe.

What they take from you

Each step of "verification" hands over more of your identity. Each piece of data becomes a weapon if it leaks.

📋

Step 1

Your name and birthday

Full legal name, date of birth, nationality, tax ID.

With your name + DOB + SSN, someone can open credit cards, take out loans, and file tax returns in your name. Recovery takes years.

Identity theft

🪪

Step 2

Your government ID

Passport or driver's license — front and back.

A leaked passport scan is a forger's dream. Your document number, photo, and signature can be used to create convincing fakes.

Document fraud

📸

Step 3

A selfie holding your ID

Live photo of your face next to your passport.

Your face is now linked to your identity and your financial accounts. Deepfakes can be generated. You can't change your face like a password.

Biometric risk

🏠

Step 4

Proof you live there

Utility bill, bank statement, or lease showing your home address.

Now they know where you sleep. When Ledger leaked 272,000 home addresses of crypto owners, armed robberies and home invasions followed.

Physical danger

💰

Step 5

How you make money

Pay stubs, bank statements, source of funds documentation.

Your income, employer, and spending habits — a complete financial profile. Combined with everything else, an attacker knows exactly what you're worth.

Full exposure

After five steps, a company you just met has your name, face, passport number, home address, income, and biometric data.

Now multiply that by every service that requires KYC.

Where your data actually goes

You think you're giving your data to one company. In reality, it passes through a chain of organizations — each one a potential breach point.

You

Submit your passport, selfie, address

The Exchange

Coinbase, Binance, Kraken…

KYC Verification Provider

Jumio, Onfido, Sumsub — companies you've never heard of

Cloud Storage

AWS, Google Cloud — your ID on a server somewhere

Subcontractors

Outsourced teams with database access in unknown jurisdictions

You trusted one company. Your passport photo now sits in five different databases, managed by organizations you've never heard of. Any single breach in this chain exposes everything.

And then they lost it all

A timeline of the largest data breaches. Billions of records. Passports, SSNs, home addresses, biometric data — all gone. These are just the ones we know about.

2014

JP Morgan Chase

Oct 2014

83M records

Names, addresses, phone numbers, email addresses of 76M households and 7M businesses. One of the largest bank breaches ever.

Full Name Address Phone Email

2017

Equifax

Sep 2017

147M records

SSNs, birth dates, addresses, driver's license numbers, and 209,000 credit card numbers. Half of America exposed. The company tasked with protecting credit data couldn't protect its own.

SSN DOB Address Driver's License Credit Card

2018

Aadhaar (India)

Jan 2018

1.1B records

The world's largest government ID database. Names, addresses, photos, phone numbers, and biometric data — fingerprints and iris scans — for nearly every Indian citizen. Sold for $8 on WhatsApp.

Biometrics Fingerprints Iris Scan Photo Address

Marriott / Starwood

Nov 2018

500M records

Passport numbers, credit card details, travel itineraries. Attackers had access since 2014 — four years undetected.

Passport Credit Card Email

2019

First American Financial

May 2019

885M records

Bank accounts, SSNs, wire transfers, mortgages, tax records, driver's licenses. All publicly accessible via a simple URL change.

SSN Bank Account Tax Records Driver's License

2020

Ledger ⚠️

Jul 2020

5.2M records

Physical home addresses of hardware wallet buyers. Led to home invasion threats, phishing, SIM swaps targeting Bitcoin holders. 272K had full address + phone exposed. Co-founder kidnapped in 2025.

Home Address Phone Email Purchase History

2022

Celsius Network

Oct 2022

600K records

Full KYC data leaked during bankruptcy: names, transaction histories, account balances. Court filings made private financial data public.

Full Name Transactions Balances KYC Docs

2023

23andMe

Oct 2023

6.9M records

Genetic ancestry data, birth years, family connections. Your DNA — the most permanent data possible — leaked. You can change a password. You can't change your genome.

Genetic Data DNA Ancestry Family Links

2024

National Public Data

Aug 2024

2.9B records

SSNs, names, addresses, DOBs, phone numbers for nearly every American, Canadian, and British citizen. A data broker most people had never heard of. The company filed for bankruptcy.

SSN Full Name Address DOB

Change Healthcare

Feb 2024

100M records

Medical records, insurance, SSNs. One third of Americans. The company paid a $22M ransom. The data leaked anyway.

Medical Records SSN Insurance

2025

Coinbase KYC Partner

2025

30M+ records

Government IDs, selfies, addresses exposed through a third-party KYC verification provider. Your passport photo is now on a Telegram channel. Forever.

Government ID Selfie Passport Address

When data leaks turn physical

305 documented physical attacks against cryptocurrency holders since 2014. Home invasions, kidnappings, torture, murder. The data collected by KYC makes people targets.

Source: GART Research & Jameson Lopp

2017

12

2018

38

2019

12

2020

18

2021

32

2022

45

2023

42

2024

56

2025

40

Notable cases

Jan 2025 · France

Ledger co-founder kidnapped — finger severed, wife held hostage. Ransom demanded in crypto. Rescued after 2 days. Directly linked to the 2020 Ledger customer database leak.

Kidnapping

Jun 2024 · Montreal, Canada

Cryptocurrency influencer beaten to death in a torture room. Targeted for his known crypto holdings.

Murder

Jun 2024 · London, UK

3 men armed with machetes invaded a home, forced the owner to transfer 1,000+ ETH at knifepoint.

Home invasion

Feb 2019 · Netherlands

Bitcoin trader tortured with a drill in front of his daughter. Attackers demanded crypto transfer.

Torture

The smoking gun

The Ledger breach is the clearest proof that KYC data collection creates physical danger.

ADDRESSES LEAKED

272,000

DATA INCLUDED

Name, home address, phone, email, proof of crypto ownership

The Ledger breach didn't just expose data. It created a target list with home addresses of people proven to own cryptocurrency hardware. It was a hunting guide.

What followed

→ Phishing campaigns targeting Ledger customers within weeks
→ Physical threat letters sent to home addresses
→ SIM swap attacks using exposed phone numbers
→ Home invasion attempts reported by multiple customers
→ Wave of attacks in France linked to leaked database
→ Ledger co-founder kidnapped — January 2025

By the numbers

This is not an exhaustive list. These are just the ones we know about.

7.4B+

Records exposed

305+

Physical attacks documented

40+

Countries affected

$0

Compensation most victims received

∞

Time your SSN stays compromised

$8

Cost of 1.1B biometric records on WhatsApp

Whatever happened to innocent until proven guilty?

What they take from you

Your name and birthday

Your government ID

A selfie holding your ID

Proof you live there

How you make money

Where your data actually goes

You

The Exchange

KYC Verification Provider

Cloud Storage

Subcontractors

And then they lost it all

When data leaks turn physical

Notable cases

The smoking gun

What followed

By the numbers

KYC doesn't protect you.It exposes you.It endangers you.

KYC doesn't protect you.
It exposes you.
It endangers you.