I agree that KYC sucks, but the co-founder story seems like a non-sequitur. How was this due to KYC?
KYC doesn’t just put your data at risk; it puts people at risk.
Hackers recently demanded $20 million in Bitcoin from Coinbase, threatening to leak sensitive customer data.
While no passwords or private keys were accessed, the attackers obtained full names, addresses, contact details, partial Social Security and bank account numbers, and identity documents. This is the kind of data that can be weaponised for identity theft, fraud, or worse.
This is exactly the kind of risk I raised on the compliance panel at the Financial Times Digital Assets Summit last week. While KYC and compliance frameworks are presented as security features, they often do the opposite. They create massive, centralised honeypots of personal data that can and do get breached, sold, or exploited.
We’ve seen what can happen when that data gets into the wrong hands. Earlier this year, David Balland, the co-founder of Ledger, was kidnapped along with his wife. His captors cut off one of his fingers and sent it to a business associate to demand crypto ransom. He was rescued by French special forces, but the message was clear: real-world consequences are now linked to digital identity exposure.
We need better solutions that don’t force users to sacrifice privacy and safety for access.
Compliance shouldn’t come at the cost of security.
https://blossom.primal.net/ac486e1dd87c2d3cb7de7f212911db32b4562b13e1faae0038e875e8b7183f4d.mov
Discussion
Ledger had a data leak. While they haven’t confirmed the attack was due to it, the exposure of private KYC data is widely believed to increase the risk for high-profile individuals.
Sure, but you don't need leak data to find out who the co-founders of a company are, and I am willing to bet that the co-founder's KYC data was not in that leak.