KYC Is Broken — How Zero-Knowledge Proofs Fix Digital Identity
Your Data Is Already Out There
Right now, your full name, date of birth, home address, bank account number, and possibly even your passport number are sitting in a database somewhere. Probably multiple databases. And the only thing standing between that data and a criminal is a company's cybersecurity budget.
A hacker group called ShinyHunters has proven — over and over again — just how thin that protection really is.
The ShinyHunters Track Record
ShinyHunters have been active since 2020, and their resume reads like a horror show for anyone who cares about privacy.
- Wattpad (2020): 270 million records stolen
- Animal Jam (2020): 46 million accounts compromised
- AT&T Wireless (2021): 110+ million customers, including Social Security numbers. AT&T paid a $370,000 ransom and didn't acknowledge the breach until 2024
- Ticketmaster (2024): 560 million users, including partial credit card data — breached via Snowflake, a cloud provider used by ~165 companies
- Santander Bank (2024): 30 million customers across Spain, Chile, and Uruguay. Data put up for sale for $2 million
- Odido (2026): 6.5 million Dutch customers. Names, addresses, dates of birth, bank account numbers, and millions of passport and ID card numbers
In the Odido case, the hackers used social engineering — posing as IT staff and tricking employees into approving 2FA requests. Simple but devastatingly effective. When Odido refused to pay the ransom, ShinyHunters dumped everything online. Day by day. First 680,000 records. Then another million. Then another. Dutch police had to set up a special website — checkjehack.politie.nl — just so citizens could check if their data was compromised.
The pattern is always the same: a company collects massive amounts of personal data, stores it in a centralized database, and that database gets hacked. One database. Millions of records. One point of failure.
Why KYC Is the Real Problem
So why do companies store all this data? Three letters: KYC — Know Your Customer.
KYC is a set of regulations requiring financial institutions, telecoms, crypto exchanges, and increasingly any company that handles money to verify customer identities. When you open a bank account, sign up for a phone plan, or register on a crypto exchange — they need your ID, proof of address, sometimes your tax information.
The idea makes sense in theory: prevent money laundering, stop terrorism financing, catch fraud. But here's the fundamental flaw: KYC doesn't just verify your identity. It forces companies to copy and store your identity.
Every company you do business with gets a full copy of your most sensitive personal data. And then they keep it. For years. Sometimes forever.
Think about how many companies have your passport number right now. Your bank. Your telecom. Your health insurer. Your crypto exchange. Your employer. Every hotel you've ever checked into. Each one has a copy. Each one is a potential breach.
The KYC Paradox
Here's where it gets really dark. KYC was designed to prevent fraud and protect the financial system. But the data collected through KYC is now the primary fuel for identity fraud. The system meant to protect you is actually putting you at risk.
In November 2025, cybersecurity researchers at Cybernews discovered an unprotected database linked to IDMerit — an AI-powered KYC verification provider — containing approximately one billion personal records across 26 countries. A KYC provider leaked the data it was supposed to protect. Let that sink in.
And what happens with stolen data? Criminals use it to create synthetic identities. They take your real name, combine it with a different address, add a fake email, and create an entirely new person — built on your identity. These synthetic identities are used to open bank accounts, apply for credit cards, get loans. They build up credit for months, then max everything out and disappear.
According to TransUnion, US lenders faced $3.3 billion in exposure to suspected synthetic identities in the first half of 2025 alone. The original victim often doesn't know until debt collectors come knocking.
KYC doesn't prevent fraud. It enables it.
The Solution: Zero-Knowledge Proofs
So the system is broken. But you can't just get rid of identity verification — companies still need to know they're dealing with a real person. The key insight is this: there's a massive difference between verifying something and storing something.
That's exactly where zero-knowledge proofs come in.
A Simple Example
You want to get into a nightclub. The bouncer needs to verify you're over 21. Today, you hand over your driver's license. The bouncer sees your full name, date of birth, address, license number, photo. Way more information than necessary.
Now imagine this: you hold up your phone, an app generates a cryptographic proof that says "this person is over 21" — and the bouncer can mathematically verify that this is true — without ever seeing your name, your birthday, or anything else.
He knows you're over 21. He can be 100% certain. But he has zero knowledge of any other personal information.
That's a zero-knowledge proof. You prove a statement is true without revealing the underlying data.
How This Changes Everything
Opening a phone plan. Instead of Odido copying your passport, you prove via a ZK-proof that you have a valid government-issued ID and that you're over 18. Odido gets the verification they need. But they never receive — and therefore never store — your passport number. If ShinyHunters hacks them tomorrow? There are no passport numbers to steal. Because they were never there.
Applying for a bank account. The bank needs to verify your identity for KYC compliance. With ZK-proofs, you can prove: "I am a citizen of an EU country," "I am not on any sanctions list," and "My tax identification number is registered and valid" — all without the bank ever seeing your passport, your address, or your tax number.
Crypto exchange verification. Instead of uploading selfies and passport photos to yet another database, you prove you meet regulatory requirements through ZK-proofs. The exchange is compliant. Your identity stays yours.
In every case, the critical shift is the same: verification without storage. Prove, don't copy.
Self-Sovereign Identity: The Bigger Picture
Zero-knowledge proofs are the engine. But the vehicle is something called Self-Sovereign Identity (SSI) — and it's what blockchain technology enables for digital identity.
The core idea: you own and control your digital identity. Not your bank. Not your government. Not Facebook. You. Your identity lives in a digital wallet on your phone, secured by cryptography and anchored to a blockchain.
It works through three roles:
- Issuer — A trusted authority (your government, university, employer) that issues verifiable credentials. Think of it as a digital version of your passport or diploma.
- Holder — That's you. You store credentials in your digital wallet. You decide who sees what, when, and how much.
- Verifier — Any company or service that needs to check something about you. But instead of getting a copy of your passport, they get a ZK-proof that confirms only what they need to know.
The blockchain serves as the decentralized trust layer. It stores public keys and credential schemas — never the personal data itself — so anyone can verify that a credential is legitimate without trusting a single central authority.
This Is Already Being Built
This isn't a whitepaper fantasy. It's being built right now:
Concordium — A Layer-1 blockchain from Denmark with zero-knowledge proofs built directly into the protocol. They've already deployed a working app in the UK for age verification without showing your ID.
Polygon ID — Built on Ethereum's ecosystem, using ZK-proofs for privacy-preserving identity verification. Already integrated with several DeFi protocols.
EU Digital Identity Wallet — The European Union is building a digital identity framework based on SSI principles, planned for rollout in 2026-2027. Every EU citizen will be able to store and share verified credentials from their phone.
EBSI — The European Blockchain Services Infrastructure is enabling cross-border digital identity verification across EU member states.
And in British Columbia, Canada, the provincial government is already running a production system for decentralized organizational identity.
The Business Case
Storing personal data isn't just risky for consumers — it's a massive burden for businesses too.
Under GDPR, every company that stores personal data must protect it: security audits, Data Protection Impact Assessments, encryption infrastructure, privacy officers, penetration testing. Over half of European SMEs spend between €1,000 and €50,000 per year on GDPR compliance alone. For data-intensive industries, compliance adds up to 24% in additional costs.
And if a breach happens? Fines of up to €20 million or 4% of global revenue, plus lawsuits, plus reputation damage.
What if companies simply didn't need to store personal data at all? With ZK-proofs and tokenized identifiers, every customer gets a unique cryptographic hash — an anonymous digital fingerprint. Businesses can query commercial data through that hash (purchase behavior, usage patterns, churn risk) without ever touching personal information.
No personal data stored means dramatically reduced compliance costs. No risk of billion-dollar fines for data that was never in your database. The savings flow through to lower prices for consumers.
The Roadblocks
If this is so great, why isn't it everywhere already? There are real challenges:
Legacy systems. Every bank, telecom, and exchange has built its infrastructure around copying and storing identity data. Migrating requires rebuilding.
Regulation hasn't caught up. Current KYC laws literally require companies to store identity documents. The regulations need to evolve to recognize cryptographic verification as legally equivalent.
User experience. Managing your own cryptographic identity is still too complex for the average consumer. The UX needs to be as simple as unlocking your phone with Face ID.
The chicken-and-egg problem. Companies won't implement ZK-verification until users have digital identity wallets. Users won't adopt wallets until companies accept them.
But the EU Digital Identity Wallet is the forcing function. When 450 million Europeans get a government-backed digital identity wallet, the chicken-and-egg problem dissolves overnight. And every massive data breach like Odido accelerates the political will for change.
What You Can Do Now
If you've been affected by a breach: Check haveibeenpwned.com to see where your data has been exposed. Consider renewing your ID documents so old numbers become invalid. Be hyper-vigilant about phishing — when criminals have your real data, their attempts become frighteningly convincing.
If you're in the crypto space: Digital identity is one of the most important use cases for blockchain technology. This isn't about speculation or token prices. This is about infrastructure that fundamentally changes how trust works on the internet.
If you're a builder or developer: The intersection of ZK-proofs, blockchain, and identity verification is where real-world adoption happens. This is one of the most impactful areas you can work in.
At Sentinel Alpha, this is exactly the kind of technology we believe in. Not hype. Not moon shots. Real technology solving real problems.
Sources
- Cybernews: "IDMerit data breach: 1 billion records exposed" (2025)
- TransUnion: $3.3 billion synthetic identity exposure (H1 2025)
- Concordium: Zero-Knowledge Based Identity Infrastructure
- Polygon ID: Triangle of Trust — privacy-preserving identity
- EU Digital Identity Wallet: planned rollout 2026-2027
- EBSI: European Blockchain Services Infrastructure
- ShinyHunters breach history via Wikipedia, The Register, NL Times
- Global regulators: ~$1.23 billion in financial penalties (H1 2025)