KYC Breach Timeline 0 records exposed 0 breaches
A Visual Investigation
Know Your Customer
Kill Your Customer

They call it KYC. Here's what it actually does to the people who comply.

0
Records Exposed

Whatever happened to innocent until proven guilty?

Before you can open a bank account, buy bitcoin, or use most financial services, you must surrender your most sensitive personal data to prove you're not a criminal.

Your passport. Your selfie. Your home address. Your bank statements. All stored in databases you'll never see.

They promised your data would be safe.

What they take from you

Each step of "verification" hands over more of your identity. Each piece becomes a weapon if it leaks.

Step 01 Identity theft

Your name and birthday

Full legal name, date of birth, nationality, tax ID.

With your name + DOB + SSN, someone can open credit cards, take out loans, and file tax returns in your name.
Step 02 Document fraud

Your government ID

Passport or driver's license — front and back.

A leaked passport scan is a forger's dream. Your document number, photo, and signature in the wrong hands.
Step 03 Biometric risk

A selfie holding your ID

Your face linked to your identity forever. You can't change your face like a password.

Step 04 Physical danger

Proof you live there

Now they know where you sleep. When Ledger leaked 272,000 addresses, home invasions followed.

Step 05 Full exposure

How you make money

Your income, employer, spending habits — an attacker knows exactly what you're worth.

After five steps, a company you just met has your name, face, passport number, home address, income, and biometric data.

Now multiply that by every service that requires KYC.

Where your data actually goes

You trusted one company. Your passport now sits in five different databases.

You

Submit passport, selfie, address

The Exchange

Coinbase, Binance, Kraken…

KYC Verification Provider

Jumio, Onfido, Sumsub — companies you've never heard of

Cloud Storage

AWS, Google Cloud — your ID on a server somewhere

Subcontractors

Outsourced teams in unknown jurisdictions

And then they lost it all

Billions of records. Passports, SSNs, home addresses, biometric data — all gone. These are just the ones we know about.

Hack / Cyberattack
Human Error
Data Left Exposed
Insider / Bribery
Legal / Bankruptcy
2013
3B exposed
Yahoo
3Brecords
Aug 2013 (disclosed 2016) State-sponsored hack
Every single Yahoo account — all 3 billion. Names, emails, DOBs, phone numbers, hashed passwords, security questions. Yahoo hid the breach for three years. The largest data breach in history.
Full NameDOBPhoneSecurity Questions
2014
83M exposed
JP Morgan Chase
83Mrecords
Oct 2014 Cyberattack
Russian hackers exploited a server missing two-factor auth. Names, addresses, phone numbers of 76M households and 7M businesses.
Full NameAddressPhoneEmail
2017
147M exposed
Equifax
147Mrecords
Sep 2017 Unpatched vulnerability
A known Apache Struts vulnerability went unpatched for months. SSNs, birth dates, addresses, driver's licenses. Half of America exposed because someone didn't run an update.
SSNDOBAddressDriver's LicenseCredit Card
2018
1.6B exposed
Aadhaar (India)
1.1Brecords
Jan 2018 Insider access sold
Access to the entire database — fingerprints, iris scans, photos for nearly every Indian citizen — was being sold by insiders for $8 via WhatsApp.
BiometricsFingerprintsIris ScanPhoto
Marriott / Starwood
500Mrecords
Nov 2018 State-sponsored hack
Chinese intelligence had been inside since 2014 — four years undetected. Passport numbers, credit cards, travel itineraries.
PassportCredit CardTravel Data
2019
1.4B exposed
First American Financial
885Mrecords
May 2019 Data left exposed
No hacking required. 885M documents — bank accounts, SSNs, tax records — publicly accessible by changing a digit in the URL.
SSNBank AccountTax Records
Facebook
533Mrecords
Apr 2019 (dumped 2021) API scraping
A vulnerability in the contact import feature let attackers scrape phone numbers for 533M users across 106 countries. Posted for free on a hacking forum.
PhoneFull NameLocationDOB
2020
5.2M exposed
Ledger ⚠️
5.2Mrecords
Jul 2020 API exploit
A misconfigured API exposed physical home addresses of crypto hardware owners. 272K had full name + address + phone. This list became a hunting guide. Co-founder kidnapped in 2025, finger severed.
Home AddressPhonePurchase History
2021
77M exposed
T-Mobile
77Mrecords
Aug 2021 Server breach
A 21-year-old found an unprotected router and pivoted into T-Mobile's network. SSNs, driver's licenses, DOBs for 77M customers. Their fifth breach in four years.
SSNDriver's LicenseDOBIMEI
2022
6.4M exposed
Celsius Network
600Krecords
Oct 2022 Bankruptcy filing
Court documents exposed complete KYC data, transaction histories, and account balances. The legal process designed to protect creditors published their most private data instead.
KYC DocsTransactionsBalances
Revolut
50Krecords
Sep 2022 Social engineering
50K customer records accessed. Then in 2026, an ex-employee used internal tools to look up a crypto trader's details and extort him — threatening to leak KYC data unless a crypto ransom was paid.
Full NameAddressInsider threat
Gemini
5.7Mrecords
Dec 2022 Third-party breach
A vendor breach exposed 5.7M customer emails and partial phone numbers. Targeted phishing campaigns followed immediately.
EmailPartial Phone
2023
6.9M exposed
23andMe
6.9Mrecords
Oct 2023 Credential stuffing
Reused passwords + the "DNA Relatives" feature let attackers scrape millions of genetic profiles. You can change a password. You can't change your genome.
Genetic DataDNAFamily Links
2024
3B exposed
National Public Data
2.9Brecords
Aug 2024 Data broker hacked
A background-check company most people had never heard of held SSNs, names, addresses for nearly every American, Canadian, and British citizen. Filed for bankruptcy.
SSNFull NameAddressDOB
Change Healthcare
100Mrecords
Feb 2024 Ransomware
ALPHV/BlackCat ransomware. Medical records, SSNs. One third of Americans. Paid $22M ransom. Data leaked anyway.
MedicalSSNInsurance
2025
30M+ exposed
Coinbase KYC Partner
30M+records
2025 Insider bribery
Overseas support contractors bribed to extract customer data. Government IDs, selfies, passports, addresses. The full KYC package on Telegram. Forever.
Government IDSelfiePassportAddress

When data leaks turn physical

305 documented attacks since 2014. Home invasions, kidnappings, torture, murder.

Source: GART Research & Jameson Lopp

2017
12
2018
38
2019
12
2020
18
2021
32
2022
45
2023
42
2024
56
2025
40

Notable cases

Jan 2025 · France
Ledger co-founder kidnapped — finger severed, wife held hostage. Directly linked to the 2020 database leak.
Kidnapping
Jun 2024 · Montreal
Influencer beaten to death in a torture room. Targeted for known holdings.
Murder
Jun 2024 · London
Machete home invasion — forced to transfer 1,000+ ETH at knifepoint.
Home invasion
Feb 2019 · Netherlands
Tortured with a drill in front of his daughter. Attackers demanded transfer.
Torture

The smoking gun

The Ledger breach is the clearest proof that KYC data creates physical danger.

Addresses Leaked
272,000
Data Included
Name, home address, phone, email, proof of ownership
The Ledger breach didn't just expose data. It created a target list with home addresses of people proven to own cryptocurrency hardware. It was a hunting guide.
Phishing campaigns within weeks
Physical threat letters to home addresses
SIM swap attacks using exposed numbers
Home invasion attempts by multiple customers
Wave of attacks in France linked to the leak
Ledger co-founder kidnapped — January 2025

By the numbers

7.4B+
Records exposed
305+
Physical attacks
40+
Countries affected
$0
Compensation for most
Time SSN stays compromised
$8
1.1B biometrics on WhatsApp

KYC doesn't protect you.
It exposes you.
It endangers you.

Every piece of identity you hand over becomes a liability stored in a database you don't control, protected by a company that will eventually get breached.

The question isn't if your data will leak. It's how many times it already has.

0
Records exposed from this page alone

Data sourced from public breach disclosures, GART Research, Jameson Lopp, and verified security research.