Ah shit, here we go again. Four days ago a company called IDMerit left a database holding 1 billion personal records open on the internet with no password. What is IDMerit? A KYC verification company, one designed and promising to keep your data safe. Welcome to the dawn of AI-powered identity verification.

Cybernews researchers found a totally unprotected MongoDB database in November last year. Get this: 1 terabyte, 3 billion records, 1 billion of them containing sensitive personal information across 26 countries. What sensitive information? Pretty much exactly what you would want to protect: full legal names, home addresses and postal codes, dates of birth, national identification numbers, phone numbers, email addresses and telecom metadata. The USA had 204 million records exposed, Mexico 120+ million, the Philippines 72 million, Germany 61 million, Italy and France 53 million each. So is it any wonder kidnappings are on the rise in France? Hell, even the French tax office is implicated in exposing private data.

This wasn't a sophisticated hack. Not a zero-day exploit. It was literally a database left open on the internet with no password: no authentication enabled, reachable from anywhere. The companies that are supposed to protect your identity can't even protect their own database.

So no, this is not another isolated case. It's a pattern. Look at just the last couple of years:
Coinbase, May 2025: employees in India bribed to steal KYC data. 69,461 users. Government IDs, Social Security numbers, bank details, transaction histories. Cost: $180-400 million.
Transak, 2024: 92,554 users' government IDs and selfies stolen through one phished employee.
Signzy, 2024: major KYC provider breached, customer data from banks appeared on the dark web.
NCX Exchange, 2025: 2 million records leaked, including KYC documents.
Indian financial institutions, 2025: 500 GB of KYC data exposed through a misconfigured storage bucket.
UK, 2025: a gigabyte of selfies, IDs, passports and driver's licenses dumped on dark web forums, just sitting there for the taking.
Abu Dhabi Finance Week, a few days ago and completely separate from the IDMerit leak: more than 700 passport scans and government ID cards found unprotected on a cloud server. These belonged to world leaders, politicians and major business figures.

That is billions of records leaked in the last year alone, and only the ones reported so far. It's not if your KYC data gets leaked, it's when. Every company that collects your passport is making a bet. Of course they don't WANT your data to leak, but they are betting: that an employee won't be bribed, that their database won't be hacked, that nobody forgets to put a password on it. The odds are against them. Every. Single. Time.

And you can't change your passport number. You can't change your face. You can't change your date of birth. When a password leaks you change it; when your ID leaks you're compromised for the rest of your life.

In 2024 finance overtook healthcare as the most hacked industry. 30% of breaches now involve third-party vendors. What did Satoshi say about trusted third parties? Well, here we are. Owning bitcoin becomes dangerous when your KYC data falls into the wrong hands.

Last week I shared that KYC catches less than 0.1% of criminal money and costs 100x more than it recovers, and showed how it can be used as a weapon against protesters, political opponents and legal businesses. Look at this: it couldn't be clearer. The data isn't safe and it was never going to be safe. 1 billion records sitting on the internet with no password proves it yet again.

What I just don't understand: we have the evidence, years of it, breach after breach after breach. For a lot of you it starts with an inbox full of phishing emails and your passport on the dark web. For some it starts with being dragged into the back of a kidnapper's van minus a pinkie finger.

What's even more bonkers: today, as I'm writing this, PayPal disclosed that for more than six months a code error exposed customers' Social Security numbers, names, addresses and dates of birth. Their response? Sorry, here is some free credit monitoring.

In 2023 the Swedish police raided Mullvad VPN with a search warrant. They wanted user data. They left with nothing because there was nothing to give. The answer is never better security. It's never stronger passwords. The answer is to never collect the data in the first place.

So if you're reading this thinking, what can we do at this point, is it too late? No, it's not too late. Stop using services that require a passport to buy bitcoin. It's that simple. Use something like @npub1mftv...rkl3: it's totally free, completely open source, and lets you buy and sell bitcoin peer to peer with no KYC, no ID, no database, no freaking honeypot. Using Vexl and trading in cash means your transaction history and ID won't end up in the next open database. Download it at vex.it

Genuinely, if you found this useful, help me scream it. People just don't know this is happening. They hand over their data and don't hear about this until it's too late. Protect yourself. No one else will.

Sources:
IDMerit breach: https://cybernews.com/security/global-data-leak-exposes-billion-records/
Coinbase breach: https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists
Abu Dhabi leak: https://www.reuters.com/world/middle-east/data-leak-abu-dhabi-finance-summit-exposes-global-figures-ft-reports-2026-02-17/
PayPal breach:
KYC breach tracker:
Vexl:
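Editor's added example, not from the post and not IDMerit's or Cybernews' code: "open on the internet with no password" is, in MongoDB terms, two settings at once. `security.authorization` defaults to disabled, and `net.bindIp` decides which interfaces listen (loopback only by default since mongod 3.6; earlier releases listened everywhere). The script below audits a mongod.conf for exactly that pair. The three configs in it are constructed samples, and it assumes the plain `key: value` YAML subset that these sections use.

```python
"""Audit a mongod.conf for the two settings that together make a MongoDB
instance "open on the internet with no password". Added example; sample
configs are constructed. Assumes mongod >= 3.6 defaults (bindIp 127.0.0.1,
authorization disabled) and the plain key: value YAML subset, no lists/anchors."""
from typing import Any

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text: str) -> dict[str, Any]:
    """Minimal parser for nested `key: value` blocks indented with spaces.
    Strips comments and blank lines. Not a general YAML parser."""
    root: dict[str, Any] = {}
    stack: list[tuple[int, dict[str, Any]]] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:      # climb back to this line's parent
            stack.pop()
        parent = stack[-1][1]
        if value == "":                    # `key:` opens a nested block
            child: dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def classify(text: str) -> tuple[bool, bool]:
    """Return (auth_enabled, reachable_off_host) for a mongod.conf."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    # An absent key means the default, and the default is *disabled*.
    auth_enabled = security.get("authorization", "disabled") == "enabled"
    # bindIpAll, 0.0.0.0 or :: expose every interface; any other non-loopback
    # address exposes at least that network. Absent bindIp means loopback only.
    bind_ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    reachable = net.get("bindIpAll", "false") == "true" or any(
        ip not in LOOPBACK for ip in bind_ips)
    return auth_enabled, reachable


def audit_mongod_conf(text: str) -> list[str]:
    """Human-readable findings; an empty list means neither weak setting is present."""
    auth_enabled, reachable = classify(text)
    findings: list[str] = []
    if not auth_enabled:
        findings.append("security.authorization is not 'enabled': any client that "
                        "reaches the port can read every collection")
    if reachable:
        findings.append("net: listening on a non-loopback interface")
    return findings


def is_wide_open(text: str) -> bool:
    """The IDMerit pattern: reachable from off-host AND no authentication."""
    auth_enabled, reachable = classify(text)
    return reachable and not auth_enabled


# Constructed sample 1: the classic open-Mongo configuration.
OPEN_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # every interface, including the public one
# no security section: authorization stays at its default, disabled
"""

# Constructed sample 2: nothing configured. Still no auth, but only loopback
# listens, so an attacker has to get onto the host first.
DEFAULTS_CONF = """
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample 3: auth on, loopback only. Remote clients go through an
# SSH tunnel or a TLS-terminating proxy instead of a public listener.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in [("open", OPEN_CONF), ("defaults", DEFAULTS_CONF), ("hardened", HARDENED_CONF)]:
        print(f"{name}: wide open = {is_wide_open(conf)}")
        for finding in audit_mongod_conf(conf):
            print("  -", finding)
```

The useful check is the combination, not either setting alone: the defaults-only config has no auth either, but only the host itself can reach it, which is why `is_wide_open` looks at both flags. Enabling authorization without also tightening `bindIp` still leaves the listener exposed to password-guessing and to any future auth bypass, so the hardened sample does both.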

Replies (22)

Methinks until the lawmakers fall victim to identity theft, nothing will be done about this. Even then, slim chance.
unSATiated 2 weeks ago
In the government bureaucrat's mind these hacks and leaks mean we're just one more law/regulation away from everything being perfect. Just like before the last one... and after the next one.
Start here. You have to verify you're human and that you are the owner. Vexl is made so that you can trade with your friends and friends of friends privately. All of the phone numbers are hashed locally; the hashes do leave the device. The hashes are what build out your web of trust, your social graph. But if you want to keep trading with your passport and bank account on exchanges, that's fine. Of course, with anything there can always be trade-offs. You can also use any burner number you want, but then you wouldn't be able to trade with your friends and friends of friends unless you share that number with them, as they won't have the hash.
Okay, sort of a fair point, but are phone numbers really the best thing to generate a hash from? I mean, yeah, I guess that's a unique identifier. Since we are here on Nostr I guess it's a valid question whether you can create unique identifier hashes without having duplicates, because if I'm not wrong this is how crypto wallets and Nostr identifiers work. Why is a phone number the best proof of somebody being an actual human being? AI agents can have phone numbers as well, and on the other hand, if it is just a hash I can generate other people's hashes on my own device by giving it other people's phone numbers. Don't you think this is a possible point of failure?
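Editor's added example illustrating the point raised in the reply above. It is not Vexl's code and makes no claim about Vexl's exact scheme; it shows the general property that an unkeyed hash of a low-entropy identifier is a lookup key, not a secret. Under a known country code a phone number has at most about 10 digits of entropy, so anyone holding the hash can enumerate candidates and compare. The numbers, prefix and key below are constructed for the demo.

```python
"""Why an unkeyed hash of a phone number does not hide the number. Added
example, not Vexl's code; numbers, prefix and key are constructed."""
import hashlib
import hmac
from typing import Optional


def phone_hash(e164: str) -> str:
    """Unkeyed SHA-256 of an E.164 number: anybody can recompute it."""
    return hashlib.sha256(e164.encode()).hexdigest()


def keyed_phone_hash(key: bytes, e164: str) -> str:
    """HMAC-SHA-256 under a key. Enumeration then needs the key, so this only
    helps when the key is not shipped inside every client (a bundled key is public)."""
    return hmac.new(key, e164.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(target: str, prefix: str, unknown_digits: int) -> Optional[str]:
    """Brute-force the trailing `unknown_digits` under a known prefix, comparing
    unkeyed hashes, i.e. exactly what an attacker without any key can compute."""
    for n in range(10 ** unknown_digits):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if phone_hash(candidate) == target:
            return candidate
    return None


def build_lookup_table(prefix: str, unknown_digits: int) -> dict[str, str]:
    """Precompute hash -> number for a whole block once; every later hash from
    that block is then a dictionary lookup. A full 10-digit national block is
    1e10 SHA-256 evaluations, well within reach of a single GPU."""
    table: dict[str, str] = {}
    for n in range(10 ** unknown_digits):
        number = f"{prefix}{n:0{unknown_digits}d}"
        table[phone_hash(number)] = number
    return table


if __name__ == "__main__":
    victim = "+14155550123"            # constructed number
    leaked = phone_hash(victim)        # what an uploaded "hashed contact" looks like
    print("recovered:", recover_by_enumeration(leaked, "+1415555", 4))

    table = build_lookup_table("+1415555", 4)
    print("table hit:", table.get(phone_hash("+14155559876")))

    secret = b"constructed-server-only-key"
    keyed = keyed_phone_hash(secret, victim)
    print("keyed recovered:", recover_by_enumeration(keyed, "+1415555", 4))  # None
```

The takeaway for any contact-discovery design: hashing only matters if the function cannot be evaluated by the party you are hiding from. Designs that take this seriously either evaluate a keyed function on a party that never sees the raw number (an oblivious PRF) or keep the matching on-device; a plain hash that every client can compute is at best pseudonymization of a 10-digit space.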
rapadu 2 weeks ago
By now with so many regular instances over the years you have to ask whether this is a deliberate attempt to leak all this personal data….💥
Because people you trust, not just bitcoiners, use phone numbers. So my dog walker: she's not a Bitcoiner, but she is someone I trust and we have each other's number. She might have a friend who is a bitcoiner that I can trade with. I don't have to know her friend. I just have to know that my dog walker trusts her. Currently there is just not a better web of trust in existence. Nostr is a public key. It's not a private web of trust. What other private web of trust exists? I hope people are building these. But right now, when it comes to the ability for people to easily trade peer to peer, there just isn't a better option, and phone numbers are something everyone has! We're not trying to build a new social network; we're trying to take the oldest one we have and enable it for private trading. The thing about Vexl is that I only have to tell my dog walker about one app when she finally wants to learn how to buy bitcoin: Vexl. She can immediately post an offer privately and trade with the people in my network, but also with the people in hers. Local, peer to peer; we encourage cash only. Bitcoin starts local, not trading with strangers on the Internet. If you're a plumber or an electrician or, let's say, a dog walker or a hairdresser, doesn't matter, you can post an ad on Vexl offering your services for Bitcoin and you're sharing that privately with a network of people you can trust. Vexl is a tool. If it works for you, use it; if it doesn't, that's fine as well. But I don't know any other tool that makes it easier to onboard someone to buy bitcoin p2p, how it was intended. With no KYC.
Okay, not a bad explanation. I won't stop anybody from using it; most people have no idea what KYC means anyway, lol. If these are the intentions, that can be a thing, although the people who want no KYC are not the same group of people you want to reach with this, I think. But that's just my opinion and I'm not even sure about that.
I believe in the freedom to transact, because without it you've got no other rights. Vexl enables that freedom for many. But the best thing about Vexl, and why we call it Tinder for Bitcoiners, is that you don't need Vexl every time you want to buy and sell bitcoin: you can meet the person who becomes your friend, who you can depend on every time you need Bitcoin, forever. But I understand anyone's hesitations about using it. In fact, I appreciate you doubting and arguing with me. We are Bitcoiners. That's what we live and breathe. Be skeptical, be curious. That's the beauty of open source: if somebody finds a better, more graceful way, then mission fuckin' accomplished.
NonMetalCoin 2 weeks ago
I think there has been no confirmed malicious access yet, but the point stands.
IMHO, the biggest problem is that onboarding is monopolized by KYC platforms. They run the biggest acquisition funnels, so millions meet Bitcoin for the first time through passport uploads. I'm actually working on a project that helps people carve out independent digital space in authoritarian countries. There's already an MVP: by the end, a user with zero crypto experience ends up with a non-custodial Bitcoin wallet and some sats (btw, I would genuinely value your feedback on it).