Opinion: KYC is no upgrade, but a security hole

In March 2024, the European Parliament’s lead committees approved a ban on anonymous transfers of digital assets. The new laws will take effect in three years if adopted by the EU Council and the Parliament.

The team at 50x.com argues that blanket user identification will undermine the safety of personal data. Together with the exchange’s developers, we examine why KYC does not guarantee the security of services, and where to trade cryptocurrencies without verification.

What problems KYC creates

In May 2023, hardware-wallet maker Ledger unveiled a service to recover private keys via a KYC procedure. Using Ledger Recover, the device splits a seed phrase into three encrypted fragments and sends them to external custodians. 

Ledger chief Pascal Gauthier said there was demand for such a service from novice investors:

“The main problem with implementing self-custody of cryptocurrencies is precisely the ability to recover the seed phrase. Most users today either do not own their private keys or put them at risk by using less secure and more complex methods of non-custodial storage and protection of the seed phrase.”

The community’s response to Ledger Recover was mixed. For instance, 1inch co-founder Anton Bukov pointed to a breach of the hardware wallet’s security model, which “should not have an API for revealing the seed phrase”.

Ledger co-founder and former CEO Eric Larchevêque acknowledged that the government could summon the custodians of encrypted seed fragments to court and gain access to bitcoin.

“This is precisely the vulnerability of services with verification: if you show your passport to restore access to your account, attackers can do the same.

KYC and crypto are a toxic mix. They are poorly compatible with each other, both in spirit and purely technically. In TradFi, with documents people prove their connection to assets, for example for inheritance of funds or to challenge an illegal transaction. 

In the blockchain nothing can be rolled back. If a hacker breaks into your account, the withdrawal transaction will remain on the network forever. In practice, KYC gives more room for theft rather than the return of assets,” — note representatives of 50x.com.

They say a heavy reliance on third parties is why many view verification negatively:

“People with a lot of crypto experience don’t like KYC. Not because they want to evade taxes or launder money. They know that by handing data to an exchange, users lose control over it. How do services store personal information? You cannot know for sure.

Ledger is a telling example. In 2020, the email addresses, names and phone numbers of a million people leaked into the public domain. After that, clients began receiving messages with threats of physical violence. Scammers are still sending them phishing emails.”

Crypto exchanges claim that KYC improves the security of client assets: in the event of suspicious activity, platforms will have more ways to identify the account owner.

In practice, however, staff often check documents inadequately, and users find ways to bypass KYC. 

For example, last year on-chain sleuth ZachXBT completed verification on Gate.io under the name Kim Jong-Un and with the email notlazarus.

When stolen funds go to a crypto exchange people like to assume that there is a real person with a real identity tied to an account

To disprove this I was able to create an account on @gate_io and KYC as “Kim Jong-Un” with the email “notlazarus” and within minutes I was verified pic.twitter.com/oCZLK4hBh9

— ZachXBT (@zachxbt) May 9, 2023

In February, 404 Media journalists passed KYC on OKX using a passport generated by AI algorithms via the OnlyFake service. Other enthusiasts managed to fool staff at Binance, Kraken, Bybit, HTX, Coinbase, Bitget, Revolut and PayPal.

Despite the vulnerability of verification procedures, the crypto industry is trending toward their universal adoption.

“Almost all major CEX restrict trading without KYC. KuCoin held out the longest, but in the middle of last year it too introduced mandatory identity checks.

We see clear signs that regulators want to go further — to gain power not only over exchange accounts, but also over users’ cryptocurrency wallets.

Imagine how deep some G-man will stick his hand into citizens’ pockets with the inevitable disappearance of cash and the absence of alternatives in the form of KYC-free crypto services,” — note 50x.com.

Where to trade cryptocurrencies without KYC

50x.com is one of the few centralized cryptocurrency exchanges without verification procedures. The platform runs on Any2Any technology, which allows digital currencies to be exchanged without base assets such as Tether or bitcoin.

To register on the exchange, you need to provide an email and enable two-factor authentication (2FA). You can later add a separate code for withdrawals.

“You will not lose assets, even if you enter your password and 2FA on a phishing site. Different codes are required to log in to the exchange and to withdraw tokens,” — says the 50x.com website.

A prerequisite for starting trading is creating a master key for a one-time account recovery. When it is activated, 50x.com initiates the automatic withdrawal of cryptocurrencies to predefined addresses (Emergency Withdrawal Addresses, EWA).

“The master key will allow you to withdraw funds and close the account if you lose your password and/or 2FA. It does not pose additional risks for users: if an attacker steals the master key, it will trigger the withdrawal of tokens to your addresses,” — note 50x.com.

Conclusions

By 2024, all major exchanges had introduced mandatory verification. It should not be viewed as a “necessary evil”, however. KYC checks do not ensure the safety of client funds and are vulnerable to attacks that use artificial intelligence.

User identification has become standard practice in TradFi. The team at 50x.com believes that by its very nature it runs counter to the spirit of cryptocurrencies, restricts financial freedoms and exposes users’ personal data to unjustified risks.