Coinbase Pushes for ZK-enabled AML Overhaul Just Months After Data Breach

Just months after suffering a major data breach, Coinbase is now pointing to cryptographic privacy tools as a potential fix for what it calls “arcane” financial crime laws.

In an Aug. 4 blog post, Coinbase’s chief legal officer, Paul Grewal, argued that the U.S. Bank Secrecy Act, which governs financial reporting and know-your-customer (KYC) rules, is outdated.

He urged lawmakers to modernize the framework by allowing the use of zero-knowledge proofs (ZKPs), a cryptographic tool that can prove facts about users, such as age or residency, without exposing their full personal data.

Grewal says the current version of the Bank Secrecy Act is “still rooted in decades-old requirements that reflect paper-based compliance protocols and a financial system in which funds moved over days, not seconds.”

“Beyond the annoyance customers feel every time they repeat the KYC process, these personal files are honeypots for criminals. Companies are required by law to hold your data for years and to send that data to bureaucrats,” Grewal explained.

In contrast, ZKPs could allow users to verify identity credentials while reducing the risks associated with storing sensitive data. Law enforcement would still retain the ability to subpoena full records if necessary, he said.

Data Breach

Grewal’s post comes less than three months after Coinbase revealed that nearly 70,000 customers were affected by a data breach linked to third-party contractors.

The breach, which began in December 2024 and was discovered only in January, involved unauthorized access to ID images, partial Social Security numbers, bank account data, and, in some cases, passport details. Coinbase disclosed the incident publicly only in May, stating it had declined to pay a $20 million ransom demand and had cut ties with the vendor involved.

Instead, the exchange launched a $20 million bounty program for information related to the breach and pledged to compensate affected users. Fixing the breach could cost Coinbase between $180 million and $400 million, but so far, there’s no sign the company has identified the perpetrator.

Coinbase did not respond to The Defiant’s request for comment.

Omar Azhar, vice president of business development at Matter Labs, the firm behind the ZKsync network, told The Defiant that ZKPs are already being used in real-world settings.

“Using ZK and blockchain-based verifiable credentials for identity is a proven technology that already exists,” Azhar said. “We just need the political movement here in the US to implement it. The government of Buenos Aires already uses verifiable credentials on ZKsync through QuarkID for all their residents when they need to verify identity to anyone in their day-to-day lives.”

Deeper Issues

Security experts say the breach highlights a deeper structural issue in the crypto industry. “The Coinbase incident, yet again, emphasizes how vulnerable centralized systems and single points of failure are to attacks,” David Carvalho, founder and CEO of Naoris Protocol, told The Defiant in May. “Cybercriminals know this and are becoming more and more adept at exploiting these weaknesses.”

Carvalho warned that the problem will only intensify unless firms adopt decentralized approaches to security. “The bottom line is that any sensitive information or data should be protected by a decentralized system, rather than human gatekeepers,” he said.