Three episodes that form a pattern

January 2026: Sumsub reveals that its infrastructure had been compromised since July 2024. The attack remained undetected for approximately eighteen months. Affected clients include Bitget, Bitpanda, Bybit, Huobi, and Wirex. Because Sumsub is one of the three largest global KYC providers, the event is of strategic magnitude.

February 2026: Cybernews publishes the results of an investigation into a publicly exposed MongoDB database belonging to IDMerit. The database contained approximately one billion unique personal records (three billion records in total, including duplicates), covering 26 countries. The data includes full names, residential addresses, dates of birth, national identity numbers, phone numbers, emails, and telecom metadata. The database had been exposed since November 2025 and was secured on November 12, 2025 following notification.

June 2026: A GrapheneOS user publishes a screenshot of a Yoti support email, claiming that his OS caused him to be reported to the authorities during a Sony PlayStation age verification. Denial and counter-denial circulate within 72 hours. The credibility of the screenshot remains disputed, but the March 2026 precedent (Yoti fined 950,000 euros by the Spanish AEPD for biometric mishandling) suggests a pattern of lax handling.

Three episodes, seven months, three different vendors, three different compromise mechanisms: undetected intrusion, faulty configuration, operational drift. Spread over 18 cumulative months, these are statistically difficult to classify as independent accidents.

Why this pattern, why now

KYC centralization established itself as the dominant architecture in the 2020-2024 period under the combined effect of regulatory pressure (FATF Recommendation 16, AMLD5, AMLD6, MiCA) and economies of scale. A single vendor serves several hundred platforms. The consequence is concentration of sensitive data in infrastructures whose target value for an attacker bears no relation to their public visibility.

In 2025, several factors accelerated the exploitation of this concentration: the maturation of fuzzing tools for exposed NoSQL databases, the proliferation of credentials stolen via infostealers, and the operational difficulty of auditing a third-party SaaS vendor. KYC vendors operate in an intermediate transparency zone: regulated enough to be compelled into certifications (ISO 27001, SOC 2), but not enough to be audited annually by their regulators, as banks are.

The consequences for already verified users

A user who has completed KYC with one of the five exchanges affected by Sumsub technically cannot revoke their data. ID documents, selfies, and biometric records remain somewhere in a compromised infrastructure over which they control neither retention nor distribution. This is an operational truth that deserves to be named. KYC, once done, is irreversible. Any subsequent compromise of the vendor exposes a complete lifetime of identification.

For a user who finds themselves in this situation, effective actions are limited: continuous monitoring of breach databases (Have I Been Pwned), updating emergency contacts with banking institutions, and preparing for the scenario where secondary credentials (security questions, biometric identifiers) may have leaked alongside ID documents.

The options for users who have not yet verified

The central argument of this arc is that deferring KYC, when possible, has become a rational decision for the user. Not out of ideological principle, but out of probability calculation. Submitting an ID document to a SaaS vendor in 2026 means accepting a non-negligible probability that this data will be exposed within the next three years. The exact probability is not calculable, but the 2024-2026 history places it clearly above the acceptable threshold for an informed user.

Workarounds, for use cases that allow them, have long been described within the scope of our directory. Prepaid cards without verification (PinToPay, FotonCard, Goblin Card for everyday use), P2P exchanges without KYC for purchasing Monero or Bitcoin (Haveno, Bisq, BasicSwap), email aliasing for services that require a verified email without imposing ID verification. None of these solutions cover all cases. All reduce exposure.

The political question

The Sumsub-IDMerit-Yoti arc implicitly raises a political question that current regulation does not address. If centralized KYC is the architecture required by regulators, and if this architecture is demonstrated to be structurally vulnerable, then regulators bear shared responsibility for the resulting compromises. This responsibility is nowhere explicitly assumed. ESMA, FinCEN, FCA, AEPD still operate on the assumption that KYC is a net benefit.

Alternatives exist, in theory. Decentralized identity proofs, zero-knowledge credentials, offline cryptographic attestation. None of these solutions has yet reached mature commercial stage, and their regulatory adoption is nil. This is a gap that will need to be closed.
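To make the "offline cryptographic attestation" alternative concrete, here is an added example (not code from the directory or from any vendor named above) of the pattern behind selective-disclosure credentials: an issuer signs only salted hash commitments of each identity claim, the holder later reveals a single claim ("over_18") with its salt, and any verifier checks it offline against the issuer's public key. The verifier never receives the date of birth, the other claims, or the source document, which is exactly the data a centralized KYC vendor would otherwise accumulate. The signature scheme is a Lamport one-time signature over SHA-256 so the block runs on the Python standard library alone; that choice, the claim names, the "example-issuer" label and the sample values are all assumptions of this example, and a production design would use Ed25519 and an SD-JWT or BBS+ style credential instead.

```python
import hashlib
import json
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature: stdlib-only stand-in for Ed25519 ----------
def lamport_keygen():
    """256 pairs of random 32-byte secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """Reveal one secret per message bit. A Lamport key must sign only once."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg))
    )


# --- Selective-disclosure credential ---------------------------------------
def commit(name: str, value, salt: bytes) -> str:
    """Salted hash of one claim. Without the salt, a low-entropy value such
    as a birth year cannot be brute-forced from the commitment alone."""
    return H(salt + json.dumps([name, value], sort_keys=True).encode()).hex()


def issue(issuer_sk, claims: dict):
    """Issuer side: sign the commitments, never the raw claims.
    Returns the public credential and the holder's private disclosure data."""
    salts = {name: secrets.token_bytes(16) for name in claims}
    commitments = sorted(commit(n, v, salts[n]) for n, v in claims.items())
    payload = json.dumps({"issuer": "example-issuer", "commitments": commitments}).encode()
    credential = {"payload": payload.decode(), "signature": lamport_sign(issuer_sk, payload)}
    disclosures = {n: (v, salts[n]) for n, v in claims.items()}
    return credential, disclosures


def present(credential, disclosures, name: str):
    """Holder side: reveal exactly one claim together with its salt."""
    value, salt = disclosures[name]
    return {"credential": credential, "name": name, "value": value, "salt": salt}


def verify_presentation(issuer_pk, presentation) -> bool:
    """Verifier side: needs only the issuer's public key, so it works offline."""
    cred = presentation["credential"]
    payload = cred["payload"].encode()
    if not lamport_verify(issuer_pk, payload, cred["signature"]):
        return False
    commitments = json.loads(payload)["commitments"]
    return commit(presentation["name"], presentation["value"], presentation["salt"]) in commitments


def demo() -> dict:
    """End-to-end run over constructed sample claims (not real personal data)."""
    sk, pk = lamport_keygen()
    claims = {"over_18": True, "country": "FR", "birth_year": 1990}
    credential, disclosures = issue(sk, claims)
    valid = verify_presentation(pk, present(credential, disclosures, "over_18"))
    # A holder altering the revealed value breaks the commitment match.
    forged = present(credential, disclosures, "over_18")
    forged["value"] = "anything"
    forged_ok = verify_presentation(pk, forged)
    # A credential signed by someone else fails under the real issuer's key.
    _, other_pk = lamport_keygen()
    wrong_issuer_ok = verify_presentation(other_pk, present(credential, disclosures, "over_18"))
    # Only name, value and salt of the chosen claim leave the holder's device.
    fields_sent = sorted(k for k in present(credential, disclosures, "over_18") if k != "credential")
    return {"valid": valid, "forged": forged_ok, "wrong_issuer": wrong_issuer_ok,
            "fields_sent": fields_sent}


if __name__ == "__main__":
    print(demo())
```

The point of the design is where the data sits: the issuer keeps the document check on its side, the holder keeps the salts, and the verifier stores nothing but a boolean outcome. A breach of the verifier therefore yields no reusable identity records, which is the property the centralized vendors in this arc lack.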

Verdict

The Sumsub-IDMerit-Yoti arc is not a series of accidents. It is the empirical demonstration of a structural fragility in the centralized KYC model. For our readership, the operational consequence is clear: minimize exposure, choose services that accept less intrusive verification, and accept that an ergonomic compromise today reduces an exposure risk tomorrow. For regulators, the political consequence is harder to acknowledge. The directory will continue to flag compromises as they are published.