Coinbase Pushes for ZK-enabled AML Overhaul Just Months After Data Breach

After a data leak affecting tens of thousands of users, Coinbase is now touting cryptographic tools as a fix for outdated financial crime laws.
Just months after suffering a major data breach, Coinbase is now pointing to cryptographic privacy tools as a potential fix for what it calls “arcane” financial crime laws.

In an Aug. 4 blog post, Coinbase’s chief legal officer, Paul Grewal, argued that the U.S. Bank Secrecy Act, which governs financial reporting and know-your-customer (KYC) rules, is outdated.

He urged lawmakers to modernize the framework by allowing the use of zero-knowledge proofs (ZKPs), a cryptographic tool that can prove facts about users, such as age or residency, without exposing their full personal data.

Grewal says the current version of the Bank Secrecy Act is “still rooted in decades-old requirements that reflect paper-based compliance protocols and a financial system in which funds moved over days, not seconds.”

“Beyond the annoyance customers feel every time they repeat the KYC process, these personal files are honeypots for criminals. Companies are required by law to hold your data for years and to send that data to bureaucrats,” Grewal explained.

In contrast, ZKPs could allow users to verify identity credentials while reducing the risks associated with storing sensitive data. Law enforcement would still retain the ability to subpoena full records if necessary, he said.
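To make the idea concrete, here is an added example (not from Coinbase, Grewal, or any project named in the article) of selective disclosure over a KYC record: the issuer commits to each attribute separately, and the holder opens only the attributes a verifier needs, such as "over 18" and residency, while name, date of birth and SSN digits stay hidden. It uses salted hash commitments and an HMAC stand-in for the issuer's signature rather than a real zero-knowledge proof; the record and key are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Constructed sample KYC record held by the issuer (hypothetical data).
ISSUER_RECORD = {
    "name": "Jane Example",
    "dob": "1990-04-12",
    "ssn_last4": "1234",
    "residency": "US",
    "over_18": True,
}
# Stand-in for the issuer's signing key. A real deployment would use a
# public-key signature so the verifier needs no shared secret.
ISSUER_KEY = b"constructed-demo-key"


def commit(value, salt):
    """Salted SHA-256 commitment to one attribute; the salt hides the value."""
    return hashlib.sha256(salt + json.dumps(value).encode()).hexdigest()


def issue_credential(record):
    """Issuer commits to each attribute separately and signs the commitment set."""
    salts = {k: os.urandom(16) for k in record}
    commitments = {k: commit(record[k], salts[k]) for k in record}
    payload = json.dumps(commitments, sort_keys=True).encode()
    signature = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"commitments": commitments, "signature": signature}, salts


def present(record, salts, attrs):
    """Holder discloses only the requested attributes with their salts."""
    return {k: {"value": record[k], "salt": salts[k].hex()} for k in attrs}


def verify(credential, presentation):
    """Verifier checks the issuer signature, then that every disclosed value
    opens its commitment. Undisclosed attributes stay hidden behind hashes."""
    payload = json.dumps(credential["commitments"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["signature"]):
        return False
    return all(
        commit(d["value"], bytes.fromhex(d["salt"])) == credential["commitments"].get(k)
        for k, d in presentation.items()
    )
```

The verifier stores only the commitments and the disclosed facts, so a breach of the verifier leaks no dates of birth or SSN digits; the issuer still holds the full record and can answer a lawful records request, which is the trade-off the article's later commentary turns on.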

Data Breach

Grewal's post comes less than three months after Coinbase revealed that nearly 70,000 customers were affected by a data breach linked to third-party contractors.

The breach, which began in December 2024 and was discovered only in January, involved unauthorized access to ID images, partial Social Security numbers, bank account data, and, in some cases, passport details. Coinbase disclosed the incident publicly only in May, stating it had declined to pay a $20 million ransom demand and had cut ties with the vendor involved.

Instead, the exchange launched a $20 million bounty program for information related to the breach and pledged to compensate affected users. Fixing the breach could cost Coinbase between $180 million and $400 million, but so far, there’s no sign the company has identified the perpetrator.

Coinbase did not respond to The Defiant’s request for comment.

Omar Azhar, vice president of business development at Matter Labs, the firm behind the ZKsync network, told The Defiant that ZKPs are already being used in real-world settings.

“Using ZK and blockchain-based verifiable credentials for identity is a proven technology that already exists,” Azhar said. “We just need the political movement here in the US to implement it. The government of Buenos Aires already uses verifiable credentials on ZKsync through QuarkID for all their residents when they need to verify identity to anyone in their day-to-day lives.”

Deeper Issues

Security experts say the breach highlights a deeper structural issue in the crypto industry. “The Coinbase incident, yet again, emphasizes how vulnerable centralized systems and single points of failure are to attacks,” David Carvalho, founder and CEO of Naoris Protocol, told The Defiant in May. “Cybercriminals know this and are becoming more and more adept at exploiting these weaknesses.”

Carvalho warned that the problem will only intensify unless firms adopt decentralized approaches to security. “The bottom line is that any sensitive information or data should be protected by a decentralized system, rather than human gatekeepers,” he said.

Legal and Practical Barriers

Shiv Shankar, CEO of Boundless, a decentralized marketplace for ZK compute, called Grewal’s proposal timely.

“The assumptions behind existing compliance frameworks, centralised data collection, repeated identity disclosures, and manual transaction review reflect the constraints of outdated systems,” Shankar said in a commentary for The Defiant. “Modern cryptography offers a more precise and privacy-preserving alternative.”

But some in the industry argue that even though the idea sounds good, it has serious legal and practical challenges.

Hon Ng, chief legal officer at Bitget, told The Defiant that the Bank Secrecy Act, as it stands, “provides limited flexibility.” He noted that institutions are required to know their customers, not merely verify cryptographic attestations.

“Even if the data is verified elsewhere, if your company is subject to BSA/AML rules, you still need to be able to furnish that data upon request, either to law enforcement or regulators,” Ng said.

“In authentic ZKP systems, verifiers do not access underlying data. However, U.S. compliance requires auditable trails and responsive data access, capabilities that ZKP models cannot provide unless supported by centralized issuers, thereby negating privacy advantages,” the Bitget CLO explained.

Ng said companies like Coinbase could pilot ZKPs in limited compliance settings, but full-scale adoption would require “comprehensive regulatory reform to become viable.”

Edwin Mata, CEO of tokenization firm Brickken, echoed that view. He called Grewal’s stance “visionary but not yet practical at scale.” While the technology exists, Mata said, the U.S. legal environment is not yet equipped to treat cryptographic attestations as legally sufficient.

He also pointed to implementation costs and legal ambiguity around custodianship. “A privacy-preserving system that limits issuer access might improve user confidentiality, but it introduces ambiguity around custodianship of information, auditability, and enforceability,” Mata said. Without clear legal interoperability, this could become a compliance liability rather than a solution.

Mata added that meaningful change would require new standards, updated laws, and incentives for institutions to overhaul legacy systems. “Without doing so,” he warned, “the benefits of innovation risk being limited to narrow use cases, rather than enabling systemic change.”

Editor's note: This article has been updated to add further expert commentary and additional context in the section "Legal and Practical Barriers."
