Privacy-focused Aleo users concerned after KYC documents leak

Decentralized blockchain platform Aleo revealed some users’ information on Feb. 25, according to reports on X (formerly Twitter). The platform focuses on zero-knowledge (ZK) cryptography and uses a third-party protocol for Know Your Customer (KYC).

A user named Emir Soytürk said Aleo mistakenly sent KYC documents to his email. These documents included selfies and ID card photos of another person, making him concerned about the security of his own information.

Another user, Selim C, confirmed the claim, stating that he also got the KYC documents of another person in his email.

To claim a reward on Aleo, users must complete KYC and Anti-Money Laundering (AML) requirements and pass the Office of Foreign Assets Control (OFAC) screening in accordance with Aleo’s internal policies. Users must complete this process when signing up for HackerOne, a third-party protocol to collect users’ unencrypted KYC data.

Cryptocurrencies, zk-Rollup, Decentralization, KYC

Related: Citrea raises $2.7M in seed funding to launch Bitcoin ZK-rollup

ZK layer-1 blockchain platforms focus on providing enhanced privacy and security for users. They employ ZK-proof cryptographic techniques to enable transactions without revealing specific details, ensuring confidentiality.

This privacy-centric approach makes it challenging for external parties to trace or access sensitive information, offering users greater control over their data. These platforms aim to enhance privacy in blockchain transactions, making them securer and more confidential for participants.

Cointelegraph spoke to Mike Sarvodaya, founder of Galactica — a layer-1 blockchain infrastructure — who explained that such a protocol should never theoretically allow access to user data. He said:

“It’s ironic that a protocol for programmable privacy uses a third party to collect users’ unencrypted KYC data after that leaks to the public. Apparently, when your ZK stack is so advanced, you might just forget how to practice basic opsec.”

According to Sarvodaya, the Aleo case ironically underscores the significance of creating storage and proof systems for sensitive data — like Personally Identifiable Information (PII) — based on ZK or fully homomorphic encryption (FHE). In such systems, protocol rules must ensure that no single party can reveal stored data.

The Aleo mainnet is set to launch in the next few weeks, once some final bugs have been taken care of, to bring privacy to crypto transactions, as stated by Aleo Foundation executive director Alex Pruden in an interview with The Block.

Magazine: What did Satoshi Nakamoto think about ZK-proofs?