A crypto trader known as TraderSZ recently went public with claims that a former employee of the fintech company Revolut had targeted him for extortion. The ex-staffer allegedly dug up the trader’s personal details from internal systems, then reached out to family members who also used the app, threatening to leak Know Your Customer (KYC) information and other private data unless a crypto-denominated ransom was paid. TraderSZ shared screenshots of the messages and his exchanges with Revolut support.
Revolut later confirmed the incident to crypto-focused media outlet Cointelegraph and said it had reported the former employee to law enforcement. A spokesperson stated, “This matter relates to the unlawful and criminal actions of a third party, who is a former employee.”
Reminder to be careful when using @Revolut
Their employees have tried to extort me threatening to share my personal details
They looked up my details and found any other family member using Revolut and contacted them to force to pay up or be blackmailed
Other people on ct… https://t.co/jCCyC4a4Gz pic.twitter.com/8KGQ345HUN
— TraderSZ (@trader1sz) February 19, 2026
Revolut insists no systems were breached, yet the fact that a single ex-employee could access sensitive customer records highlights the core problem. As noted cypherpunk and Satoshi candidate Nick Szabo pointed out years ago in his essay “Trusted Third Parties Are Security Holes,” relying on any central intermediary to hold private keys or personal data simply shifts risk to that single point of failure.
This sort of philosophy sits as one of the core tenets behind the original creation of Bitcoin and its associated blockchain technology, which decentralizes the data security issue and keeps it in the hands of each individual end user. There is now a growing tension between those who want to retain this ideology and crypto startups that are increasingly taking centralization shortcuts in an effort to move fast and gain user adoption by any means necessary.
Of course, regulators and lawmakers effectively force fintechs and banks into this model through anti-money laundering and Know Your Customer rules. Companies must collect passports, addresses, transaction histories, biometrics, and other personal data to comply. The result is exactly what cypherpunks warned against: massive centralized databases that become honeypots for insiders and outsiders alike.
So I don’t know why more people don’t scream about this but KYC does not prevent crime.
I’m gonna lay out the numbers here because people do need to see this. The cost of pretending it works is measured in actual human lives now. follow along 🧵 1/15
— Grafton (Disco) @ Vexl (@satsdisco) February 20, 2026
Grafton Clark, who is head of growth at peer-to-peer bitcoin exchange app Vexl, laid out the data associated with this issue in an X thread. Peer-reviewed research by Ronald Pol, senior researcher at La Trobe University in Australia, shows AML/KYC rules catch less than 0.1% of criminal funds. Global compliance costs exceed $200 billion annually, while recoveries sit below 2% in the EU and 0.2% in the US, which means the system spends over 100 times more than it recovers.
These databases also link real-world identities directly to crypto holdings, turning users into visible targets for physical theft. “These people aren’t being targeted because of Bitcoin,” Clark wrote. “They’re being targeted because their identity was linked to their holdings. That is KYC.”
At the same time, fully KYC-compliant banks have also moved hundreds of billions in laundered money for criminals with little real consequence, with a case involving the processing of $160 billion with little to no oversight by the largest bank in Denmark’s Estonian branch as just one example. However, blockchain data indicates criminal use of crypto, particularly stablecoins, is also on the rise with a reported processing of a record $154 billion in illicit transfers last year.
Data Show Rising Physical Threat to Crypto Users
There is also data to back up Clark’s claims of the physical threat these systems create for crypto users. A new report from physical crypto security firm Gart documents 305 publicly verified cases of crypto-targeted physical attacks from 2014 through early February 2026. 2025 set the record with 76 incidents, and the first six weeks of 2026 indicate that number could be matched or even exceeded this year.
Two recent U.S. examples illustrate how data leaks enable these “$5 wrench attacks.” In one incident that mirrored a previous episode of Black Mirror, two teenagers posed as delivery drivers, duct-taped victims in their Scottsdale, Arizona home, and demanded $66 million in crypto on orders from extortionists who supplied the target details. In San Francisco’s Mission Dolores neighborhood late last year, a gunman posing as a delivery driver tied up a resident and stole $11 million after forcing access to wallets. Both cases echo tactics seen in dozens of documented home invasions and kidnappings worldwide.
And data breaches from centralized entities can supply the targeting information for these attacks. Last year, Coinbase customer service agents were bribed for customer data. A French tax official allegedly used government software to pull crypto investor records and sold them to criminals. Ledger’s third-party payment processor also suffered a breach, following the crypto hardware wallet manufacturer’s earlier 2020 leak that exposed addresses of nearly 272,000 customers and led to phishing and physical threats.
These sorts of centralized entities in crypto create issues of all kinds no matter who runs them. The son of a top executive at a firm in charge of storing U.S. government crypto assets was recently accused of stealing $40 million worth of those assets. In South Korea, a crypto exchange accidentally transferred $43 billion in paper bitcoin to users, which is an amount they don’t even control according to on-chain data.
While decentralized finance (DeFi) is oftentimes referred to as a solution to these issues, DeFi protocols have suffered “Office Space” style bugs and other exploits that required centralized rollbacks, pointing to the reality that the “de” in DeFi is often nothing more than theater for marketing purposes. These sorts of hacks have, at times, created an existential crisis for this technology. That said, there is also clearly some value here when it comes to simpler, steadier protocols like Bitcoin, at least for those who are willing and able to take the responsibility of securing their own assets.
Seventeen years after Bitcoin’s genesis block, the reality is self-custody of digital assets still isn’t simple for most people. While hybrid approaches where keys are split between user devices and trusted multisig signers could offer a middle ground between complete decentralization of custody and a model of bitcoin banking, better solutions for securing both personal data and crypto assets at centralized firms are urgently needed.
As the Electronic Frontier Foundation has repeatedly highlighted in the past, there is likely a mismatch of incentives here that may need to be fixed through legislation. In commentary following the Equifax breach settlement all the way back in 2017, the EFF noted that “the lack of legal accountability means that the companies that hold our sensitive data continue to have insufficient incentives to take the steps necessary to protect us against the next breach.”
That said, as Pol’s aforementioned research indicated, the first step towards fixing things may be simply admitting that there is indeed a serious problem here. “Frankly acknowledging policy failure can start the process of overcoming it,” wrote Pol.
Read the full article here
