Big props to @owocki and @MathildaDV for pushing this sensemaking approach forward. One of the biggest pain points I ran into while running Gitcoin Grants was KYC. It is a legal requirement, but it is also an Achilles heel for much of the Web3 space, creating massive honeypots of personal data that are magnets for trouble. I am putting this report forward to explore how Gitcoin could lead the charge in building and testing open-source, privacy-preserving, legally-compliant KYC solutions, and actually dogfood them while allocating funds and making these tools widely available to others in the space.
GG24 Sensemaking Report: Privacy-Preserving, Legally-Compliant KYC for Grants and Web3
Problem & Impact
Every time someone says “KYC,” I picture a giant jar of honey left out in the open. It’s put there with the best intentions, maybe to cook something delicious or feed the community, but it also attracts every bear, wasp, and opportunist in the area.
When I ran Gitcoin’s grants program, that “honey” was stacks of sensitive identity documents sitting where anyone with the wrong intentions could get to them. You don’t have to be a security expert to know that’s asking for trouble. Identity documents are powerhouse bait. You leak them and you have trouble.
We’ve seen the consequences:
- Ledger: customer data breach that exposed names, phone numbers, and addresses to attackers.
- Fractal ID: over 6,300 users exposed, including passports and selfies, because an operator account got compromised.
- Transak: hit via third-party KYC vendor access, affecting 92,000 users’ names, dates of birth, ID documents, and selfies.
- Coinbase: internal breach where bribed staff leaked 70,000 users’ IDs and addresses.
- Quadriga: personal documents sent to a now-infamous exchange operator, later revealed to be fraudulent.
This is not just a security problem, it’s a systemic trust problem. Every time a grant platform, exchange, or protocol uses traditional KYC, it inherits the honeypot risk. One breach can have devastating effects on vulnerable communities—activists, dissidents, and marginalized groups—who depend on privacy for their safety.
Right now, there’s no broadly adopted, open-source, privacy-preserving KYC solution that meets legal requirements and doesn’t store raw personal data. That’s why this is urgent: regulators like OFAC and FATF are tightening compliance rules, while users’ tolerance for surveillance and data risk is plummeting.
Meaning Check: This matters to users because the stakes are personal. When someone’s ID, address, and face are exposed, the risk is not hypothetical—it’s phishing attacks, harassment, stalking, identity theft, and sometimes physical danger. For grants programs like Gitcoin’s, the current model puts both applicants and program staff in a position where sensitive data is accessible, creating liability and anxiety on both sides.
Sensemaking Analysis
Tools used:
- Comparative breach analysis of Web3 and fintech KYC incidents.
- Stakeholder perspective from running Gitcoin’s grants program and participating in other KYC-heavy ecosystems like Thrive.
- Evaluation of emerging privacy-preserving identity technologies, including zero-knowledge proofs (ZKPs), verifiable credentials (VCs), and “proof of clean hands” frameworks.
Sources consulted:
- Public reporting on KYC data breaches from CoinTelegraph, CryptoSlate, The Paypers, and others.
- Gitcoin governance discussions on trust, compliance, and domain stewardship.
- Technology documentation from projects like Holonym, Human Passport, and zkKYC research groups.
Data aggregation:
I cross-referenced breach incidents with the KYC vendor model used, looked at whether storage was centralized or encrypted, and identified where insider access was possible. I also compared legal requirements (OFAC, FATF, GDPR) against technical capabilities of ZKPs and VCs to confirm that privacy-preserving compliance is viable.
The picture is clear:
- Centralized document storage is the most common failure point.
- Insider abuse is almost as common as external hacks.
- There is no shortage of technical approaches—what’s missing is an open, trusted, well-funded space to develop and scale them.
Gitcoin can use GG24 as a platform to surface, test, and scale multiple approaches to privacy-preserving KYC, then “dogfood” the winning prototypes in live grant rounds.
Gitcoin’s Unique Role & Fundraising
Unique role:
Gitcoin can do what few organizations can: fund public goods, run experiments in production, and convene developers, legal experts, and privacy advocates in the same room. This is not about picking one vendor. It’s about running an open competition of ideas and implementations.
Gitcoin’s grants program is the perfect live environment to test these solutions at scale, using real users and real compliance needs. The process itself can be part of the experiment, whether through a conventional grant round, a deputized expert panel, quadratic funding for community-vetted tools, or hybrid approaches.
Why a network, not one org:
The privacy-preserving KYC challenge is too broad for a single company to solve. A network approach allows multiple vendors to emerge, iterate, and compete. This avoids lock-in, reduces systemic risk, and encourages interoperability.
Fundraising reality check:
This is a problem the ecosystem will pay to solve. Likely sponsors and partners include privacy tech orgs, compliance-conscious DeFi protocols, exchanges and foundations focused on open-source infrastructure. There is a clear path to $50K+ in matching funds from sources like:
- Ethereum Foundation’s Privacy & Scaling teams.
- Protocol Labs (Filecoin/Libp2p ecosystem).
- ZK technology grants programs.
- Public goods funds from major L2s (Optimism, Arbitrum).
- Centralized exchanges and other vendors like Coinbase.
Success Measurement & Reflection
Outcomes in 6 months:
- At least two open-source, ZKP-enabled KYC systems deployed by GG25.
- No raw ID data stored in human-readable form.
- At least one system passes an independent compliance and legal audit.
- One other grant platform or crypto protocol adopts a funded solution.
Measuring genuine impact:
Beyond counting active integrations, we can measure:
- Reduction in sensitive data exposure points for Gitcoin staff and grantees.
- Audit results confirming privacy and compliance claims.
Satisfaction test:
In 6 months, the Ethereum community should be able to say:
- “We’ve proven that you can run a legally compliant KYC process without building a data honeypot.”
- “We have open-source reference implementations anyone can adopt.”
- “We used Gitcoin to fund and test it ourselves.”
Domain Information
Proposed domain: Privacy-Preserving Compliance Infrastructure
Domain experts:
- Privacy tech developers (e.g., Holonym, zkKYC researchers)
- Crypto-savvy compliance lawyers
- Gitcoin grants ops veterans
- ZK and AI computer vision engineers
Mechanisms:
- Quadratic funding rounds for community input.
- Milestone-based direct grants with expert reviewers.
Sub rounds:
Yes. Could include:
- Prototype sprint.
- Audit and compliance challenge.
- Integration round for adopting platforms.
I am very much open to iterating on the methodology or structure for this idea. The key thing is creating a space for finding working, legally compliant KYC solutions that are open source and privacy preserving.