A security investigation has accused Persona, the company handling know-your-customer checks for OpenAI, of sending user data including crypto addresses to federal agencies like FinCEN. Researchers found code that enables monitoring and reporting of suspicious activities. Persona denies current ties to federal agencies.
On February 18, security researchers vmfunc, MDL, and Dziurwa published an investigation revealing publicly accessible code in Persona's system that appears to transmit data collected during OpenAI's KYC process to the Financial Crimes Enforcement Network (FinCEN), a US Treasury bureau. This data includes passport photos, selfies, and videos submitted by users verifying their identity to access advanced ChatGPT features. The code, in place since November 2023, also integrates with Chainalysis to screen associated crypto addresses for risks, analyze interactions, and enable persistent monitoring via a watchlist system.
The researchers highlighted the platform's capabilities, stating, “The same company that takes your passport photo when you sign up for ChatGPT also operates a government platform that files Suspicious Activity Reports with FinCEN and tags them with intelligence programme codenames.” They added, “So you uploaded a selfie to use a chatbot? Congratulations! It’s now being compared against a database of every politician, head of state, and their extended family tree on earth.”
Multiple security experts, including Tanuki42 from blockchain incident response groups, confirmed the findings' credibility, noting that the cited government domains exist and are likely hosted by Persona. However, questions remain about motives, usage, and exact criteria for triggering screenings or reports.
Persona CEO Rick Song responded on X, expressing disappointment and claiming the researchers did not contact him beforehand. In emails shared by Song, he stated that his company does not work with any federal agency today, though he did not directly address the code's implications. A post from Song read, “I am genuinely disappointed in how all of this has been handled,” and praised vmfunc's talent. OpenAI and Persona did not respond to requests for comment from DL News.
The revelations raise concerns amid growing unease over KYC requirements, which screen against sanctions, terrorism links, and financial crimes but also expose users to potential data misuse or breaches. Retention periods are unclear, with discrepancies between OpenAI's stated one-year limit and code indicating up to three years or permanent storage for government IDs.
