OpenAI's KYC Provider Can Tie Your Wallet to a Government Report
When OpenAI asks for identity verification, you hand over a passport photo, a selfie, and a face video to Persona (persona.com). Most people assume the job is simple: verify age or identity, then discard the data. Research published in February 2025 argued the pipeline goes much further.
Researchers vmfunc, MDL, and Dziurwa said Persona's publicly accessible code included functions to file Suspicious Activity Reports directly with FinCEN, screen crypto wallet addresses through Chainalysis, and tag records with intelligence programme codenames. They said the code had been present since November 2023.
What Happens When You Do KYC for ChatGPT
OpenAI uses Persona for features that require identity checks. The front end looks routine: upload a passport or driver's license, take a selfie, record a short face video. Persona runs liveness checks and document authentication. OpenAI gets a yes or no.
The researchers said the back end is much broader than the public policy suggests:
What the Code Actually Shows
The researchers said they worked from Persona's publicly accessible code, not a breach, not a leak, and not rumor. They documented these functions:
| Capability found | What it does | Who receives the data |
|---|---|---|
| SAR filing | Files Suspicious Activity Reports on flagged users | FinCEN (US Treasury) |
| FINTRAC reporting | Files equivalent suspicious transaction reports | FINTRAC (Canada Treasury) |
| Intel programme tagging | Tags user records with codenames before filing | Classified intelligence programmes |
| Chainalysis screening | Screens linked crypto wallet addresses for risk score | Chainalysis API / Persona database |
| Persistent wallet monitor | Continuously re-polls wallet addresses against cluster graph | Chainalysis / Persona / FinCEN (if flagged) |
| Government ID retention | Retains passport/DL scans indefinitely | Persona database |
Security researcher Tanuki42 of SEAL911/zeroShadow reviewed the findings and said the government domains cited appear real and likely hosted on dedicated Persona infrastructure. DL News reported the story in February 2025.
Persona CEO Rick Song replied on X that Persona was not currently working with federal agencies. He did not answer the specific claims about SAR functions, Chainalysis integration, or permanent ID retention flags.
The Data Retention Problem
The gap is simple. OpenAI says KYC data is kept for "up to a year." The code the researchers reviewed pointed to this:
- General KYC data: maximum 3 years
- Government-issued identity documents: permanent retention
If that reading is right, deleting your OpenAI account does not mean your passport scan disappears. The identity document can stay in Persona's system indefinitely, ready for a later SAR filing or government request.
Why This Matters for Crypto Users Specifically
For a typical ChatGPT user, this can sound abstract. For crypto users, especially people who hold privacy coins, use no-KYC swaps, or have touched mixing tools, the risk is concrete.
The persistent wallet monitor creates a sequence like this:
- You submitted KYC for ChatGPT in 2024. Your passport is now permanently on record.
- Your wallet address was associated with your identity during that process.
- In 2026, you use a no-KYC swap to exchange Monero for Bitcoin.
- Chainalysis clusters your Bitcoin address with a "high-risk" pattern.
- Persona's persistent monitor flags the wallet. Your old identity record is pulled back up.
- A SAR is filed with FinCEN. You are never told.
That is the system the researchers described. The code had reportedly been live since November 2023.
The structural issue: KYC creates a durable link between identity and wallet history. Better privacy habits later do not erase that old link if it already lives in a database that can file SARs. The cleanest defense is to avoid KYC-heavy services, or to make sure future wallets have no chain link to the old identity.
What You Can Do
The Broader Pattern
Persona is not a niche vendor. It supplies KYC infrastructure to many companies beyond OpenAI, including fintech firms, crypto exchanges, and gig platforms. If the reported SAR and Chainalysis features sit at the platform level, the issue reaches far beyond one customer.
That is what KYC looks like at scale: not a small compliance step, but a standing surveillance pipeline with direct government reporting built into the product. Every quick identity check can become a durable record that links your biometrics, documents, and wallet history.
The policy says one thing. The code, according to the researchers, says another.
Source: DL News, February 2025. vmfunc.re security research by vmfunc, MDL, and Dziurwa. Cunicula receives no funding from government agencies, political organizations, or financial services companies.
Follow the Money
Persona sells KYC infrastructure backed by venture capital. FinCEN runs the federal database on the other end. Every identity check feeds both systems.
- Persona Technologies: $150M Series C · a16z + Index Ventures · clients: OpenAI, Brex, Mercury, Gusto · Chainalysis pre-screening integrated · govt ID retained permanently
- FinCEN / SAR system: $3T in transactions flagged annually · SAR database accessed by FBI · DEA · IRS-CI · BSA compliance industry $500M+/yr
- No-KYC alternative: Trocador · Haveno · SideShift → $0 Persona revenue · $0 Chainalysis pre-screen · 0 SARs generated
Frequently Asked Questions
Does OpenAI share KYC data with the government?
OpenAI uses Persona as its identity verification provider. Researchers in February 2025 said Persona's code included functions to file Suspicious Activity Reports directly with FinCEN, file similar reports with Canada's FINTRAC, and tag user data with intelligence programme codenames. Persona CEO Rick Song denied working with federal agencies at the time, but did not answer the specific code findings.
What does Persona do with your passport photo?
Researchers who reviewed Persona's code said government IDs submitted during KYC are kept permanently, even though OpenAI says data may be retained for up to a year. The code set most data to a maximum of 3 years, while government IDs were marked for permanent retention. Researchers also said linked crypto wallet addresses were screened through Chainalysis.
Is my crypto wallet address being monitored if I did KYC for ChatGPT?
Researchers said Persona's code linked KYC identities to crypto wallet addresses and screened them through Chainalysis. They also said this was not a one-time check. Once a wallet address entered the system, it could be polled indefinitely against Chainalysis' cluster graph. If a related address was flagged later, your identity was already attached.
What AI services don't require identity verification?
The safest option is a local LLM on your own hardware. Models such as Llama, Mistral, and Phi can run offline with no account, no KYC, and no data leaving your device. If you need a cloud service, look for one that takes anonymous payment and does not ask for government ID. See our guide to private AI and local LLMs for setup steps.
What is a Suspicious Activity Report and why does it matter for crypto users?
A Suspicious Activity Report, or SAR, is a secret filing that financial institutions send to FinCEN when they suspect illegal activity. You are not told when one is filed, and you cannot challenge it directly. For crypto users, SARs can attach wallet addresses, transaction patterns, and on-chain behavior to the same federal databases used by the FBI, DEA, and IRS.