When Coinbase disclosed earlier this month that a group of rogue overseas support agents had accessed customer data, the company emphasized that no passwords, private keys, or funds were compromised. But a new twist is raising alarm bells across the crypto world.

Today, an image surfaced online that appears to show Solana cofounder Raj Gokal holding his passport—part of the standard KYC (Know Your Customer) process required by most crypto exchanges. The photo was reportedly leaked through the hacked Instagram account of the former rap trio Migos, adding a bizarre layer of celebrity involvement to what is shaping up to be a major privacy crisis. The caption on a post by the hacked account read, "you should've paid the 40 btc," seeming to reference an extortion attempt. The posts have since been deleted.

While the exact source of the leak has not been confirmed, many in the crypto community believe it may be connected to the Coinbase breach. If that’s true, it would suggest that biometric-style verification images—photos of individuals holding government IDs—may have been among the compromised data. “This is like 10 times worse than a regular KYC leak,” one observer wrote. “If they have the KYC for the founders of Solana, then they have the KYC for every single person that ever used their platform.”

Even more disturbing, the leak reportedly included personal details about the founder’s wife, raising questions about whether the attack was targeted and whether more high-profile figures could be next.

The broader implication is chilling: KYC systems that rely on centralized storage of biometric data may be fundamentally flawed. Unlike email addresses or passwords, images of your face holding a passport are not something you can “reset” after a breach. These documents are often used across multiple platforms and jurisdictions, making the potential for identity theft, blackmail, or fraud far more severe.

While no direct link has yet been confirmed between the Solana leak and Coinbase’s breach, the timing and content of the leak are enough to raise alarm. If one of the most prominent founders in the industry isn’t safe, it calls into question the security practices of even the most regulated platforms.

The crypto community is left asking: If this is what we know now, what else is still hidden?