On February 4, Sumsub disclosed information about a security breach that went undetected for 1.5 years. The incident involved an external threat actor who reportedly submitted a malicious attachment via a 3rd party support ticketing platform, leading to the exposure of personal data of customer accounts.
Sumsub is a platform that offers KYC verification services for individuals, businesses, and transactions, using AI tools to prevent fraud and provide regulatory compliance at a global level.
The platform also provides services to blockchain protocols, including Chainalysis, Merkle Science, TRM Labs, Crystal, and Elliptic.
Sumsub is used by the wider crypto industry to prevent fraud and money laundering, and various key ecosystem players like Bitget, Bybit, MEXC, BingX, and others trust it.
Here’s what we know so far about the platform’s security breach and how it may have affected crypto platforms.
Sumsub’s official statement
On February 4, 2026, Sumsub released an official statement about the security incident, which reportedly took place approximately one and a half years ago. The unauthorized activity was detected retrospectively during a security review in January 2026.
Key findings
Key details about the breach, as revealed in the report, are based on Sumsub’s investigation and include the following:
- In July 2024, an external actor submitted a malicious attachment via a 3rd party support ticketing platform.
- The malware enabled limited unauthorized access to a support-related internal environment.
- Limited personal data, including names, email addresses, and phone numbers, was exposed.
- Biometric data, ID document images, bank accounts, payment details, government-issued ID data, and other higher-risk data were not accessed/compromised.
- Unauthorized activity was confined to the support-related internal environment only.
- Sumsub’s live ID verification workflows, customer APIs, and core production systems were not affected.
- Unauthorized activity didn’t go past July 2024.
Sumsub’s ongoing investigation and response
The platform states that after the security incident-related findings, it took the following measures:
- Initiated incident response procedures
- Engaged internal and external cybersecurity and forensic experts to support analysis, validation, and monitoring
- Notified affected customers directly
Security strengthening measures by Sumsub include the following:
- Enhancing threat protection
- Revisions to tech support personnel access controls
- Enhancing monitoring and incident detection capabilities
- Boosting endpoint protection, data loss prevention controls, monitoring, and logging capabilities, vulnerability scanning, and regular penetration testing
- Implementing bug bounty programs
Sumsub highlighted that it undergoes regular security audits and assessments, including SOC 2 Type II, ISO/IEC 27001, and ISO/IEC 27017 / 27018.
Late incident exposure raises red flags
The fact that a platform promising security, KYC verification, fraud prevention, and global regulatory compliance suffered a customer data breach in July 2024 that was not detected until January 2026 raises red flags and erodes trust.
Crypto investigator ZachXBT addressed the issue on X, replying to Sumsub’s latest analysis on major fraud and cybercrime cases in January 2026.
On February 9, Sumsub addressed multiple cases from last month, including European crypto money laundering, a credit card scam at a Texas McDonald’s, a Nike data breach, Swedish elderly frauds, a hack of DeFi protocol Truebit, and others.
A bit tone deaf to publish an article on other company incidents when Sumsub just disclosed a threat actor had access to sensitive data that went undetected for 1.5 yrs. pic.twitter.com/IvjCERJRBQ
— ZachXBT (@zachxbt) February 9, 2026
Despite the latest findings, the firm’s credibility is affected by the late exposure of its security incident, raising trust issues about the investigation results so far.
Sumsub responded to ZachXBT that this is their first incident of this kind in 10 years. However, there was another security incident involving Merkur AG in 2025, although no data leaks or breaches were reportedly found.
Potential impact on crypto firms
Sumsub’s 2024 incident may have affected multiple customers of the platform, including crypto firms for which user ID security is crucial.
So far, there are no known mentions of the Sumsub incident online, except from Ndax, a Canadian crypto platform and NHL partner.
The crypto platform mentioned the security incident via X, highlighting that no Ndax systems, passwords, 2FA codes, ID documents, banking, or payment details were exposed. Ndax is currently investigating the Sumsub breach with cybersecurity experts.
Ndax security update: a third-party KYC provider (SumSub) reported a security incident. Only basic contact information (name, phone number, email) may have been accessed.
No Ndax systems were compromised, and no passwords, 2FA codes, ID documents, banking or payment details were…
— Ndax (@ndaxio) February 7, 2026
Security is crucial for crypto platforms
Meanwhile, crypto platforms are advised to choose their security collaborators based on extensive analysis and check key criteria like security and data privacy, potential past incidents, and others.
A recent Bitget and BlockSec report addresses the UEX Security Standard, highlighting core benchmarks for the next generation of exchange security in the ecosystem.
