@StarkWareLtd has unveiled a zero-knowledge identity system designed to let users pass a KYC check without surrendering their personal data to a central verifier. The prototype, called Private KYC, is built on STRK20, @Starknet's privacy layer, and works by flipping the logic of how identity verification is typically done.

How it works

A user scans their passport using their phone's NFC chip. That identity data is then encrypted and bound to their own Starknet account rather than stored on a third-party server. When a KYC check is required, the system generates a zero-knowledge proof of just the fact that matters, such as confirming the user is over 18, while name, date of birth, and document number remain sealed. No central verifier holds a copy of the document, so there is no database to breach.

STRK20, which launched in early June, introduces zero-knowledge privacy features for ERC-20 tokens, letting users shield balances and make private transfers without moving assets to a separate privacy chain. Its architecture relies on client-side zero-knowledge proofs built with StarkWare's Stwo prover and the Cairo programming language. Private KYC extends that same infrastructure into identity verification.

Targeting a well-documented problem

The timing of the demo is pointed. A KYC store becomes a data honeypot the moment it concentrates identity records someone else wants, and that concentration is something the rulebook compels, not something a control choice creates. The scale of recent incidents makes the case plainly: IDMerit, disclosed in February 2026, exposed a data set running to roughly 1 billion records, including approximately 203 million US records. The harm is also durable. Unlike passwords or credit card numbers, biometric data cannot be changed once compromised, posing long-term security risks: if fingerprints or iris patterns are stolen, the victim is permanently vulnerable to identity theft.

StarkWare's architecture sidesteps this problem by design. Because no raw document is ever handed to a verifier, there is no archive to steal. StarkWare chief executive Eli Ben-Sasson has said zero-knowledge systems could allow future investigations to request narrower information, though the approach has not yet faced broad regulatory testing, and institutions will still need to assess its legal, security, and operational controls before adoption.

For now, Private KYC is a demonstration pitched at government and institutional audiences, not a live product. Whether regulators will accept a ZK proof as a substitute for a stored document copy remains an open question. But as centralized identity databases continue to attract attackers, the architectural argument for an alternative is only getting stronger.

Sources:
Starknet: Make ERC-20 Tokens Private with STRK20
Finextra: The KYC Data Honeypot Is a Retention Mandate, Not a Security Failure
Fincrime Central: IDMerit data breach, 1 billion records exposed