Starknet Private KYC Launches to Keep Passport Data Out of Company Databases

Starknet Private KYC is StarkWare’s latest attempt to decouple identity verification from bulk data collection, letting users prove age, credential validity or eligibility through zero-knowledge STARK proofs without handing over a full passport scan to every platform that asks.

The system, released as a demo, begins when a user scans a passport on a phone. The camera and NFC chip authenticate the document against its issuing authority’s signature. Identity data is then encrypted to a Starknet wallet, and users can register selected attributes in a public on-chain registry. Verifiers query zero-knowledge proofs against that registry and see only the confirmed fact, not the underlying document.
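The register-then-verify flow described above, as an added sketch that is not StarkWare's code: it swaps the STARK proofs for plain salted hash commitments, so the holder reveals one attribute's value and salt to the verifier instead of a zero-knowledge proof. It assumes the attributes were already authenticated against the passport signature; all names (`Wallet`, `commit`, `verify`, `age_over_18`) and the sample data are hypothetical.

```python
import hashlib
import hmac
import secrets
from datetime import date

def commit(name: str, value: str, salt: bytes) -> str:
    # Length-prefix the name so ("ab", "c") and ("a", "bc") cannot collide.
    msg = len(name).to_bytes(2, "big") + name.encode() + value.encode()
    # The random salt keeps low-entropy values (True/False, dates) unguessable.
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()

def age_over(birth: date, years: int, today: date) -> bool:
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1) >= years

class Wallet:
    """Holder side: values and salts stay here until explicitly disclosed."""
    def __init__(self, attrs: dict[str, str]):
        self._attrs = dict(attrs)
        self._salts = {k: secrets.token_bytes(32) for k in attrs}

    def register(self, selected: list[str]) -> dict[str, str]:
        # Only commitments for the chosen attributes reach the public registry.
        return {k: commit(k, self._attrs[k], self._salts[k]) for k in selected}

    def disclose(self, name: str) -> tuple[str, str, bytes]:
        return name, self._attrs[name], self._salts[name]

def verify(registry: dict[str, str], disclosure: tuple[str, str, bytes]) -> bool:
    name, value, salt = disclosure
    expected = registry.get(name)
    if expected is None:  # attribute was never registered
        return False
    return hmac.compare_digest(expected, commit(name, value, salt))

# Constructed sample data, not a real document.
BIRTH = date(1990, 5, 17)
TODAY = date(2025, 1, 1)
wallet = Wallet({
    "passport_number": "X0000000",
    "birth_date": BIRTH.isoformat(),
    "age_over_18": str(age_over(BIRTH, 18, TODAY)),
})
registry = wallet.register(["age_over_18"])  # the only public entry
```

The verifier receives the derived fact `age_over_18`, never the birth date or passport number, and a disclosure for an attribute that was not registered is rejected.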

‘Identity checks today ask for your whole document when they only need one fact,’ said the Starknet team.

Why the Breach Numbers Make the Case for Starknet Private KYC

The timing is deliberate. IBM’s Cost of a Data Breach 2025 report puts the global average cost of a data breach at $4.44 million, rising to $10.22 million for breaches in the United States specifically. Healthcare sits highest across all industries at $7.42 million per incident, the 14th consecutive year it has held that position.

IBM’s research also identifies phishing as the most common breach vector, responsible for 16% of incidents at an average cost of $4.8 million per attack. The credential databases that KYC processes produce are a natural phishing target.

The ITRC 2025 Annual Data Breach Report recorded 3,322 U.S. data compromises last year, a 4% increase from the previous record of 3,152 set in 2024 and the third successive year above 3,000. Victim notices reached 278,827,933. According to ITRC data, 70% of breach notices contained no attack-method information, up from 65% in 2024 and 45% in 2023, a trend that makes attribution and prevention harder. The overall five-year increase stands at 79%.

Crypto users already have a concrete reference point. Ledger’s 2020 breach exposed more than 1 million email addresses alongside names, phone numbers and physical addresses, demonstrating that custodied identity data attracts the same risks as any other centralised store of records.

‘Private KYC shows that verification and privacy aren’t a trade-off,’ said StarkWare.

STRK20 Provides the Privacy Infrastructure

Private KYC sits inside StarkWare’s broader STRK20 privacy framework. Starknet’s official blog confirms STRK20 is live: when an ERC-20 asset is shielded, it is deposited into the STRK20 privacy pool and represented as an encrypted note. The first STRK20 phase also introduced strkBTC, positioned as private Bitcoin on Starknet.

STRK20 lets ERC-20 assets move between public and shielded states while zero-knowledge proofs confirm that private actions comply with network rules. The framework preserves a path for lawful, targeted disclosure, which StarkWare frames as a risk-based compliance layer rather than a legal safe harbour.

Private KYC applies that same selective-disclosure logic to identity. Users keep encrypted data in their own Starknet wallet rather than distributing full document copies to each platform. The model contrasts with World ID, which also uses zero-knowledge proofs but draws criticism for its iris-scanning biometric collection step. StarkWare’s implementation stays passport-based and phone-native.

As HIPAA Journal noted in its coverage of the 2025 breach record, the scale of compromised personal data is now a systemic issue rather than an isolated compliance failure. Architectures that limit what gets collected in the first place are gaining traction across regulated verticals, and healthcare’s persistent lead in breach costs is pushing that conversation faster than the crypto sector alone.

Adoption still requires legal review across each jurisdiction, verifier-side app support and independent security audits. The demo stage means none of those boxes are ticked yet. Whether regulators accept a registry-and-proof model in place of document custody is the binary that determines whether this moves beyond a proof of concept.
