Secret Investors and Data Leaks: The Story of Sumsub—a KYC/AML Platform That Was Never Verified
This massive online KYC/AML service has been operating in global markets for over 10 years, verifying millions of users and more than 4,000 client companies. But, as it turned out, the service itself had not undergone verification; no one had checked its reliability, origin, or beneficial owners. And when they began to investigate more closely, the service turned out to be very similar to the Kremlin’s “Trojan horse.”
Such a seemingly unthinkable scenario is currently unfolding in the Know Your Customer (KYC) verification segment. At the center of the scandal is the Sumsub platform. IT market participants have a barrage of questions for it across several areas: Have the Russian founders retained influence over the company? Why is there no up-to-date information about investors? And how were they able to conceal instances of confidential information leaks for years?
UA.News explains how a company that sells guarantees of identity authenticity cannot confirm its own verification; what risks this poses to its clients; and what legal experts think about the matter.
Data Security Weaknesses
Many online services conduct KYC/AML checks to comply with international market requirements and the “know your customer” principle. Through such a service, one can verify an individual, a company, or specific transactions. The procedure itself seems simple—the user uploads their passport details and takes a selfie. The complexity arises at the stage of storing this data and unauthorized access to it.
It was precisely several cases of data leaks, as well as the cover-up of these incidents, that drew the attention of journalists from international industry publications to the Sumsub platform. After all, for over 10 years, the company has been handling customer verification: document recognition, database checks, risk assessment, and assistance with KYC/AML compliance in various countries.
The first incident occurred in July 2024. An external attacker sent a malicious attachment via a third-party application processing platform to Sumsub’s support service and gained access to customers’ names, email addresses, phone numbers, and accounts.
No one at the company noticed anything for eighteen months. Sumsub’s internal security audit, conducted in January 2026, retroactively identified the attacker—unnoticed—a year and a half after the door to the “vault” had been opened.
The second incident occurred in February 2026. This involved a public data breach. The company, which processes biometric data and government-issued IDs to ensure compliance with regulatory requirements in the global finance sector, has been hosting an “uninvited guest” since the summer of 2024.
Sumsub representatives officially stated that access to biometric data was not granted, and the situation did not involve images of IDs or government ID data. The breach affected only the environment related to service support. Only names, email addresses, and phone numbers were exposed.
The Sumsub team also came up with a crisis PR strategy: they published a blog post highlighting instances of fraud at other companies.
Both moves drew criticism from market experts. It was noted that a company that had just admitted to an undetected breach lasting 18 months had no right to publish a ranking of other companies’ security failures.
Criticism of the structure and security at a company that handles verification itself touches on deeper issues than the incidents themselves. A centralized KYC infrastructure inherently poses a risk of concentration. Any exchange, fintech company, or analytics firm that outsources identity verification to a single provider creates a single point of entry. Thus, a single security breach could lead to the simultaneous exposure of verified user identities across the entire client list.
What lawyers are focusing on
Lawyers from one of the fintech companies explained in a comment to UA.News that the use of an unverified verification tool may indicate a lack of proper technical audits, independent certification, and effective internal controls.
In the event of a leak of customers’ personal data, a company providing KYC/AML services may be held liable under international standards. According to lawyers, a KYC/AML provider may bear:
civil liability (compensation for damages to its clients and data subjects);
administrative liability (including GDPR fines);
contractual liability (breach of DPA/SLA).
Sumsub’s Infrastructure and Investors
In the world of finance, if you share your data with a company that cannot prove its “identity,” you face risks, the threat of fraud, issues with sanctions, and money laundering.
The core idea of regulatory compliance in the cryptocurrency space is the need for an intermediary between your platform and the chaos of anonymous capital. Sumsub has become that intermediary. It serves 4,000 clients. It has a staff of up to 1,000 employees and offices in London, Berlin, Miami, Singapore, Dubai, and Limassol, Cyprus. In 2024, the company doubled its revenue.
The Sumsub platform built an extensive infrastructure, promising to eliminate fraud and obstacles during verification processes and help companies safely register anything in any location worldwide. Interpol units collaborated with the platform, and UN representatives cited its statistics. Thousands of corporate clients had integrated Sumsub so deeply into their new user registration processes that removing this service would mean having to build a system from scratch.
The problem is that, by definition, no one checks Sumsub’s infrastructure itself until it breaks down.
Western IT market analysts have noted that before the company became Sumsub, it was called SMTDP Tech Ltd, a predecessor registered in Cyprus with three Israeli founders, among whose early investors was the vice president of Telegram.
This refers to Ilya Perekopsky, vice president of Telegram and former vice president and chief operating officer of VK (Eastern Europe’s largest social network). Perekopsky was a co-director of SMTDP in Cyprus and was listed in the registry as a founder.
He supported the project in its early stages in 2017, remained on board during the Series A round in 2020, and did not exit until 2022.
Analysts also found that the Series A funding round was led by MetaQuotes. Originally founded in Russia, the company operates through Cyprus and is best known as the developer of MetaTrader. In 2022, Apple removed MetaTrader from its App Store following reports that scammers had used it to defraud victims.
MetaQuotes bought out the shares of previous investor Flint Capital, which exited the deal at a price 5.5 times higher than the initial one, and took the lead.
In March 2022, when the Russian occupation army invaded Ukraine, Sumsub published a statement, one of whose points emphasized: “…The initial investors who had ties to Russia and retained minor stakes in our company have now left us.” This important detail shows that investors linked to Russia continued to hold shares in the company even on the day this statement was written.
Officially, Sumsub also ceased operations in Russia, relocating its team from Russia and Belarus to offices in Germany, the UK, and Cyprus. However, the company did not draw this line in its cooperation with Russians until 2022—years after passport scanning began.
Who is behind Sumsub
From April 2019 to October 2023, over 75% of the shares in the British operating company Sumsub were owned by the Cypriot company Raritex Trade Ltd. This gave it a majority of votes: the right to appoint and remove directors, as well as full corporate control for four and a half years.
Raritex is still active and owns the SUMSUB trademark in Canada, Australia, and the EU. The company’s director is Andriy Severyukhin, CEO of Sumsub. Information about the company’s shareholders is not disclosed.
On October 2, 2023, Raritex was removed from its position as the controlling entity, which is a completely standard situation when the ownership structure changes. But after that, some unusual things happened. On October 3, 2023, Sumsub filed a statement with the UK Companies House asserting that “it is aware of or has reasonable grounds to believe that there is no natural or legal person exercising significant control.”
Market analysts interpreted this statement simply as: “We don’t know who controls us.” This statement remained in the public registry for seven months.
On May 24, 2024, this statement was withdrawn. On the same day, three founders were listed as persons exercising significant control: Petro Sevier, Yakov Sevier, and Andriy Severyukhin. They are Israeli citizens residing in Cyprus.
The company provided no public explanation regarding the absence or change of this information. Analysts explain that Sumsub’s entire business model is built on the premise that it must answer the question “Who controls this organization?” on behalf of its clients. Clients need to know this before they allow anyone to transfer money. The company’s product is precisely that answer.
For seven months, Sumsub submitted statements to the state regulatory authority claiming it could not answer this question about itself. Then, it quietly changed its response without any press release or public statement.
This situation complicates fundraising efforts for the Series B round. The round took place around the end of 2022. Sumsub presented the investor as a “corporate venture fund” without naming it, publishing any documents, or making any statements.
For a company that processes government ID data for thousands of financial institutions, refusing to name its primary institutional investor after 2022 is more than just a minor issue. It is a signal that a comprehensive review is necessary.
Lawyers’ commentary
When asked how clients of KYC/AML providers can legally protect themselves—whether standard data processing agreements (DPAs) provide sufficient protection or whether additional guarantees and audits should be required—the lawyers noted:
