Who Vets the Vetters?
Sumsub has processed your passport scan. Your face. Your government ID.
It's done the same for users across 4,000+ clients, each one trusting Sumsub to answer the question they couldn't answer themselves.
Gartner handed it Magic Quadrant Leader for identity verification status. January 2026, Sumsub joined the World Economic Forum's Unicorn Community.
The credentials were impeccable. The scrutiny was nonexistent.
Nobody called it what it actually was: A company whose own controlling ownership disappeared from the public record - filed October 3, 2023, retracted May 24, 2024 - and whose systems were home to an uninvited guest for a year and a half before anyone noticed.
In February 2026, Sumsub disclosed a breach that began in July 2024. Eighteen months. Undetected.
The business model is simple: You can't trust strangers, so let Sumsub verify them.
The founding irony is simpler: Nobody verified Sumsub.
When the company selling identity certainty can't account for its own, whose identity have you actually been confirming?
(Story was tipped to Rekt News via Dyma Budorin, CEO of Core3 and Co-Founder & Chairman of Hacken.)
KYC exists because trust is a liability.
Hand it to someone who can't prove who they are and you inherit their risk, their fraud, their sanctions exposure, their laundered funds.
The whole premise of crypto compliance is that you need a gatekeeper between your platform and the chaos of anonymous capital.
Sumsub became that gatekeeper.
Over four thousand clients. Nine hundred and eighty-seven employees. Offices in London, Berlin, Miami, Singapore, Dubai, Limassol.
Revenue more than doubled in 2024.
Sumsub's pitch was straightforward: Eliminate fraud and verification hurdles so businesses can onboard anyone, anywhere, safely. Hand over the passport scan, the selfie, the proof of address, and Sumsub handles the trust problem your compliance team couldn't solve alone.
INTERPOL partnered with them. The UN referenced their research. Thousands of compliance teams embedded Sumsub so deep into their onboarding flows that removing it would mean rebuilding from scratch.
That's not a vendor. That's infrastructure.
And infrastructure, by definition, is what nobody audits, until it fails.
The record was always there. Nobody thought to look.
So who exactly was verifying the verifier?
The Origin
Before Sumsub was Sumsub, it was SMTDP Tech Ltd, a Cyprus-registered predecessor entity with three Israeli-national founders whose early backers included the VP of Telegram.
Ilya Perekopsky, VP of Telegram, and former VP and COO of VK, Eastern Europe's largest social network, wasn't a passive check-writer.
He was co-director of SMTDP in Cyprus, listed on the registry alongside the founders at the founding layer.
He backed the Seed round in 2017, remained in at Series A in 2020, and didn't exit until 2022.
The Series A was led by MetaQuotes, originally developed in Russia, operating through Cyprus, and best known as the developer of MetaTrader.
In 2022, Apple removed MetaTrader from its App Store following reports that scammers were using it to defraud victims.
MetaQuotes bought out the shares of prior investor Flint Capital, which exited at 5.5x, and took the lead position.
March 2022, Russia invaded Ukraine. Sumsub published a statement, and buried inside it was a confirmation that matters: "The few early investors with Russian exposure who retained minor shares in our company have now all left us."
Read that carefully. Russian-exposed investors were still holding shares as late as the day that statement was written.
Sumsub ceased Russian operations, relocated its team from Russia and Belarus to their offices in Germany, UK and Cyprus, and drew a line.
None of that is in dispute. But the line was drawn in 2022, years after the passport scans started flowing.
What did the previous seven years look like?
The Gap
From April 2019 to October 2023, a Cyprus entity called Raritex Trade Ltd held 75% or more of the shares in Sumsub's UK operating company.
Majority voting rights. The right to appoint and remove directors. Full corporate control for four and a half years.
Raritex is still active. It still holds the SUMSUB trademark in Canada, Australia, and the EU.
The director is Andrey Severyukhin, Sumsub's CEO. Its shareholders are not publicly disclosed.
On October 2, 2023, Raritex was removed as the controlling entity. Standard enough, ownership structures change.
What happened next is not standard.
Sumsub filed a statement with UK Companies House on October 3, 2023 declaring that the company "knows or has reasonable cause to believe that there is no registrable person or registrable relevant legal entity" with significant control.
Translation: We don't know who controls us.
That statement sat on the public register for seven months.
May 24, 2024, the filing was withdrawn.
Three founders appeared as Persons with Significant Control on that same day: Peter Sever, Yakov Sever, Andrey Severyukhin. Israeli nationals. Residing in Cyprus.
No public explanation for the gap has ever been given.
Sit with the specific absurdity of that for a moment. Sumsub's entire commercial existence is built on one capability: Answering the question "who controls this entity?" on behalf of clients who need to know before they let someone move money. Its product is that answer.
For seven months, Sumsub filed with a government regulator that it could not answer that question about itself.
Then quietly changed the answer.
No press release. No public statement. No explanation on the public record of what changed between October and May, or who held effective control during the window, or why the original filing said what it said.
The Series B compounds the picture. Raised around the end of 2022. Sumsub describes the backer only as "a corporate VC fund", no name, no public filing, no announcement.
For a company processing government ID data for thousands of financial institutions, the refusal to name its primary post-2022 institutional backer is not a footnote. It's a diligence flag.
A KYC company couldn't identify its own controlling person for seven months,and its biggest investor remains unnamed. What exactly would trigger a compliance review, if not that?
The Breach
July 2024, an external threat actor submitted a malicious attachment through a third-party support ticketing platform.
Access gained. Internal environment compromised. Names, email addresses, phone numbers - exposed for a subset of customer accounts.
Nobody noticed for eighteen months.
Not a misconfigured server caught by a routine scan. Not a tip from an external researcher. Not a regulator knocking. Sumsub's own security audit in January 2026 found the intruder,retrospectively, quietly, a year and a half after the door had been opened.
February 4, 2026: Public disclosure. The company that processes biometric data and government IDs for the compliance layer of global finance had been hosting an uninvited guest since the summer of 2024.
Sumsub's official position: No biometrics accessed, no ID document images, no government ID data touched.
The breach was contained to a support-related environment. Names, emails, phone numbers only.
Confirmed affected: Ndax, a Canadian crypto exchange.
While the breach disclosure was still fresh, Sumsub published a blog post calling out fraud incidents at other companies.
ZachXBT called it exactly what it was: Tone deaf.
A firm that just admitted an 18-month undetected intrusion had no business running a public scorecard on everyone else's security failures.
Sumsub's public response to Zach, opened with: "In our 10-year history, this is the first incident of its kind."
March 2025: Security researcher Lilith Wittmann reported that an unsecured API at Merkur AG had exposed Sumsub API tokens, enabling unauthorized access to user data.
Sumsub attributed the failure entirely to the third-party integrator, their misconfiguration, not Sumsub's.
Two incidents. Both explained away.
The architecture critique cuts deeper than the incidents themselves. Centralized KYC infrastructure is a concentration risk by design.
Every exchange, every fintech, every analytics firm that outsources identity verification to a single vendor creates a single point of failure, one breach away from exposing the verified identities of users across the entire client list simultaneously.
The Zyphe analysis put it plainly: “If your KYC vendor is compromised and doesn't know it, you don't know it either, but you're still responsible for the data you've entrusted to them and for the regulatory obligations tied to that data.”
A company verifying identities for the world's largest crypto exchanges couldn't detect a stranger inside its own systems for a year and a half.
If the lock on the gate was broken for eighteen months before anyone checked, how confident should anyone be in what the gate was actually protecting?
The Unanswered Questions
Here's what remains unresolved, not speculation, not inference. Just open questions with no public answers.
Who are the shareholders of Raritex Trade Ltd?
The entity that controlled Sumsub's UK operating company for four and a half years still holds the SUMSUB trademark across multiple jurisdictions.
The beneficial ownership chain behind the entity that controlled Sumsub remains hidden from public view.
Who funded the Series B?
Sumsub raised a growth round in December 2022, after the Russian invasion, after the Ukraine statement, after the investor exits.
The company describes the backer only as "a corporate VC fund". No name. No filing. No announcement.
For a company processing passport scans for Bybit, Vodafone, and Duolingo, the refusal to name its primary post-2022 institutional backer isn't a PR oversight, it's a diligence gap wearing a suit.
What happened during the seven-month gap?
Between October 2, 2023 and May 24, 2024, Sumsub's own UK filing stated it had no identifiable controlling person. Then it retracted that. No explanation. No statement. No acknowledgment that the gap existed at all.
How many people were affected by the breach?
Sumsub became aware in January 2026. The number of affected individuals and the status of those regulatory notifications remain undisclosed.
None of these are edge cases. Every single one sits at the center of what a compliance team is supposed to ask before embedding a vendor into its identity verification stack.
The clients who used Sumsub to scrutinize millions of users never applied Sumsub's own methodology to Sumsub.
If Sumsub's own onboarding tool processed Sumsub as a client, would it pass?
Sumsub's public record answers some questions and ignores others. The ones it ignores are the ones that matter most.
That silence sits on top of everything else, the opaque Cyprus holding structure, the unnamed growth investor, the seven months of officially unidentifiable ownership, the eighteen months of undetected access to systems holding data for thousands of compliance teams worldwide.
Individually, each thread has an explanation.
Together, they form a pattern that Sumsub's own compliance product would flag without hesitation if it showed up in a client's onboarding file.
Every exchange that embedded Sumsub did so because they couldn't afford to trust strangers. None of them applied that same standard to the tool doing the trusting.
That's not a Sumsub problem. It's a supply chain problem, one that runs beneath the entire compliance layer of crypto, invisible because everyone agreed, without checking, to call it infrastructure.
The passport scans are still flowing. The biometric checks are still running. The gate is still open for business.
Nobody thought to check who owned the gate.
When the infrastructure built to vet everyone else has never been vetted itself, who's been doing the trusting, and on whose behalf?
REKT sirve como plataforma pública para autores anónimos, nos deslindamos de la responsabilidad por las opiniones y contenidos alojados en REKT.
dona (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
aviso legal:
REKT no es responsable ni culpable de ninguna manera por cualquier Contenido publicado en nuestro Sitio Web o en conexión con nuestros Servicios, sin importar si fueron publicados o causados por Autores ANÓN de nuestro Sitio Web, o por REKT. Aunque determinamos reglas para la conducta y publicaciones de los Autores ANÓN, no controlamos y no somos responsables por cualquier contenido ofensivo, inapropiado, obsceno, ilegal o de cualquier forma objetable, que se pudiera encontrar en nuestro Sitio Web o Servicios. REKT no es responsable por la conducta, en línea o fuera de línea, de cualquier usuario de nuestro Sitio Web o Servicios.