Key Highlights
- A report says Sumsub once filed a statement that it could not identify who controlled the company, before later updating its ownership records to list its founders.
- A cyber incident reportedly went undetected for about 18 months, exposing limited user data.
- The report also raised questions about an unnamed investor from a 2022 funding round.
Sumsub, a firm that helps businesses, particularly in the crypto sector, verify user identities, is facing scrutiny over its transparency and its security practices after a report reviewed the company’s filings and disclosed a data breach that was not reported.
Sumsub ownership records under question
The report, shared by Rekt News, questioned how the company’s ownership was recorded. It states that from April 2019 to October 2023, a Cyprus-based entity, Raritex Trade Ltd, held majority control of the company’s UK unit.
On October 3, 2023, Sumsub filed a statement saying it could not identify any person or legal entity with significant control over the company. This means the company officially reported that it did not know who controlled it at that time.
That filing remained in place for about seven months before it was withdrawn on May 24, 2024, when three founders, Peter Sever, Yakov Sever, and Andrey Severyukhin, were listed as persons with significant control. However, no public explanation for this change was provided in the report.
The report also mentions a funding round around late 2022, where Sumsub described its main investor only as a “corporate VC fund” without naming it. Rekt News said that this lack of disclosure is concerning because the company handles sensitive identity data for many financial institutions.
Security breach from February 2026
Another key issue is a cybersecurity breach disclosed by Sumsub in February 2026. The company said the incident began in July 2024, when an attacker gained access through a support system using a malicious file. The breach lasted about 18 months before being detected during an internal audit in January 2026.
According to Sumsub, the exposed data included names, email addresses, and phone numbers for some users, but did not include biometric data, passport images, or government ID documents. The crypto exchange Ndax was listed among affected clients.
The report also refers to a 2025 case where a security researcher found that API access keys linked to Sumsub were exposed through a third-party system.
Sumsub hit back at the claims
In response on X, Sumsub said that the report was misleading and that the writers did not contact the company before publishing it.
The company said it follows all legal disclosure requirements in the countries where it operates and shares information with regulators, auditors, and clients when necessary. It also said that concerns about transparency have been raised before and addressed.
Sumsub said it operates as a private company and complies with required disclosure rules. It added that relevant information is shared with authorities and business partners when needed.
Regarding the breach, Sumsub confirmed it but said it was limited to a support-related system and did not affect sensitive identity documents such as passports or biometric data. The company described it as an isolated incident in its history.
Broader context
Sumsub provides Know Your Customer (KYC) services, which help businesses, including crypto firms, confirm user identities using documents like passports, selfies, and proof of address.
The company says it serves more than 4,000 clients globally and operates across multiple regions. These services are commonly used by financial and crypto platforms to prevent fraud and ensure users are real.
In short, instead of building these systems themselves, many businesses rely on providers like Sumsub. Because these providers handle large amounts of personal data, they play a central role in compliance and security processes across financial systems.
