OpenAI, the US government and Persona built an identity surveillance machine - Exposed Infrastructure Files Reports to the Feds
In February 2026, security researchers exposed a vast surveillance infrastructure operated by Persona, the identity verification service used by OpenAI, Discord, and other major platforms. The investigation revealed that what users believed was simple age verification actually involved 269 distinct surveillance checks, facial recognition against government watchlists, and direct reporting to federal agencies including FinCEN. This curated collection brings together the most authoritative resources documenting this significant privacy disclosure.
Overview
The exposure began when researchers discovered 53MB of unprotected TypeScript source code on a government-authorized server, revealing Persona's extensive surveillance capabilities. The investigation documented infrastructure connecting OpenAI's user verification directly to U.S. federal law enforcement, including systems for filing Suspicious Activity Reports, screening crypto addresses through Chainalysis, and matching user selfies against databases of politically exposed persons. These resources provide comprehensive technical analysis, corporate responses, and privacy implications for millions of users.
Top Recommended Resources
1. the watchers: how openai, the US government, and persona built an identity surveillance machine
- Complete technical documentation of the exposed infrastructure including server configurations, API endpoints, and screening mechanisms
- Evidence of dedicated "openai-watchlistdb" infrastructure operational since November 2023, 18 months before OpenAI disclosed ID requirements
- Detailed analysis of 269 verification checks, government SAR filing systems to FinCEN and FINTRAC, and biometric retention policies
- Emphasis on a passive reconnaissance methodology that did not exploit any vulnerabilities
2. Age verification vendor Persona left frontend exposed, researchers say
- Clear explanation of the 2,456 accessible files found on the government server and what they revealed
- Comprehensive breakdown of surveillance capabilities including facial recognition, politically exposed persons screening, and adverse media monitoring across 14 categories
- Documentation of extensive data collection including IP addresses, device fingerprints, government IDs, and biometric data with 3-year retention
- Context about Discord's decision to discontinue using Persona and broader implications for age verification systems
3. Discord cuts ties with Peter Thiel-backed verification software
- Details about Discord severing ties with Persona immediately after the exposure was revealed
- Context about Persona's backing by Peter Thiel's Founders Fund and the company's position in the identity verification market
- Corporate response from Persona CEO Rick Song addressing the exposed files
- Comparison to previous October 2025 breach involving another verification vendor (5CA) that exposed government IDs for over 70,000 Discord users
4. Is ChatGPT Spying For The Feds? The 53MB Leak Behind OpenAI's ID Checks
- Clear explanation of the dedicated screening infrastructure used to process millions of users monthly
- Documentation of hardcoded intelligence operation codenames like "Project SHADOW" and "Project ONYX" found in the exposed code
- Analysis of data retention discrepancies between publicly stated policies (1 year) and what the code reveals (3 years for biometric data)
- Persona's clarification that, while the infrastructure exists, the company claims no current active contracts with DHS or ICE
5. OpenAI KYC provider accused of sharing users' crypto addresses with federal agencies
- Detailed explanation of Chainalysis integration allowing operators to screen crypto addresses and maintain persistent watchlists
- Documentation of capabilities for filing suspicious activity reports to FinCEN based on cryptocurrency addresses
- Analysis highlighting that this represents "persistent monitoring" rather than one-time lookups
- Confirmations from multiple security experts that the research appears legitimate, adding credibility to the technical findings
Summary
These five resources provide comprehensive documentation of the Persona surveillance infrastructure exposure from multiple authoritative perspectives. Start with the vmfunc original research for complete technical details, then consult Malwarebytes for cybersecurity analysis and Fortune for corporate accountability context. If you're interested in cryptocurrency implications, the DL News coverage is essential. Dataconomy bridges technical and general audiences effectively. Together, these resources document one of the most significant identity verification privacy disclosures of 2026, with implications for millions of users of OpenAI, Discord, and other platforms relying on Persona's services.