Security Researchers Find Exposed Source Code on Persona's Government Verification Platform

A group of security researchers has published a detailed analysis of Persona, the $2 billion identity verification company used by OpenAI, claiming they extracted 53MB of unprotected TypeScript source code from the company's government-facing infrastructure. The findings, if confirmed, raise pointed questions about both the security posture of a FedRAMP-authorized platform and the scope of data collected during routine AI identity checks.

The blog post, published February 16 by researchers going by vmfunc, MDL, and Dziurwa, describes what they found using only passive reconnaissance - Shodan scans, certificate transparency logs, DNS resolution, and publicly accessible JavaScript source maps left exposed on production servers.

What They Found

The researchers claim a /vite-dev/ path on Persona's government-facing domain served unminified source maps - development artifacts that reconstruct the original TypeScript source code from production JavaScript bundles. Leaving these exposed is a known and well-documented vulnerability class, but finding it on a FedRAMP-authorized endpoint is a different matter entirely.

According to the blog post, the exposed code revealed:

269 distinct verification checks performed per user, including facial recognition, document verification, sanctions screening, and behavioral analysis
Direct SAR (Suspicious Activity Report) filing to FinCEN (US) and STR filing to FINTRAC (Canada), with hardcoded references to real Canadian intelligence program codenames
Biometric databases with retention policies of up to 3 years
"SelfieSuspiciousEntityDetection" - a check that flags users based on facial characteristics
Public figure facial matching - comparing user selfies against a database of political figures
13 types of tracking lists covering names, IP addresses, faces, and more

The researchers also identified third-party integrations including FingerprintJS (browser fingerprinting), Microblink (document scanning), and Chainalysis (cryptocurrency address screening).

What Is Persona and Who Uses It

Persona is not a fringe startup. Founded by former Square and Dropbox engineers, the San Francisco-based company raised a $200 million Series D at a $2 billion valuation in April 2025, backed by Founders Fund and Ribbit Capital. Its clients include Square, Robinhood, Discord, Roblox, and OpenAI.

OpenAI uses Persona to verify API users through its "Verified Organization" program, which became mandatory for accessing frontier models like GPT-5. Persona's own case study confirms OpenAI uses the platform to screen "millions monthly" against international sanctions watchlists.

The researchers flagged a subdomain - openai-watchlistdb.withpersona.com - that they claim was operational since November 2023, roughly 18 months before OpenAI publicly announced its identity verification requirement in April 2025. This timeline is plausible (sanctions screening and ID verification are different functions), but the exact creation date could not be independently verified.

Persona achieved FedRAMP Authorized status at the Low Impact level in October 2025, making it eligible to serve federal agencies. The researchers note the irony: a platform that passed a federal security audit had development source maps exposed on its government endpoint.

The FINTRAC Codenames Are Real (but Not Secret)

One of the blog post's more dramatic findings is the presence of Canadian intelligence program codenames in the source code: Project ANTON, ATHENA, CHAMELEON, GUARDIAN, LEGION, PROTECT, and SHADOW.

These are real FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) programs, but they are not classified or secret. Project ANTON targets money laundering tied to illegal wildlife trade. Project GUARDIAN tackles illicit fentanyl financing. Project PROTECT focuses on human trafficking. They are public-private partnerships with published indicators.

Any company that files Suspicious Transaction Reports to FINTRAC needs to categorize them by program. The presence of these names in Persona's code is consistent with standard AML compliance infrastructure, not covert surveillance - though the blog's framing implies otherwise.

The ONYX Speculation

The weakest claim in the report concerns a subdomain called onyx.withpersona-gov.com, which the researchers say appeared in certificate transparency logs on February 4, 2026. They note the naming similarity to Fivecast ONYX, a social media surveillance tool that ICE purchased through a $4.2 million contract.

The blog post acknowledges this is speculative. The code "contains no direct ICE references" and no Fivecast integration was found. "ONYX" is a generic name. The researchers frame the coincidence as a question rather than a conclusion, and to their credit, explicitly list what the code does NOT contain: no Palantir integration, no Clearview AI connection, no bidirectional OpenAI data pipelines, no law enforcement workflows.

Community Reaction: Skeptical but Attentive

The blog post gained traction on Hacker News (85+ points), X, and Reddit, but the reception was notably mixed. Many commenters pointed out that what the researchers describe - sanctions screening, SAR filing, biometric storage, watchlist matching - is standard KYC/AML compliance infrastructure that any identity verification platform would have. The alarming presentation, including the blog's autoplay music and low-contrast design, also drew criticism for undermining the credibility of legitimate findings.

The stronger takeaway, as several HN commenters noted, is not that Persona does these things but that users undergoing "simple" ID verification for OpenAI API access may not realize the scope of what happens behind the scenes. The blog claims 269 checks per verification - a number users are never told about.

Persona's CEO Is Responding

Persona CEO Rick Song has engaged directly with the researchers, according to vmfunc's posts on X. The researchers submitted 18 written questions covering biometric retention periods, BIPA compliance, the scope of government agency access, and what "SelfieSuspiciousEntityDetection" actually does. Song has committed to answering them, with the full correspondence to be published as Part 2.

This is unusual and worth watching. Most companies respond to this kind of research with legal threats, not engagement.

What This Actually Means

Strip away the dramatic framing and two concrete facts remain. First, if the source map exposure is confirmed, a FedRAMP-authorized identity verification platform serving federal agencies had its entire frontend source code accessible to anyone with a browser - a serious security failure. Second, the scope of verification checks (269 per user, biometric matching, political figure comparison, cryptocurrency screening) is significantly broader than what most users would expect when they upload a selfie and an ID to access an AI API.

Persona already faces BIPA litigation over alleged biometric data collection without proper consent in Illinois. The exposed source code, if it reveals retention practices that conflict with disclosed policies, could add fuel to that fire.

Part 2, with Persona's responses, will tell us more. Until then, the report is a reminder that "identity verification" in the AI era involves far more than checking that a face matches a photo.

Sources: