An exchange holds the passport scan, the proof of address, the source-of-funds documentation that the principal submitted to open the account. The exchange's own breach (which has happened, repeatedly, across the industry over recent years) exposes all of it. The records do not go back into the box once they are out.
The combination is more dangerous than either part alone. Identity documents in the hands of an attacker are useful for impersonation. Identity documents combined with the knowledge that the person holds cryptocurrency are useful for the more targeted attacks that follow: the SIM swap aimed at the exchange's two-factor authentication, the phishing message that references real account details, the threat made against the person whose wealth is now estimated.
The work to address this is partly retrospective (which exchanges has the principal used, what documents did each receive, which have been breached) and partly forward-looking (which exchanges receive what going forward, what hardware controls custody, what insurance and what jurisdiction sit behind any holdings of consequence).
The record speaks plainly enough. The question is whether anyone is listening to it.