So Persona just shipped source maps to production and exposed 53MB of TypeScript source code to the internet. Not a typo. Fifty-three megabytes across 2,456 files, all unminified and readable.
If you've used any identity verification service in the past year (crypto exchange, fintech app, whatever), there's a decent chance it was Persona. They're huge. And now we can see exactly how they built a government surveillance system right alongside their commercial product.
A team of security researchers documented the entire discovery, and honestly, the findings are completely nuts. All exposed because someone forgot to set one environment variable.
First thing you notice in the exposed source maps: domain names like openai-watchlistdb.withpersona.com, withpersona-gov.com, and onyx.withpersona-gov.com.
That -gov suffix is doing a lot of work. Not exactly subtle about what this is.
Quick TypeScript 101: source maps are basically cheat sheets that map your ugly minified production code back to the original readable source. Super helpful for debugging. Absolutely catastrophic if you ship them publicly because now everyone can read your code, see your API endpoints, understand your algorithms, everything.
GENERATE_SOURCEMAP=false
Persona didn't set this, which means we now know everything about how their infrastructure works. Whoops.
Okay so SARs. Suspicious Activity Reports. Banks and financial institutions are supposed to file these when they spot sketchy stuff (money laundering, fraud, etc.). In the US it goes to FinCEN (Financial Crimes Enforcement Network). In Canada, FINTRAC (Financial Transactions and Reports Analysis Center).
Normally this is manual. A compliance officer sees something suspicious, reviews it, writes up a report, submits it. Human judgment. Oversight. The idea being that an actual person decides whether something's really worth flagging.
Persona looked at that whole process and went "what if we just... didn't?"
The exposed source code shows they've built a system that performs 269 distinct verification checks on every single person. (Yes, 269.) When certain combos of these checks fail, it auto-generates and files SARs with FinCEN and FINTRAC. Zero human review.
The regulations are strict too. 30 days to file the initial SAR once you detect suspicious activity. If it keeps happening, continuing activity reports every 90-120 days. Persona's system handles all of this automatically, no questions asked.
So every time someone tries to verify their identity through any service using Persona, they're run through 269 checks. Trip enough of them and boom, you're auto-flagged to government intelligence agencies. No notification, no appeal, no idea it even happened.
It gets better. The source code shows dropdown options for specific FINTRAC projects when filing reports. Like, actual real operations with code names:
So when Persona's system auto-files a SAR, someone picks from this dropdown which operation it goes to. Trafficking? Drugs? Child exploitation? Just depends what they click. And you? You'll never know. Never find out which category you got tagged under, never see what threshold you supposedly triggered. You just exist in some database somewhere now.
October 2025, Persona got FedRAMP authorized. For those of us who don't live and breathe compliance speak, FedRAMP is basically the government's stamp of approval that says "yes, we trust this cloud service enough to give them federal contracts," which means they can now contract directly with federal agencies.
Oh, and they're partnered with OpenAI for watchlist screening too. That openai-watchlistdb.withpersona.com domain suddenly makes a lot more sense.
The business model is honestly kind of genius (in a dystopian way). Build a commercial KYC platform that every fintech startup needs. Use that revenue to build parallel government surveillance infrastructure. Get FedRAMP certified. Win government contracts. User data flows from the commercial side straight into the government side. Everyone wins. Well, except the users, but they don't know about it anyway.
There's also PEP screening built in. PEP = Politically Exposed Person. Think government officials, diplomats, their families - anyone who might be wrapped up in corruption or money laundering.
They're using fuzzy matching with similarity scoring. Which sounds fine in theory, but like... how fuzzy are we talking? What's the threshold where "John Smith" becomes suspicious because there's a "Jon Smythe" on some watchlist? The code doesn't say. Naturally.
Once you're flagged as a PEP match, you're under 24/7 continuous monitoring with immediate alerts on any activity. Forever, apparently.
Your name happens to be vaguely similar to some diplomat's cousin halfway across the world? Congrats, you're flagged. SAR gets filed. Maybe tagged for one of those intelligence operations we talked about earlier. You'll never know why or even that it happened. Just something to think about next time you wonder why your bank transfer got held up.
One more thing that caught my eye: Ukraine shows up in the restricted country lists right next to actual sanctioned countries. Except Ukraine isn't sanctioned. Russia is. So what's that about?
The code doesn't explain it. Maybe someone made a mistake or there's some compliance reason that just never got documented. Who knows. But it makes you wonder - if this list is wrong, what else is? Who's actually checking any of this?
Let's zoom out for a second. When you verify your identity through a service using Persona, here's what actually happens:
269 automated checks run on your ID, selfie, and personal info. You trip some unknown threshold and a SAR gets filed automatically with FinCEN or FINTRAC. You're added to monitoring systems. No human looks at it. No one tells you it happened. You go about your day completely unaware.
Most KYC platforms keep this stuff separate, you know? Commercial verification over here, government reporting over there. A firewall between "verify this person for a crypto exchange" and "file reports with law enforcement." Makes sense; keep the surveillance infrastructure away from the customer-facing product.
Persona didn't do that. They built it as one unified system. And thanks to the source maps, we can see exactly how.
Kind of wild.