
Leak Exposes OpenAI and Persona’s Secret Federal Reporting Pipeline

In a massive disclosure titled “The Watchers,” a group of independent security researchers has revealed a sophisticated identity surveillance apparatus linking OpenAI, identity-verification firm Persona, and the U.S. Government.

The investigation, published February 16, 2026, alleges that under the guise of “Trust and Safety,” these entities have built an automated system that screens millions of users and files Suspicious Activity Reports (SARs) directly with federal agencies.

The “Naked” Code: A 53MB Security Fumble

The core of the discovery stems from a catastrophic configuration error on a FedRAMP-authorized government endpoint (app.onyx.withpersona-gov.com). Researchers vmfunc, MDL, and Dziurwa found that the server was publicly serving 53 megabytes of source maps for its JavaScript bundles, with the original, unminified TypeScript embedded in them.

A source map is a debugging artifact that maps a minified bundle back to the files it was built from; when it ships to production with its sourcesContent field populated, anyone who fetches it receives the original files. These maps acted as a blueprint, allowing the researchers to reconstruct the entire frontend codebase of Persona’s government-facing dashboard.

“The source maps don’t just contain variable names; they contain the entire original source,” the report states. “A FedRAMP-authorized government platform serving unminified source maps… the auditors either didn’t check static assets or didn’t know what a source map was.”
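The check the quoted auditors apparently skipped is mechanical. The following is an added example, not code from the report or from Persona: it reads the sourceMappingURL trailer a bundler appends to a built file, resolves (or base64-decodes, for inline maps) the reference, and reports whether the map's sourcesContent carries full original sources. The bundle URL, file paths and map contents are constructed for illustration.

```python
"""Check whether a production JavaScript bundle exposes its source map.

Added example, not code from the report or from Persona. It does what a
static-asset audit should do: read the sourceMappingURL trailer that
bundlers append to a built bundle, resolve or decode the map, and report
whether the map's `sourcesContent` field carries the original source files.
The bundle URL, paths and map below are constructed for illustration.
"""
import base64
import json
import re
from typing import Optional
from urllib.parse import urljoin

# Bundlers emit `//# sourceMappingURL=...` (older tools used `//@`) as the
# final line of a built file.
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)\s*$", re.MULTILINE)


def find_sourcemap_url(bundle_js: str, bundle_url: str) -> Optional[str]:
    """Return the source map reference for a bundle, made absolute against
    the bundle's own URL, or None if the bundle carries no reference."""
    m = SOURCEMAP_RE.search(bundle_js)
    if not m:
        return None
    ref = m.group(1)
    if ref.startswith("data:"):
        return ref  # inline map; nothing to fetch
    return urljoin(bundle_url, ref)


def decode_inline_sourcemap(data_uri: str) -> str:
    """Decode a `data:application/json;base64,...` source map to JSON text."""
    header, _, payload = data_uri.partition(",")
    if not header.startswith("data:") or ";base64" not in header:
        raise ValueError("unsupported data URI for source map")
    return base64.b64decode(payload).decode("utf-8")


def assess_sourcemap(map_json: str) -> dict:
    """Summarise what a source map reveals.

    `sources` alone leaks the original file layout and, via `mappings` and
    `names`, de-obfuscates identifiers. A populated `sourcesContent` leaks
    the complete original files, which is the failure the report describes.
    """
    sm = json.loads(map_json)
    sources = sm.get("sources") or []
    contents = sm.get("sourcesContent") or []
    embedded = [c for c in contents if c]
    return {
        "source_files": len(sources),
        "files_with_full_source": len(embedded),
        "leaks_full_source": bool(embedded),
        "embedded_bytes": sum(len(c.encode("utf-8")) for c in embedded),
        "sample_paths": sources[:3],
    }


# --- constructed sample: a tiny bundle and the map a build would emit ---
SAMPLE_BUNDLE_URL = "https://app.example.invalid/static/js/main.4f2a.js"
SAMPLE_BUNDLE = (
    "var a=function(e){return e.riskScore>80};\n"
    "//# sourceMappingURL=main.4f2a.js.map\n"
)
SAMPLE_MAP = json.dumps({
    "version": 3,
    "file": "main.4f2a.js",
    "sources": ["webpack:///src/review/RiskPanel.tsx", "webpack:///src/api/client.ts"],
    "names": ["isHighRisk", "entity"],
    "mappings": "AAAA,IAAMA,EAAa,SAACC",
    "sourcesContent": [
        "export const isHighRisk = (entity: Entity) => entity.riskScore > 80;\n",
        "export async function getEntity(id: string): Promise<Entity> { return api.get(id); }\n",
    ],
})


def audit_sample() -> dict:
    """Run the check end to end on the constructed sample."""
    url = find_sourcemap_url(SAMPLE_BUNDLE, SAMPLE_BUNDLE_URL)
    # In a live audit you would HTTP GET `url` here; the sample map is local.
    map_json = decode_inline_sourcemap(url) if url.startswith("data:") else SAMPLE_MAP
    report = assess_sourcemap(map_json)
    report["map_url"] = url
    return report


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Run against every script the dashboard loads, a "leaks_full_source": true result on any bundle is the finding. The remediation is on the build side: keep source maps out of the deployed asset directory, or configure the bundler to write them without the sourceMappingURL trailer (webpack's hidden-source-map devtool does this) and upload them only to an internal error-tracking service.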

OpenAI’s “WatchlistDB”

While OpenAI has publicly required ID verification for its advanced models since mid-2025, Certificate Transparency (CT) logs tell a different story. The researchers identified a dedicated Google Cloud instance, openai-watchlistdb.withpersona.com, for which CT logs show certificates issued since November 2023, roughly 18 months before the public requirement.

Timeline of Infrastructure Evolution

Date     | Event                | Significance
Nov 2023 | Service goes live    | Infrastructure operational 18 months before public disclosure.
Sep 2024 | OpenAI customer page | Formalization of the partnership.
Feb 2026 | “Onyx” subdomain     | Appearance of a dedicated federal surveillance-linked instance.

The researchers argue that this dedicated infrastructure suggests “compartmentalization” typically reserved for high-stakes federal data, far exceeding standard “Age Verification” needs.
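The dating in the timeline above rests on one technique: the earliest certificate logged for a hostname bounds when its operator provisioned TLS for it. The following is an added example, not code from the report, showing how such a timeline is derived from CT records. It handles two details that trip up naive counts: wildcard names do not establish a specific host, and a precertificate and its final certificate share a serial number and can both appear in the logs. The records are constructed in the shape crt.sh returns from its JSON output, and the hostnames are placeholders, not the page's.

```python
"""Date hostnames from Certificate Transparency records.

Added example, not code from the report. The earliest `not_before` among
certificates logged for a name is a lower bound on when its operator
provisioned TLS; CT proves issuance, not traffic, so "first certificate" is
not the same as "service live". The records below are constructed in the
shape crt.sh returns for a query such as
https://crt.sh/?q=%25.idv.example&output=json (hostnames are placeholders).
"""
from collections import defaultdict
from datetime import date, datetime
from typing import Dict, List, Tuple


def first_seen(records: List[dict]) -> Dict[str, Tuple[str, int]]:
    """Map each non-wildcard hostname to (earliest not_before date, distinct certs).

    A precertificate and its final certificate share a serial number and can
    both appear in logs, so certificates are counted per serial, not per row.
    """
    dates = defaultdict(list)
    serials = defaultdict(set)
    for r in records:
        issued = datetime.fromisoformat(r["not_before"])
        # name_value lists every SAN in the certificate, newline separated.
        for name in r["name_value"].splitlines():
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue  # a wildcard does not establish a specific host
            dates[name].append(issued)
            serials[name].add(r["serial_number"])
    return {h: (min(ds).date().isoformat(), len(serials[h])) for h, ds in dates.items()}


def hosts_first_seen_since(seen: Dict[str, Tuple[str, int]], since: str) -> List[str]:
    """Hostnames whose first certificate is on or after `since` (YYYY-MM-DD)."""
    cutoff = date.fromisoformat(since)
    return sorted(h for h, (first, _) in seen.items() if date.fromisoformat(first) >= cutoff)


# Constructed records; field names follow crt.sh's JSON output.
SAMPLE_RECORDS = [
    {"serial_number": "0a01", "common_name": "app.idv.example",
     "name_value": "app.idv.example\nwww.idv.example", "not_before": "2022-03-01T00:00:00"},
    {"serial_number": "0a02", "common_name": "watchlistdb.idv.example",
     "name_value": "watchlistdb.idv.example", "not_before": "2023-11-14T08:21:33"},
    # precertificate row for the same certificate as above
    {"serial_number": "0a02", "common_name": "watchlistdb.idv.example",
     "name_value": "watchlistdb.idv.example", "not_before": "2023-11-14T08:21:33"},
    # renewal a year later
    {"serial_number": "0a03", "common_name": "watchlistdb.idv.example",
     "name_value": "watchlistdb.idv.example", "not_before": "2024-12-01T00:00:00"},
    {"serial_number": "0a04", "common_name": "*.idv.example",
     "name_value": "*.idv.example", "not_before": "2021-01-01T00:00:00"},
    {"serial_number": "0a05", "common_name": "onyx.idv-gov.example",
     "name_value": "onyx.idv-gov.example", "not_before": "2026-02-04T12:00:00"},
]


def timeline() -> Dict[str, Tuple[str, int]]:
    """First-seen table for the constructed records."""
    return first_seen(SAMPLE_RECORDS)


if __name__ == "__main__":
    for host, (first, n) in sorted(timeline().items(), key=lambda kv: kv[1][0]):
        print(f"{first}  {host}  ({n} certificate(s))")
    print("new since 2026-01-01:", hosts_first_seen_since(timeline(), "2026-01-01"))
```

With real data the same two functions, fed the JSON from crt.sh for a parent domain, produce the kind of table shown above; the caveat stands that a certificate date is evidence the host was provisioned, while what ran behind it has to come from other sources, such as the leaked code.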

From Chatbot to FinCEN Informant

The leaked source code reveals that Persona’s platform is not just verifying IDs; it is a full-service financial intelligence terminal. The dashboard includes a “Send to FinCEN” button, allowing operators to file reports directly to the U.S. Treasury’s Financial Crimes Enforcement Network.

Key Capabilities Revealed:

  • Biometric Databases: The system maintains “Face Lists” with a 3-year retention policy, allowing for recurring screening of users.
  • Intelligence Tagging: Canadian suspicious transaction reports (STRs) can be tagged with codenames from active intelligence programs such as Project ANTON, Project LEGION, and Project SHADOW.
  • Suspicious Entity Detection: Algorithms like SelfieSuspiciousEntityDetection assign “risk scores” to users based on facial similarity to watchlists and “politically exposed person” (PEP) status.
  • AI Copilot: An “AskAI” feature, powered by OpenAI’s API, assists government operators in reviewing these dossiers and suspicious activity reports in real-time.

The “Onyx” Connection

The appearance of the subdomain onyx.withpersona-gov.com on February 4, 2026, has raised eyebrows due to its name-match with Fivecast ONYX, an AI surveillance tool used by ICE and CBP.

While the researchers clarify that the leaked code does not explicitly mention ICE or Fivecast, they note the infrastructure correlation is “real” and suggests a high-level integration of identity verification with federal enforcement.

Response and “Dead Drops”

Persona CEO Rick Song has reportedly entered into written correspondence with the researchers, promising to address 18 specific questions regarding the platform’s operations.

The researchers, meanwhile, have issued a “Dead Man’s Switch” warning, stating that their findings have been distributed across multiple jurisdictions and third-party archives. They maintain that all information was gathered through passive reconnaissance and public sources, citing Van Buren v. United States as legal protection for their research.

“They told us the future would be convenient,” the report concludes. “The source code said SelfieSuspiciousEntityDetection.”

Source: vmfunc
