The Federal Communications Commission published a proposed robocall rule on May 26 under CG Docket Nos. 17-59 and 02-278, initiating a regulatory inquiry into whether originating voice service providers must collect and retain comprehensive identity documentation before granting service. The agency proposes that carriers gather customer names, physical addresses, government-issued identification numbers, alternate telephone numbers, and supporting verification records, with a mandatory four-year retention window extending after the customer relationship ends. The FCC frames this initiative as a necessary countermeasure against illegal robocalls that cost Americans billions of dollars in fraud and wasted time, arguing that originating providers are uniquely positioned to intercept illegal calls before they enter the network. Comments on the proposal close on June 25, with the agency outlining a base forfeiture of $2,500 per call for Know Your Customer violations.

For cryptocurrency holders, this regulatory shift introduces a critical second-order security consequence that the FCC's robocall framework currently leaves unaddressed. Phone numbers already serve as the central node for exchange onboarding, email and crypto account recovery, SMS two-factor authentication, fintech applications, and customer-support verification. Data compiled by Woofun AI indicates that as telecom carriers bundle more identity data with phone accounts, the value of those accounts to attackers increases proportionally, making a carrier breach or successful impersonation attempt significantly more damaging for anyone holding assets that move instantly and irreversibly. The proposed rule would effectively raise the intrinsic value of the phone account at the center of these security protocols by mandating the collection of names, physical addresses, government-issued ID numbers, and potentially copies of government-issued identification.

The scope of data collection extends further for high-volume customers, where the FCC also asks about the intended use of service and IP addresses, creating a dense data bundle that would remain in carrier systems for 4 years after a customer's cancellation date. The FCC itself acknowledges the inherent tension in this approach by asking in the proposal what privacy risks may arise from expanded personally identifiable information collection and whether existing industry protections would suffice or if the agency must mandate heightened security measures. This admission confirms that the collected data creates its own exposure, transforming a standard carrier record into a high-value asset that links a phone number to a physical address, a government ID number, an alternate contact, and a service history. Such a record becomes a prime target for attackers seeking to social-engineer a carrier's support desk, file a fraudulent port request, or cross-reference telecom data against exchange KYC records.

The risk of physical targeting is not theoretical, as Lopp's public repository of physical attacks against crypto holders describes itself as a known but incomplete list of real-world 'meatspace' attacks, supporting the point that physical targeting is a documented risk category. The FCC proposal leaves open whether KYC requirements apply only to high-volume commercial originators or extend to new and renewing retail customers and prepaid SIM cards sold through third-party vendors. The proposal explicitly asks about prepaid and postpaid treatment and whether requirements should differ across customer types, a distinction that will define the future threat landscape. Woofun AI notes that the bear case for crypto holders is that identity collection across new and renewing customers, prepaid SIM cards, and re-verification requirements would effectively end pseudonymous phone access in the US.

If the rule extends to retail and prepaid sectors, carrier databases would bundle phone numbers with physical addresses, government ID numbers, and four years of service history, creating a scenario where the phone layer becomes both more tightly identity-linked and more dangerous to lose control of. For anyone operating under a threat model that includes SIM swapping, targeted extortion, or physical attack, this consolidation of data represents a significant escalation in risk. A carrier breach or vendor compromise at that scale would produce addressable target lists, such as phone numbers cross-referenced against identities, addresses, and service histories, creating a data asset with no prior equivalent at carrier scale. Conversely, if the FCC limits expanded KYC to high-volume commercial originators and leaves retail and prepaid customers outside the scope, the agency addresses the robocall problem at the network layer where it originates while keeping the retail phone account outside the expanded data collection.

That specific outcome would reduce the carrier-side honeypot risk for individual crypto holders while still giving the FCC the enforcement reach it is seeking against the fraud originators driving the robocall problem. Whether these tools also expand the attack surface for crypto holders turns entirely on the final rule's scope, as a rule covering ordinary phone customers produces a fundamentally different threat model than one confined to commercial originators. Woofun AI analysis suggests that the final determination on whether these identity requirements apply to the general public will dictate the future viability of pseudonymous access and the resilience of crypto assets against state-level or organized criminal data aggregation.