• The EU’s age verification app was bypassed within minutes of its launch by security consultant Paul Moore.
• Telegram CEO Pavel Durov called the system “hackable by design” and warned it could become a surveillance tool.
• EU officials acknowledged the vulnerabilities and released an updated version of the app.

The European Union’s new age verification app—touted by Commission President Ursula von der Leyen as “completely anonymous” and “technically ready”—got hacked within minutes of going live. Security consultant Paul Moore demonstrated that both PIN and biometric checks could be bypassed, exposing what he called glaring privacy and security flaws in a system designed to protect minors online.

The app was first introduced in July 2025 as part of the EU’s broader digital identity framework. It’s meant to verify whether users are over 18 without exposing personal data—replacing the pop-up age confirmation banners that currently rely on users clicking “I am 18” and hoping for the best. The code was published on GitHub, though it’s not yet available for public download.

Pavel Durov, the CEO of Telegram, weighed in on X with a characteristically blunt assessment. “The ‘age verification app’ the EU wants to impose on the world got hacked in 2 minutes,” wrote Durov. He outlined what he called a three-step playbook: present a “privacy-respecting” but hackable solution, get hacked, then remove privacy to “fix” it. “Result: a surveillance tool sold as ‘privacy-respecting.’”

Why the EU Age Verification Hack Matters

The vulnerabilities Moore identified aren’t theoretical edge cases. He showed that the app’s authentication layer—the part that’s supposed to prevent minors from simply lying about their age—could be circumvented in under two minutes. The system relies on linking user authentication to identity data, but the handoff between those two layers is where the cracks appear.

EU officials acknowledged the system isn’t fully secure. Commission spokesman Thomas Regnier confirmed that “a new version” of the app is being pushed out to address the issues. He also defended the open-source approach, saying transparency was intentional—to let developers test and improve the system. That framing is generous. Releasing code that demonstrably fails its core security requirement isn’t a feature. It’s a liability.

The broader context is what makes this story land. Age verification is becoming a regulatory arms race. The EU wants to enforce it across member states. The UK’s Online Safety Act already mandates it. Australia banned social media for under-16s. And every jurisdiction is running into the same wall: you can’t verify age at scale without either collecting invasive personal data or building systems that are trivially bypassed.

The Surveillance Question Nobody Wants to Answer

Durov’s warning isn’t just about one app. It’s about the trajectory. The EU’s age verification tool is designed to be anonymous today—but the infrastructure it creates could easily be repurposed for broader identity tracking across online platforms. Once you build a system that knows who’s browsing what, the temptation to expand it doesn’t disappear.

The irony is thick. The same week the EU’s app was cracked open, Anthropic faced backlash for requiring passport verification to use Claude. Meanwhile, Roblox just agreed to implement platform-wide age verification after a $12.5 million settlement. The tech industry is racing toward mandatory identity checks—and none of the implementations so far have inspired confidence.

The EU’s app code remains on GitHub, awaiting security patches. Von der Leyen hasn’t publicly addressed the hack. And the fundamental question—whether anonymous age verification is even possible at scale—remains unanswered.
