EU Age Verification App Hacked In Under Two Minutes...And It Gets WORSE!
by James Corbett
corbettreport.com
April 26, 2026
Here’s a question: how long does it take a security consultant to hack the EU’s new “technically ready” age verification app?
And here’s the answer: under two minutes.
Undoubtedly, the story of the EU’s spiffy new age verification app and the glaring technical errors that immediately made a mockery of its claims to “technical readiness” is remarkable enough.
But this isn’t just an amusing story of the EU’s technocratic incompetence. It’s actually a case study in cyber false flags. And that story tells us something important about the coming digital dystopia.
Do you want to know the details? Then read on!
The “Amusing Story” of the EU’s Remarkable App Failure
As anyone who has been following the news will know, governments around the world are scrambling to impose age verification requirements on social media sites in the name of “protecting children” from “online harms.” Last year’s rollout of Australia’s social media ban—a new law “restricting all users under 16 from holding accounts on major platforms including TikTok, Snapchat, YouTube, Reddit, Instagram, Facebook, Kick, Twitch, Threads and X”—was the first and best-known example of this trend. Since then, Brazil, Canada, Turkey, Norway, Japan, Greece, various US states and a growing list of other governments have begun forwarding or passing similar legislation.
In order to help implement the “solution” to this “problem” of verifying the age of social media users, governments are also looking to get into the age verification app market. The EU, for example, began promising a “blueprint for age verification online” in July 2025, when European Commission Executive Vice-President Henna Virkkunen revealed that the Commission was “developing a common approach” to “an EU-harmonized age verification method” with member states.
That “solution” finally arrived last month in the form of the EU Age Verification Wallet, a new app launched with much fanfare by European Commission President Ursula von der Leyen at a press conference on April 15.
The only problem? Despite von der Leyen’s assurance that the app is “technically ready and soon available for citizens to use,” it took security researcher Paul Moore a mere two minutes to hack it.
In fact, as he went on to elaborate, the security architecture of this app is so flawed that it almost defies credulity. According to Moore, the app:
stores the source image used to collect verification data to disk without encryption and does not delete that data correctly;
uses “an incrementing number in the same config file” for rate limiting, meaning attackers can simply set the number back to “0” and keep trying;
does not tie the user-registered PIN to the vault which contains the identity data, meaning “an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app”; and
limits the number of age verifications available to a user while at the same time setting an “expiry date” for their proof of age.
For those not versed in techno-jargon, these are very bad things that make the app incredibly vulnerable to attack and that expose users’ private information, including passport scans and biometric images.
Unsurprisingly, the tech journos at Wired and TechPolicy.press and the mainstream repeaters at Politico and The Independent have tended to cover the scandal as a “whoopsie-daisy” story demonstrating the incompetence of otherwise well-meaning technocrats. In its article on the subject, for example, Politico writes: “The saga is turning into a PR disaster for Brussels.”
Oh, no! Won’t someone think of the European Commission’s PR department!?
In an apparent effort to turn this “PR disaster” around, last week the EUreaucrats released a “bugfix” designed to address the app’s glaring security flaws.
...But, as Paul Moore immediately pointed out, this “fix” was as fundamentally flawed as the original release. Specifically, the EU eggheads:
“fixed” the problem of on-device data encryption...by introducing three deprecated dependencies;
“fixed” the problem of passport onboarding by introducing a mechanism for deleting passport photos when they are no longer needed...but forgot to encrypt those photos;
“fixed” the problem of PIN storage by salting and hashing the PIN...using an outdated standard relying on an inappropriately low number of iterations.
Again, for those not versed in security babble: this is bad. In fact, as Moore observes, it’s no more than “security theater.” These fixes are designed to sound impressive but, in reality, do not address the app’s fundamental security flaws.
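To make two of Moore’s points concrete (the PIN that isn’t tied to the vault, and the under-iterated PIN hash), here is an added sketch, not code from the EU app or from Moore, of a vault whose key is derived from the PIN with scrypt, so that deleting stored values leaves it unreadable rather than unlocked. The function names, record fields and scrypt cost are assumptions, and the HMAC keystream is a standard-library stand-in for a real AEAD cipher. Because a short PIN can still be guessed offline, a production app would also wrap the key in the phone’s hardware-backed keystore.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost for this sketch (about 16 MiB of memory per guess).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=64)
FIELDS = ("salt", "nonce", "ct", "tag")  # hypothetical on-disk record layout

def _keys(pin, salt):
    """Derive independent encryption and MAC keys from the PIN."""
    k = hashlib.scrypt(pin.encode(), salt=salt, **SCRYPT)
    return k[:32], k[32:]

def _xor_stream(key, nonce, data):
    """HMAC-SHA256 in counter mode; stdlib stand-in for AES-GCM or ChaCha20."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(pin, identity):
    """Build the record written to disk. No PIN or PIN hash is stored."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(pin, salt)
    ct = _xor_stream(enc_key, nonce, identity)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(pin, record):
    """Return the plaintext, or None on a wrong PIN or an edited record."""
    if any(f not in record for f in FIELDS):
        return None  # a deleted field leaves the vault unreadable, not open
    enc_key, mac_key = _keys(pin, record["salt"])
    want = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, record["tag"]):
        return None
    return _xor_stream(enc_key, record["nonce"], record["ct"])

if __name__ == "__main__":
    rec = seal_vault("4821", b"constructed passport data")  # constructed sample
    print(open_vault("4821", rec))  # right PIN
    print(open_vault("0000", rec))  # wrong PIN
    print(open_vault("4821", {k: rec[k] for k in ("ct", "tag")}))  # values deleted
```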
This is where we might be tempted to join in with the establishment toadies who are lambasting the European Commission’s tech team for their incompetence. But if we stop our critique of this app there, we risk falling into an insidious trap.
As it turns out, there’s an even darker theory about this disastrous app rollout: these security “failures” aren’t failures at all...
The Not-So-Amusing Theory That This Wasn’t A “Failure”
When confronted with the catastrophic failure of an establishment institution, mainstream “skeptics”—the kind of people who have posters of Michael Shermer hanging on their wall and keep Snopes.com bookmarked in their browser—love to cite the rule of thumb known as Hanlon’s Razor. As any fact checker worth their salt will tell you, this adage states: “Never attribute to malice that which is adequately explained by stupidity.”
But what is to be done in a case like the EU app disaster? After all, as Moore and others have noted, this is no mere case of an inexperienced programmer making a simple coding mistake. Rather, this app has been designed with fundamental security flaws baked into its digital DNA. Is this just a case of “awww shucks” incompetence?
Pavel Durov, for one, doesn’t think so. You might recognize him as the co-founder and CEO of Telegram, the social media and instant messaging platform. You might also recall that Durov was arrested by French authorities in 2024 because they were unhappy with the lack of censorship on Telegram. And, as you might imagine, he has a very different take on this EU app rollout than that proffered by the establishment press.
“Don’t rush to laugh at EU bureaucrats,” Durov wrote in a recent Telegram post addressing the story. “Their age verification app was hackable by design — it trusted the device (that’s instant game over).”
He then goes on to speculate about the real agenda behind this supposed “failure.”
Unless the EU is run by clowns 🤡, this is their real plan:
Step 1 — Present a “privacy-respecting” but hackable app.
Step 2 — Get hacked (*YOU ARE HERE*).
Step 3 — Remove privacy to “fix” the app.
Result — a surveillance tool sold as “privacy-respecting.”
The EU bureaucrats needed an excuse to silently start turning their “privacy-respecting” age verification app into a surveillance mechanism over all Europeans using social media. Today’s “surprising hack” just handed this excuse to them.
In other words, Durov is positing the theory that this app rollout was in fact a type of virtual false flag event. The EUreaucrats don’t want to create an app that actually respects users’ privacy or an app that actually helps users retain control of their identity and information. Rather, they want to install a Big Brother-esque surveillance app on everyone’s phone to snarf up as much of those users’ data as possible.
But these crafty technocrats knew that if they rolled out such an intrusive app right away, the public would reject it. So, instead, they rolled out a shoddy, easily hackable app to demonstrate that their concern for respecting users’ privacy was in fact putting people at risk. Now, they just have to offer their (pre-planned) “solution”—a security-hardened but surveillance-heavy app—and watch as the public clamours for it.
You have to hand it to the EUreaucrats: if this is indeed their plan, it’s just devious enough to dupe most of the public. Any thought that the app was designed to be hackable on purpose can be dispelled by the faux-skeptics bleating about “Hanlon’s Razor” and the mainstream repeaters covering the story as an example of government “incompetence.”
In this case, perhaps we can counter Hanlon’s Razor with a formulation of our own. Let’s call it Corbett’s Cutter: “Never attribute to stupidity what can best be explained by deliberate sabotage.”
But even if Corbett’s Cutter does explain the incomprehensibly bad security architecture of this app, it still leaves us with one rather large question: why are governments around the world suddenly so obsessed with age verification? Why are they acting as if knowing the age of internet users is such a pressing issue?
From Age Checks to ID Checkpoint
The “age verification” part of the technocratic agenda is a red herring, of course. Governments don’t care about keeping children safe—see the COVID jabs and puberty blockers for two recent demonstrations of this fact—and they are not scrambling to verify everyone’s age online out of concern for the younglings on TikTok.
Rather, this is about control. The end goal—as dedicated Corbett Reporteers will know by now—is the ultimate technocratic control grid. This control grid will involve not just total surveillance of all citizens in real time—including their precise location and movements, their interactions, their activities and logs of their conversations—but control of their transactions through a digital currency of one sort or another.
But this control grid is predicated on digital ID. In order to run and implement such a system, the would-be controllers of humanity need to have everyone in their digital database and they need to tie their devices and all of their digital doings to a single unique identifier.
In the COVID era, this push toward digital identification was sold as a necessary part of the biosecurity state. “You don’t want to kill grandma, do you? Then you’d better let us track your movements on our contact tracing apps, and you’d better comply with our digital vaccine passport checks!”
Needless to say (but I’ll say it anyway), that was a lie. Or, more accurately, it was a convenient excuse—a pretense used to justify building a vast digital infrastructure for tying people’s movements and interactions to a unique digital identifier.
Now that the scamdemic is over, the technocrats are looking for a different way to sell this agenda to a credulous public. And so they’ve turned to the familiar refrain of “Won’t someone think of the children!” After all, you want to keep children safe from online predators, don’t you?
Given the foregoing, we can now see the headlong rush toward the age verification paradigm for what it is: a mask for the digital ID agenda. But don’t take my word for it. Take Andy Yen’s.
For those not in the know, Andy Yen is the CEO of Proton AG, the Swiss tech company behind privacy-focused internet services like ProtonMail. Last week, he posted a blog titled “We must keep age verification from killing anonymity online,” in which he outlines the age-verification-to-digital-ID pipeline and talks about the threat to online privacy that it represents.
Online privacy has always been tenuous. But with age verification, we’re on the cusp of, once and for all, requiring ID for every single person going online, for any reason, legal or not, adult or not. And that should terrify us all.
While no business can simply disregard the laws in its jurisdiction, Big Tech companies have demonstrated that they will collude with governments on an industrial scale. They cooperate with hundreds of thousands of data requests from governments every year, many never seen by a judge, and that number is only growing.
What’s more, they are known to cave to state pressure and ban apps. If every Apple account in the UK is tied to a government-issued ID, how long will it be before every other country expects the same? Once you’re using these collected IDs to block access based on age, it’s a short leap to blocking access based on nationality or other factors as well.
How long before China demands the names of every person who downloaded a certain app? How long before lists of “undesirables” are sent to the tech giants, with orders to be blocked from the internet entirely? Is this really a road we’re prepared to go down?
Sadly, the answer to Yen’s final question may well be “yes.”
Indeed, when people are presented with a plausible argument—the EU boffins simply can’t code a privacy-respecting app!—and a plausible motivation—we have to protect the children!—most people will take the bait and sign on to the age verification agenda. Of course, once these well-meaning but too-trusting dupes realize that this isn’t about age verification at all but the creation of a digital dragnet, it will be too late. They will already be trapped in the maw of the digital behemoth.
The real question, then, is: what should we do about this problem? I have my own ideas, as you know, including boycotting the social media giants, supporting the creation of social media alternatives and even rejecting the digital world altogether. I am, of course, curious as to your own thoughts on what you plan to do as the digital ID noose begins to cinch tighter around our necks, and Corbett Report members are invited to log in and leave their thoughts in the comments section below.
But, rather than dwelling on the doom and gloom, let’s focus on a positive takeaway from today’s exploration. The next time some establishment-supporting self-proclaimed “skeptic” tries to use Hanlon’s Razor to explain away a pattern of repeated “failure,” you can now deploy Corbett’s Cutter to cut out their tongue and shove it back down their throat.
...Metaphorically speaking, of course.


