When the Verifier is the Accuser: A ZK-Project Faces the Copyright Cross-Examination
CryptoWhale
The complaint is 147 pages long. It opens with a cold, data-dump exhibit: a list of 18,472 GitHub repositories, each timestamped and hashed onto the Ethereum blockchain. The plaintiffs — four independent open-source authors and a software foundation — allege that the team behind the zkAI protocol copied their code verbatim to train a large language model, then wrapped the resulting model in a zero-knowledge circuit to obscure the provenance. Math doesn't lie, they claim; the Merkle proofs do.
This is not the Google Books case. It is not about web scraping or fair use in the abstract. It is about a blockchain-native AI project that used the immutability of its own data layer as a weapon — and now discovers that the same immutability is a liability. The project, which I will call zkAI because the legal team has requested anonymity until the motion to dismiss is filed, raised $45 million in a private token sale. Their pitch: a decentralized inference network where developers could query a ZK-verified model without revealing their inputs. The model itself, they claimed, was trained on 'publicly available data.' The plaintiffs counter that 'publicly available' does not mean 'freely usable for commercial AI training,' and that the project's own GitHub commit history proves they knew the code was under GPLv3.
Let me be precise. Under U.S. copyright law (17 U.S.C. § 106), the right to reproduce and prepare derivative works is exclusive to the author. The zkAI team likely intended to argue that the training process constitutes a 'transformative use' under the fair use doctrine (17 U.S.C. § 107). But here is the structural hole in their defense: zero-knowledge proofs are designed to verify computation without revealing the input data. In this case, the project published ZK proofs that their model's output was generated correctly — but those proofs do not certify that the training data was licensed. The protocol guarantees correctness of execution, not legality of source. That technical gap is exactly what the plaintiffs are attacking.
I wrote about a similar tension in my 2022 analysis of on-chain identity oracles: 'Privacy is a protocol, not a policy.' You can have a perfectly sound cryptographic scheme that, when fed tainted data, produces a tainted outcome. The zkAI project optimized for privacy of inference but ignored the compliance of training. The result is a system that is mathematically sound yet legally fragile. The court will not care about the soundness of the Groth16 setup if the inputs themselves are stolen.
Now examine the core evidence. The plaintiffs' expert, a former engineer at a major cloud provider, reconstructed the training pipeline from the project's published checkpoint hashes. Each hash corresponds to a snapshot of the model weights. By comparing those hashes with known open-source code bases, they found a statistical fingerprint: the model's output for certain code-completion tasks matches the GPL-licensed repositories with 98.7% BLEU-score overlap. The project's defense is that the model learned 'general programming patterns' — a common argument in AI copyright cases. But the signature patterns they used, such as uncommon variable naming conventions specific to one author, suggest memorization, not generalization.
This is where the blockchain element becomes a double-edged sword. The project used an on-chain registry to timestamp each training epoch, claiming transparency. In doing so, they created an immutable audit trail of exactly when and how the model ingested data. The plaintiffs subpoenaed the registry and cross-referenced the timestamps with GitHub push events. The correlation was overwhelming: within 48 hours of a new repository being pushed, the zkAI pipeline would include it in the next training batch. The very ledger designed to build trust is now the primary evidence of infringement.
The contrarian angle is uncomfortable for the blockchain community. Many projects preach that 'code is law' and that public blockchains provide transparency. But here, transparency cuts against the project. The plaintiffs are not trying to seize the smart contract; they are trying to seize the model weights. The DAO structure of zkAI — a multi-sig treasury controlled by token holders — does not shield the developers from personal liability. In fact, the decentralized governance might make it harder to negotiate a settlement because there is no single legal entity with clear signatory authority. The DAO is a compliance shield only until someone pokes a hole in it.
I have seen this pattern before. In 2021, I audited an NFT minting contract that claimed to verify artist signatures on-chain. The signature verification was correct, but the off-chain ingestion of metadata was never checked for copyright. The project raised millions and then collapsed under a class-action suit. The same structural flaw repeats here: the blockchain layer handles verification of the final output, but the input pipeline is an unregulated wild west. The zkAI team could have used a permissioned data DAO with explicit licensing terms, but they chose speed over compliance.
What should they have done? A prescriptive implementation: before you train, generate a Merkle tree of all data sources, each leaf containing a cryptographic commitment to the license. Then, for each training epoch, produce a ZK-proof that the data used in that epoch is a subset of the licensed dataset. This is possible with current zk-SNARKs, though the proof generation time would increase. The trade-off is performance for legal safety. The zkAI project valued latency over liability. That choice now threatens its existence.
Looking ahead, the court is likely to deny the motion to dismiss, pushing the case into discovery. At that stage, the project's internal Slack messages and training scripts will be exposed. The token price will crater. The plaintiffs will seek a class certification. The outcome — whether settlement or verdict — will set a precedent for every blockchain project that trains on public data. The era of 'we scraped it because it was public' is ending. The next generation of ZK projects must bake data provenance into their proof system from day one.
Mike Thomas is a zero-knowledge researcher based in Kuala Lumpur. The views expressed here are her own and do not represent any institution.