Research & Opinion
AI vs AI: How Cybercriminals Are Exploiting Deepfake Technology to Target eKYC Systems
The evolution of Know Your Customer (KYC) processes has brought convenience and improved security to industries like finance, e-commerce, and government services. Yet, advancements in deepfake technology present a growing threat to the integrity of electronic KYC (eKYC) systems. This detailed study explores the vulnerabilities in eKYC systems, the methods used by malicious actors, and strategies to mitigate these risks.
eKYC: A Critical Tool in Identity Verification
eKYC has become an essential component for onboarding customers online, requiring the scanning of ID cards and facial recognition to verify identity. Providers like Jumio, Onfido, Shufti Pro, Veriff, and IDScan dominate the market, integrating AI models built on frameworks such as TensorFlow Lite and ONNX to detect fraud and validate user identities.
However, deepfake-based attacks have exposed significant weaknesses. Criminals exploit vulnerabilities to bypass these systems, leading to identity theft, financial fraud, and data breaches.
How Deepfakes Exploit eKYC Systems
1. Modus Operandi
Deepfakes use AI to generate realistic fake images or videos, which can trick eKYC systems. Key methods include:
- GPU-powered tools like Deepfake Offensive Toolkit (DOT) and Deep-Live-Cam.
- Cloud services that support virtual camera setups for seamless manipulation.
- Bypass-as-a-Service offered on underground forums, with costs ranging from $30 to $600.
2. Examples of Breaches
- Successful deepfake bypassing of Veriff using an Android Cloud setup.
- High confidence scores achieved against IDScan, despite additional local checks.
Vulnerabilities in eKYC Systems
- Low-Resolution AI Models: Many providers operate at minimal resolutions to ensure compatibility with low-end devices, inadvertently making it easier for deepfakes to pass.
- Data Centralization Risks: Sensitive data processed by multiple providers raises concerns about data security and transfer chains.
- Lack of Robust Liveness Checks: Passive liveness checks, while common, are not foolproof against sophisticated deepfake technologies.
Insights from the Underground Market
Our monitoring of underground forums revealed an active trade of bypass-as-a-service targeting major eKYC providers like Onfido, Jumio, and Sumsub. Tutorials, tools, and even stolen biometric data are widely available, lowering the barrier for criminals.
Price Points:
- Standard eKYC bypass: ~$30.
- High-value targets (e.g., Binance accounts): $180–$600.
Techniques Shared:
- Use of OBS Studio and GPU-powered deepfake apps.
- Exploitation of remote Android firmware for real-time spoofing.
Recommendations for Strengthening eKYC Systems
1. Advanced Deepfake Detection Models:
Deploy AI models trained to identify synthetic media alongside traditional verification systems.
2. Dynamic Liveness Checks:
Implement real-time user interactions, such as unpredictable head movements or gestures, to verify authenticity.
3. Enhanced Resolution Flexibility:
Adjust webcam resolution dynamically to counter virtual camera exploits.
4. Penetration Testing:
Commission regular security assessments by specialized firms to identify and address vulnerabilities.
5. Collaborative Fraud Databases:
Incorporate checks against commercial anti-fraud databases for additional layers of security.
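As an added illustration of the dynamic liveness check in recommendation 2 (example code written for this article, not from any eKYC provider named above), the server below issues a randomly chosen, short-lived, single-use gesture sequence and verifies the client's report against it. The gesture names, the TTL and the session identifiers are assumptions; the client-side gesture detector is out of scope and is represented only by the list it reports.

```python
import secrets
import time

# Gesture vocabulary the client-side detector reports (assumed names, constructed).
GESTURES = ("turn_left", "turn_right", "look_up", "look_down", "blink")


class LivenessChallenge:
    """Server-side issuer/verifier for a random, short-lived gesture sequence.

    The server, not the client, picks the sequence, so a pre-rendered deepfake
    video cannot know it in advance; a short TTL limits the time a real-time
    face-swap tool has to react; single use blocks replay of a recorded pass.
    """

    def __init__(self, ttl_seconds=20, length=4):
        self.ttl = ttl_seconds
        self.length = length
        self._pending = {}  # nonce -> (session_id, sequence, issued_at)

    def issue(self, session_id, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        # secrets.choice draws from a CSPRNG; random.choice would be predictable.
        sequence = tuple(secrets.choice(GESTURES) for _ in range(self.length))
        self._pending[nonce] = (session_id, sequence, now)
        return {"nonce": nonce, "sequence": sequence, "expires_at": now + self.ttl}

    def verify(self, session_id, nonce, observed, now=None):
        """Return (ok, reason). The nonce is consumed whether or not it succeeds."""
        now = time.time() if now is None else now
        entry = self._pending.pop(nonce, None)  # single use: a replay fails here
        if entry is None:
            return False, "unknown_or_replayed_nonce"
        owner, sequence, issued_at = entry
        if owner != session_id:
            return False, "session_mismatch"
        if now - issued_at > self.ttl:
            return False, "expired"
        if tuple(observed) != sequence:  # order matters, not just the set of gestures
            return False, "sequence_mismatch"
        return True, "ok"


def demo():
    """Issue one challenge, pass it once, then show the replay being rejected."""
    lc = LivenessChallenge(ttl_seconds=20)
    ch = lc.issue("session-demo", now=1000.0)
    first = lc.verify("session-demo", ch["nonce"], ch["sequence"], now=1005.0)
    replay = lc.verify("session-demo", ch["nonce"], ch["sequence"], now=1006.0)
    return first, replay
```

In production the sequence would be delivered over the authenticated onboarding session and the gesture detector's output would be checked for timing consistency as well, which this example does not model.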
Conclusion
The growing sophistication of deepfake technology poses a significant threat to the effectiveness of eKYC systems. Our findings reveal that open-source tools and underground services enable criminals to exploit weaknesses in current verification processes. Financial institutions, online businesses, and eKYC providers must adopt stronger countermeasures to safeguard against these evolving threats.
By investing in deepfake detection, dynamic verification methods, and robust data protection protocols, organizations can fortify their defenses against this alarming trend.