Cybersecurity researchers have discovered a dark web criminal operation that collects facial ID images and genuine identity documents to bypass identity verification systems. The group, primarily active in Latin America and Eastern Europe, pays individuals for their personal information. iProov’s biometric threat intelligence unit found that the operation has gathered a substantial collection of identity documents and matching facial images.
This data is used to defeat Know Your Customer (KYC) verification processes, which are essential for preventing identity fraud in the financial sector. Andrew Newell, chief scientific officer at iProov, expressed concern about the sophisticated nature of the operation and the willingness of people to sell their identities for short-term financial gain. He warned that these complete, genuine identity packages can be used for complex impersonation fraud that is difficult to detect through traditional verification methods.
The iProov report outlines the attack process, which targets the three main steps of identity verification: document verification, facial matching, and liveness detection.
Biometric threat escalation on dark web
Attackers use genuine documentation to bypass document verification, pair legitimate facial images with the corresponding identity documentation to defeat facial matching, and employ various techniques like deepfakes and 3D modeling to circumvent liveness detection.
To counter these threats, iProov recommends a multi-layered verification system that includes matching presented identity to official documents, using embedded imagery and metadata analysis to detect malicious media, implementing a unique challenge-response to confirm real-time identity verification, and combining technologies and threat intelligence for comprehensive detection, response, and mitigation.
Group-IB researchers have shown that liveness detection in facial biometrics is no longer foolproof, as attackers have used AI-generated deepfake images to bypass biometric verification systems. Face-swapping technologies enable attackers to replace one person’s face with another’s in real time using just a single photo.
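The server-side bookkeeping behind the "unique challenge-response" recommendation, as an added example that is not from the iProov report or any vendor's product. It assumes a hypothetical capture pipeline that recovers a colour sequence from the submitted video; the class name, colour set, sequence length and 10-second lifetime are all illustrative choices.

```python
import hmac
import secrets
import time

COLOURS = ("red", "green", "blue", "yellow")  # assumed challenge alphabet


class ChallengeStore:
    """Issues unpredictable, short-lived, single-use liveness challenges."""

    def __init__(self, ttl=10.0, clock=time.monotonic):
        self._ttl = ttl          # seconds a challenge stays valid (assumed value)
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # challenge_id -> (session_id, sequence, expires_at)

    def issue(self, session_id):
        """Create a random challenge bound to exactly one verification session."""
        challenge_id = secrets.token_urlsafe(16)
        sequence = tuple(secrets.choice(COLOURS) for _ in range(6))
        expires_at = self._clock() + self._ttl
        self._pending[challenge_id] = (session_id, sequence, expires_at)
        return challenge_id, sequence

    def verify(self, session_id, challenge_id, observed_sequence):
        """Check the sequence recovered from the capture; returns (ok, reason).

        The challenge is consumed on the first attempt, pass or fail, so a
        recorded or synthetic clip cannot be submitted against it again.
        """
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False, "unknown_or_replayed"
        bound_session, sequence, expires_at = entry
        if bound_session != session_id:
            return False, "session_mismatch"
        if self._clock() > expires_at:
            return False, "expired"
        expected = ",".join(sequence).encode()
        observed = ",".join(map(str, observed_sequence)).encode()
        if not hmac.compare_digest(expected, observed):
            return False, "sequence_mismatch"
        return True, "ok"
```

The rejection reasons are worth logging separately: repeated `unknown_or_replayed` or `expired` results for one account are a signal for the monitoring and threat-hunting layers rather than a simple user error.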
As identity theft evolves, consumers and organizations must adopt advanced security measures to protect their identity verification processes. This includes continuous monitoring, incident response, proactive threat hunting, and ongoing education and awareness. The findings were shared with local authorities in affected regions, and iProov emphasized the importance of informing both organizations and the public about the dangers of selling personal data and the steps needed to secure identity verification processes against increasingly sophisticated cyber threats.