Video KYC Under Attack: How Deepfakes Enter Remote Verification Flows

Most deepfake discussions focus on whether a biometric check passes. Video KYC is a different problem entirely. It is a legally recognised verification channel, granted regulatory equivalence to an in-person meeting in Germany, India, Singapore, and across the EU. A completed session creates an auditable compliance record. When a deepfake gets through, the institution does not just onboard a fraudulent customer. It produces a false record stating that a trained official verified an identity in real time, and that the verification passed. This article examines why that matters, what it means for agent-assisted verification, and what the regulatory frameworks governing video KYC now require.

There is a moment, somewhere in the middle of a live video KYC session, when the verification system makes its decision. The face matches the ID document. The liveness check passes. The account opens. What almost no system can tell you, with any confidence, is whether the face on that call belonged to a real person sitting in front of a camera, or to a deepfake running through a virtual video pipeline on someone else's laptop.

This is not a theoretical vulnerability. It is an operational one, happening at scale, right now. The data from 2024 and 2025 makes the trajectory unmistakable.

Javelin Strategy and Research's 2025 Identity Fraud Study found that new-account fraud losses in the United States alone reached $6.2 billion in 2024, up from $5.3 billion the year before, with 73% of financial institutions reporting a rise in synthetic identity attempts. Cybersecurity firm Group-IB documented a single financial institution recording over 8,000 attempts to bypass its liveness checks for digital KYC loan applications in a period of eight months alone, all using biometric injection with AI-generated deepfakes. Group-IB's Weaponized AI white paper puts the going rate for this kind of capability in stark terms: a technology developer charges a criminal between $10 and $50 to build a deepfake image service, and a ready-to-use synthetic identity sells for as little as $15.

None of those numbers describe isolated incidents or novel proof-of-concept research. They describe a fraud infrastructure that has matured, industrialized, and is now available for purchase on the open internet for less than the cost of a restaurant meal.

Understanding how deepfakes actually get into video KYC flows, technically and operationally, is no longer optional knowledge for compliance, fraud, and technology teams. It is foundational.

‍

The threat that liveness detection was not built to stop

Before getting into the attack mechanics, it helps to understand why the problem is structurally harder than it first appears.

When liveness detection became standard in video KYC, it was designed to defeat presentation attacks: fraudsters holding printed photographs, masks, or pre-recorded video up to a physical camera. The solution worked by looking for evidence that the person in frame was physically present. Does the face move naturally? Are there subtle depth cues? Is there light reflecting correctly off skin? Passive liveness checks do this through a single selfie or short video clip. Active liveness checks add prompts, blink now, turn left, speak a digit, to confirm a live human is responding.

Both approaches share the same foundational assumption: that the video stream originates from a real camera, capturing a real physical scene.

Digital injection attacks break that assumption entirely. Rather than presenting a fake face to a camera, an attacker intercepts the data stream between the camera sensor and the application, and substitutes synthetic video before the verification system ever sees a pixel. There is no physical medium involved. No screen glare, no moiré pattern, no depth anomaly. The injected content is digitally pristine, and passive liveness detection is completely blind to it.

The European Union Agency for Cybersecurity flagged the rise of injection attacks in remote identity proofing as a systemic threat requiring dedicated countermeasures, separate from those designed for physical presentation attacks. The FIDO Alliance's Face Verification certification program now explicitly tests for deepfake and injection attack resilience as a distinct evaluation category, recognizing that these attacks require different defenses. Injection attacks, by multiple industry intelligence accounts, are now significantly more common than their physical counterparts and growing faster than any other attack category in the remote verification threat landscape.

‍

The anatomy of a video KYC deepfake attack

The MITRE ATLAS knowledge base, developed with red team input from biometric security researchers, documented a representative attack chain against video KYC flows in December 2025. Walking through it is instructive, because the technical steps are far less exotic than most compliance teams assume.

The attacker begins with reconnaissance: sourcing high-resolution facial images of a real or synthetic identity from social media, data broker records, or underground markets. These images are fed into a face-swap model such as DeepFaceLive, which performs real-time face substitution at 25 frames per second on consumer-grade hardware. The output is routed through Open Broadcaster Software, which creates a virtual camera output. A tool like Virtual Camera: Live Assist then registers that virtual output as the device's default camera.

When the KYC session opens, the verification platform calls the device camera and receives the deepfake feed. The system logs record a normal session: camera opened, face captured, face matched, liveness passed. Nothing in the audit trail signals that the camera was not a camera.

This attack works on non-rooted, standard Android devices. It requires no technical sophistication beyond following a tutorial. And active liveness detection, the kind that asks users to blink or turn their head, does not stop it. Modern face-swap tools reproduce realistic facial motion responding to prompted challenges. As MITRE ATLAS confirmed, contemporary tools can replicate the facial movements and expected image artifacts that challenge-based verification systems look for. A 2022 study from Zhejiang University, published at USENIX Security, tested injection-based attacks against commercial liveness verification APIs and achieved evasion rates of up to 90% on some platforms.

On browser-based verification flows, the attack vector shifts slightly. JavaScript can intercept navigator.mediaDevices.getUserMedia calls and substitute synthetic video in transit. Browser plugins accomplish the same thing with no code required. For mobile apps, the Frida dynamic instrumentation toolkit hooks camera APIs at the native SDK level, injecting deepfake content directly into the application's data pipeline. Research by Carta and colleagues, presented at the International Multi-Conference on Computing in the Global Information Technology, confirmed that Frida-based injection bypasses both passive and active liveness detection because the liveness module receives attacker-controlled data and processes it as a genuine camera feed.

The emulator pathway deserves separate attention. Running KYC applications inside Android emulators such as BlueStacks or Genymotion on a desktop computer allows attackers to pipe deepfake video through a simulated camera input. The practical implication, documented by security researchers, is that a single machine can run hundreds of parallel onboarding sessions simultaneously. At that point, fraud is no longer an individual act. It is a production process.

‍

When fraud becomes a product

What has changed most dramatically in 2024 and 2025 is not the underlying technology. It is the business model around it.

Cato Networks identified a service called ProKYC in October 2024, sold at $629 per year, which bundles a virtual camera, an emulator, facial animation software, and verification photo generation into a single platform specifically designed to bypass crypto exchange and payment provider KYC. The product has a user interface. It has a support channel. It has documentation.

At the lower end, Trend Micro researchers monitoring underground forums in 2024 found deepfake KYC bypass services advertised daily at prices starting from $30 for standard financial institution bypasses and rising to $200 for more scrutinized excha

nges. Group-IB collected over 300 posts on Telegram channels and dark web forums referencing deepfake KYC bypass between 2022 and September 2025. In its Weaponized AI white paper, the firm described how technology developers specializing in deepfake tools sell capabilities to large-scale fraud operations, with the effect that fraud is getting cheaper, faster, and more scalable with each passing quarter.

Group-IB's research also documented that between January and August 2025, a single financial institution recorded over 8,000 attempts to bypass its liveness checks for digital KYC loan applications, all using biometric injection with AI-generated deepfakes. This is not opportunistic fraud. It is targeted, systematic, and iterative. The attackers test, learn which tool combinations succeed, and return.

The World Economic Forum's 2026 report on digital identity verification evaluated 17 face-swapping tools and 8 camera injection tools, collected from dark web sources and Telegram channels between July 2024 and April 2025. It found that even moderate-quality face-swapping tools, when integrated with camera injection techniques, can deceive biometric systems that rely on any single verification signal. The implication is significant: the attacker no longer needs to be technically sophisticated. They need only to be a customer.

A separate thread of industrialization has emerged in the form of identity farming operations. Criminal groups have been documented paying willing individuals for their genuine identity documents and live face scans, then using AI face-swapping to apply those identities to different people at scale. When a real document matches a deepfake face derived from the document holder's actual images, the attack is structurally indistinguishable from a legitimate customer. Traditional KYC has no framework for this scenario.

‍

What it looks like in practice

The abstract mechanics become concrete when you look at what has actually happened.

The AI fake ID factory

In early 2024, investigative publication 404 Media exposed OnlyFake, an underground platform using neural networks to produce forged identity documents from 26 countries at $15 per document. A reporter successfully used an AI-generated British passport to pass KYC checks at a major crypto exchange. Users in the platform's Telegram channel shared successful bypass confirmations across multiple financial platforms. The operator, Ukrainian national Yurii Nazarenko, pleaded guilty in U.S. federal court in 2025, forfeiting $1.2 million. What made OnlyFake significant was not the document forgery itself but the pipeline it represented: AI-generated face, AI-generated document, AI-animated video. Every element synthetic, every element optimized for KYC evasion.

The face-harvesting trojan

Group-IB's February 2024 research uncovered GoldPickaxe, a banking trojan targeting Android and iOS devices in Thailand and Vietnam, distributed as fake government service applications. Its primary function was biometric harvesting: tricking users into recording face scans and ID documents, which were then processed through AI face-swapping to create deepfakes capable of bypassing facial recognition at financial institutions. Thai police confirmed arrests connected to the operation, with one documented Vietnamese victim losing approximately $40,000 to fraudulent account access. GoldPickaxe represents a more sophisticated threat model than simple injection attacks: it uses real biometric data from real people, deepfake-processed, against the systems those people use legitimately.

Organized account opening fraud

In April 2025, Hong Kong police arrested eight suspects linked to organized crime who had used deepfake technology to merge their faces onto photographs from 21 stolen identity cards. The group made 44 fraudulent bank account opening applications by bypassing facial recognition in digital onboarding flows, as part of a broader operation connected to losses exceeding HK$1.5 billion. This was not individual fraud. It was a coordinated production effort with a clear division of labour between identity sourcing, deepfake production, and account opening.

Each of these cases reflects the same underlying pattern. The attack entry point was video KYC or biometric onboarding. The method combined synthetic media with injection or presentation techniques. And in every case, the verification system approved what it was shown.

‍

The false security of certification

A critical and under-discussed gap exists between what biometric certification actually tests and what the current threat landscape demands.

iBeta certification under ISO 30107-3 is the standard compliance benchmark for liveness detection. It tests Presentation Attack Detection, meaning physical artifacts shown to a camera sensor: photos, videos played on screens, 3D masks. It does not test for virtual camera attacks, digital injection, or SDK-level stream manipulation. A system can hold full iBeta Level 2 certification and be entirely transparent to the dominant attack vector in the market today. Organizations relying on iBeta certification as evidence of deepfake resilience have a significant and often invisible gap in their risk posture.

Gartner's February 2024 prediction captures the institutional reckoning underway: by 2026, 30% of enterprises will no longer consider face biometric verification solutions reliable in isolation due to AI-generated deepfakes. Academic research reinforces why. A 2025 benchmark study published on arXiv, the Deepfake-Eval-2024 project, evaluated detection models against 45 hours of real-world deepfake video from 88 websites across 52 languages. It found that many off-the-shelf detection models scored at AUC values approaching 0.5, equivalent to random chance, against contemporary deepfakes. The best commercial video detector in the study achieved roughly 78% accuracy. At operational false-positive rates of one in ten thousand, true positive rates remained insufficient for practical deployment.

The standards gap is beginning to close. CEN/TS 18099, published in November 2024, is the first European technical specification that formally defines Injection Attack Detection testing protocols, establishing Basic, Substantial, and High assessment levels. ISO/IEC 25456 is developing the international counterpart. These mark a recognition at the standards level that injection attacks require fundamentally different defenses and evaluation methodologies than presentation attacks. The FIDO Alliance has similarly launched a Face Verification certification that explicitly tests for deepfake and injection resilience as a distinct category, separate from existing PAD assessments.

‍

Regulators move from awareness to obligation

2024 and 2025 mark a shift in regulatory posture from awareness to formal obligation. Multiple jurisdictions have moved deepfake threats from risk guidance into hard requirements.

In November 2024, the U.S. Financial Crimes Enforcement Network issued a formal alert specifically addressing generative AI fraud in identity verification, the first time a U.S. federal financial regulator has done so explicitly. It formally recognizes that synthetic identity documents, photographs, and videos are being used to circumvent Customer Due Diligence controls. Financial institutions are directed to flag suspicious activity reports with a specific deepfake fraud tag, and the alert outlines nine operational red flags: third-party camera plugins appearing during live verification, reverse-image matches to AI-generated face galleries, and inconsistencies between document metadata and visual content, among others. Deepfake detection software is recommended as a specific mitigation measure.

In December 2025, FATF published its Horizon Scan on AI and Deepfakes, identifying three structural amplifiers of risk: growing institutional reliance on facial biometrics creates a larger attack surface; synthetic audio, video, and images defeat KYC and liveness verification in ways legacy systems cannot detect; and cross-border deepfake fraud exploits the inconsistency in national regulatory requirements. FATF recommends deploying real-time deepfake detection, implementing multi-factor onboarding protocols with human validation, and establishing AI risk ownership at board level.

NIST's finalized Special Publication 800-63-4 (August 2025) introduces a new section specifically on digital injection prevention and forged media detection, the first federal identity standard to formally require defenses against synthetic media threats in the identity proofing process. Concurrently, Singapore's Monetary Authority published an information paper in September 2025 citing documented cases of AI-generated facial images bypassing digital KYC in Southeast Asia, explicitly recommending endpoint-based deepfake detection and multi-layered biometric authentication.

The EU AI Act, in force since August 2024, classifies biometric identification systems as high-risk AI under Article 6, requiring comprehensive risk management, accuracy benchmarking, and human oversight. Article 50 mandates machine-readable disclosure of AI-generated content including deepfakes. DORA, applying from January 2025, treats biometric and identity verification providers as critical ICT third parties, requiring resilience testing and incident reporting.

The regulatory direction is coherent and consistent: deepfake detection is moving from a recommended capability to a required one. The question institutions face is not whether to address it, but how quickly.

‍

What actually works: rethinking the verification stack

The temptation, when confronted with data this alarming, is to reach for a single technological fix. Upgrade the liveness solution. Add a newer deepfake classifier. Tighten the document check. These responses are understandable, but they address symptoms of an architectural problem.

The underlying issue is that traditional KYC verification was built to answer one question: does this face match this document? Deepfake attacks have revealed that this is the wrong question. The right question is: can we trust the integrity of every element in this verification session, from the capture pipeline to the media content to the identity claim itself?

Effective defense against video KYC deepfake attacks requires operating at multiple independent layers:

• Device and environment integrity: Detecting the presence of virtual cameras, emulators, rooted devices, or unusual camera API behavior before any biometric analysis begins. If the capture environment cannot be trusted, content analysis is operating on attacker-controlled data.
• Deepfake media detection: Analysing the video stream itself for artifacts of synthetic generation: temporal inconsistencies, frequency-domain anomalies, physiological signal absence, and the spatial artifacts introduced by face-swap models. This operates independently of liveness and catches attacks that liveness cannot. Explainability matters here: a system that flags a session as potentially synthetic should be able to articulate why, for both audit trail purposes and for calibrating human review decisions.
• Camera fingerprint verification: Research published in 2025 demonstrates that photo response non-uniformity (PRNU), a unique noise signature produced by physical camera sensors, is absent from synthetic video. While deepfakes can bypass content-based liveness checks, they fail camera fingerprint validation. This represents an independent signal that is structurally harder for attackers to spoof.
• Multi-signal fusion: No single signal is definitive. Device attestation, injection detection, deepfake classification, behavioral analysis, and document forensics each add independent signal. Attacks that circumvent one layer typically leave detectable traces in another. The architecture goal is detection at the earliest possible point in the pipeline, not reliance on any single downstream check.
• Calibrated human oversight: Automated systems flag; trained human reviewers decide on ambiguous cases. FinCEN and FATF both recommend human validation as part of high-risk onboarding decisions. The goal is not to replace human judgment but to direct it to the cases where it adds genuine value.

The World Economic Forum's finding is instructive here: even moderate-quality attack tools, when combined with camera injection techniques, can deceive biometric systems that rely on any single verification signal. Multi-layer architectures significantly narrow the viable attack surface. No combination of injection, face-swap, and document forgery will simultaneously evade device integrity checks, deepfake content analysis, camera fingerprinting, and behavioral signals.

‍

The question that every verification flow should answer

Remote identity verification has always been a matter of trust. The institution trusts that the person on the other end of the session is who they claim to be. The customer trusts that the institution's process is secure enough to protect their identity from being misused.

Deepfakes attack both sides of that relationship simultaneously. They expose institutions to fraud, regulatory risk, and AML liability. They expose customers to having their biometric data harvested and weaponized. And they do so through a mechanism that the verification systems most institutions currently operate were not designed to detect.

The inflection point here is not technical. It is conceptual. Organizations that continue to treat deepfake detection as an add-on feature, layered optionally onto an existing KYC stack, will remain structurally exposed. The ones building verification around the question of media authenticity first, and then asking about identity, are positioning themselves correctly for what the threat landscape has already become.

Javelin Strategy and Research found that 73% of financial institutions report a rise in synthetic identity attempts, and that new-account fraud alone cost $6.2 billion in the United States in 2024. Group-IB documented criminal ecosystems where KYC bypass tools are sold with support channels, update cycles, and tiered pricing. FATF, NIST, FinCEN, and MAS Singapore all now formally require or explicitly recommend deepfake detection as part of compliant identity verification. These are not projections or worst-case scenarios. They are the current state of the market.

The video KYC session that opens an account today should be able to answer one question with confidence, beyond whether the face matches the document: was that video real? That question is harder to answer than most verification stacks currently acknowledge. But it is no longer optional