KYC bypass tools sold on Telegram to defeat biometric checks

Illegal hacking services designed to bypass Know Your Customer (KYC) facial biometric scans are being sold on Telegram channels to scammers looking to launder money.

The channels offer stolen biometric data as well as a variety of software for bypassing KYCs, including virtual cameras (VCam) that can be used during liveness checks to insert a deepfake or an image of another person. Sellers promise that the tools can get around compliance checks of well-known financial institutions, including crypto exchange Binance, Spain’s second-largest bank BBVA and UK-based Revolut.​

The findings were published by MIT Technology Review, which examined 22 public Telegram channels and groups in Chinese, Vietnamese and English.​

Among the services on offer are jailbreaking physical phones, which allows scammers to use a virtual camera on the phone, and hacking a financial institution’s app with code known as the “hooking framework,” which triggers the VCam to open.

“Increasingly, hackers compromise both the phone itself and the code of the financial institutions’ apps before feeding the virtual camera a mix of stolen biometrics and deepfakes,” says Sergiy Yakymchuk, CEO of cybersecurity company Talsec.​

Success rates, however, are hard to gauge, as organizations may remain unaware of KYC bypasses or fail to report them until later.​

Binance, BBVA, and Revolut say they are aware of KYC bypasses, while Telegram told MIT that it has removed the channels in question. Many more, however, are likely to go unnoticed.

The rise of hacking tools for sale is driven by the expansion of Asian scam syndicates across Africa and the Pacific. Many of the syndicates are based in Cambodia and Myanmar, where government oversight is limited and legal frameworks are underdeveloped.

Fraudsters often obtain money through “pig-butchering scams,” a sophisticated form of online investment fraud, and then pass it on to money-laundering networks, known as “water houses.” Money launderers then gain access to bank accounts by circumventing KYC controls, turning them into money mules and redistributing illicit proceeds. Finally, the money is channeled into digital assets, particularly the stablecoin Tether, where it can lose trace.

In 2025, around $17 billion was stolen in crypto scams and fraud, according to blockchain analysis firm Chainalysis.

In Vietnam and Thailand, government authorities have been attempting to stamp out mule accounts by introducing tougher identity verification and anti-fraud measures.

As of 2024, Vietnamese banks must use biometric authentication for money transfers exceeding 10 million Vietnamese dongs (US$380). Vietnam also recently introduced facial scans for mobile subscriptions and mobile device registrations.

Thailand has also imposed heightened KYC requirements for banks and mobile networks. The latter are intended to combat identity fraud, “ghost SIMs,” and SIM box systems, which are often exploited by fraud rings.

Article Topics

AI fraud  |  biometric liveness detection  |  biometrics  |  financial crime  |  KYC  |  social media