A dark web operation in LATAM is using genuine identity documents and biometrics to bypass verification systems, highlighting the urgent need for advanced identity fraud defences.
The dark web has once again proven to be a hotbed of criminal innovation, with iProov, the world leader in biometric identity verification, uncovering a large-scale operation targeting Know Your Customer (KYC) processes. The discovery, detailed in iProov’s Quarterly Threat Intelligence News Update for Q4 2024, reveals how identity verification systems are being systematically bypassed using genuine identity documents paired with matching biometric data.
What makes this operation particularly alarming is its sophistication and the apparent willingness of individuals to sell their identity documents and facial images in exchange for financial compensation. According to iProov, this practice threatens to undermine the security of biometric verification systems globally.
Dark Web Group Targets LATAM and Beyond
The operation was uncovered by iProov’s Biometric Threat Intelligence service, which uses threat-hunting and red team testing within its Security Operations Center (iSOC). The dark web group in question, based in the LATAM region, has amassed an extensive collection of real identity documents and corresponding facial images. These “identity packages” are specifically tailored to defeat KYC verification processes, which are critical for financial institutions, e-commerce platforms, and other organisations reliant on identity authentication.
“This isn’t just a case of stolen identities—it’s individuals willingly compromising their own identity security for short-term financial gain,” said Andrew Newell, Chief Scientific Officer at iProov. “When genuine documents and biometric data fall into the wrong hands, it becomes exceptionally difficult to detect fraud using traditional methods.”
The iSOC has notified law enforcement in the LATAM region about these findings. Similar patterns have been observed in Eastern Europe, though connections between the two groups remain unconfirmed.
Why This Threat is Different
This operation poses a unique challenge because it uses legitimate credentials rather than forgeries. Traditional document verification and basic facial matching systems are not equipped to handle such cases, making this method particularly dangerous. iProov identified three distinct levels of attack sophistication:
- Basic Attacks: Using printed photos or manipulated static images to bypass rudimentary systems.
- Mid-Tier Attacks: Deploying real-time face-swapping or deepfake technology combined with genuine ID documents.
- Advanced Attacks: Leveraging AI-driven synthetic faces and 3D modeling to exploit system vulnerabilities.
The advanced nature of these attacks highlights the limitations of systems that rely solely on static verification techniques or basic liveness detection.
What should organisations do?
To counter these threats, iProov advocates for a multi-layered approach to identity verification. This includes:
- Matching the Right Person: Verifying the connection between the presented identity and official documents.
- Confirming a Real Person: Using imagery and metadata analysis to identify manipulated media.
- Real-Time Verification: Employing challenge-response mechanisms to ensure the interaction is live and authentic.
- Managed Detection and Response: Continuously monitoring systems for emerging threats, conducting incident response, and proactively building defences.
This comprehensive strategy significantly raises the bar for attackers, making it nearly impossible to simultaneously defeat all layers of defence while maintaining natural human characteristics.



