Dozens of Telegram channels reviewed by WIRED include job listings for “AI face models.” The (mostly) women who land these gigs are likely being used to dupe victims out of their money.
Analysis Summary
# Tool/Technique: Real-Time AI Face-Swapping (Deepfake Video Calls)
## Overview
This technique involves the use of specialized software and human "models" to perform real-time deepfake video calls. Criminal organizations in Southeast Asian scam compounds use these tools to bypass the skepticism of victims during "pig-butchering" or romance scams. By mapping a model's live movements onto a curated "persona" (often an attractive individual or celebrity), attackers build trust to facilitate financial fraud.
## Technical Details
- **Type**: Technique / Attack Tool (Social Engineering & Deepfake Framework)
- **Platform**: Multi-platform (Social media, Video calling apps, Telegram)
- **Capabilities**: Face-swapping, voice modulation, filter application, real-time animation of static images.
- **First Seen**: Broad adoption in Southeast Asian scam hubs noted increasingly circa 2023–2024.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566 - Phishing]: Using social media or messaging to establish contact.
- **[TA0043 - Reconnaissance]**
  - [T1589 - Gather Victim Identity Information]: Using romance-scam tactics to profile victims.
- **[TA0011 - Command and Control]**
  - [T1102 - Web Service]: Communicating through legitimate messaging apps (Telegram, WhatsApp).
- **[TA0042 - Resource Development]**
  - [T1585 - Establish Accounts]: Creating fake personas and social media profiles.
  - [T1588.002 - Obtain Capabilities: Tool]: Procuring AI deepfake software.
## Functionality
### Core Capabilities
- **Real-Time Synthesis**: Mapping a live actor’s facial expressions and lip movements onto a pre-selected target face during a live video call.
- **Media Generation**: Creating audio and video messages that match the established fake persona.
- **Multi-Language Support**: Scammers hire models with diverse linguistic skills (English, Chinese, Russian, Turkish) to target global populations.
### Advanced Features
- **High-Volume Execution**: Operations are industrialized, with "AI rooms" dedicated to handling 100–150 video calls per day per model.
- **Persona Persistence**: Applying the same AI filter across different models so the victim always sees the same face, regardless of which human worker is on shift.
## Indicators of Compromise
- **File Hashes**: N/A (the software is typically proprietary, or a modified open-source build kept inside the compounds).
- **File Names**: N/A.
- **Network Indicators**:
  - `telegram[.]org` (primary recruitment and C2 coordination channel).
  - Fraudulent crypto-investment or trading-platform domains (illustrative placeholder, defanged: `scam-investment-site[.]xyz`).
- **Behavioral Indicators**:
  - Unnatural facial glitches during video calls (e.g., blurring around the jawline or eyes).
  - Perfect lighting on the face that does not match the background environment.
  - Sudden drops in video quality when the subject moves a hand in front of their face.
## Associated Threat Actors
- **Sihanoukville-based Scam Syndicates**: Transnational organized crime groups operating in Cambodian scam compounds.
- **"Yahoo Boys"**: West African fraud groups (noted for similar real-time deepfake adoption).
## Detection Methods
- **Behavioral Detection**: Monitoring for "deepfake artifacts" such as inconsistent blinking patterns, unnatural skin textures, or glitches during rapid movement.
- **Network Analytics**: Identifying traffic patterns common to scam compounds (a high volume of Telegram/WhatsApp traffic originating from specific regional IP ranges).
- **Authentication**: Implementing "liveness" checks that require the user to perform random actions (e.g., turning their head to a specific angle or holding up a specific object).
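One of the behavioral checks listed above, blink-rate analysis, as an added example that is not part of the original report: it computes the eye aspect ratio (EAR) per frame from six eye landmarks, counts closures long enough to be blinks, and flags clips whose blink rate falls outside an assumed physiological range. The landmark ordering, thresholds and clips are constructed assumptions for this example.

```python
"""Blink-rate liveness heuristic based on the eye aspect ratio (EAR).

Assumptions (not from the report): each eye is 6 (x, y) landmarks in the
common 68-point ordering p1..p6 (p1/p4 corners, p2/p3 upper lid, p5/p6 lower
lid), and the thresholds below are illustrative, not tuned values.
"""
import math

EAR_CLOSED = 0.21                # EAR below this counts as a closed eye
MIN_CONSEC_FRAMES = 2            # closure must persist this long to be a blink
NORMAL_BLINKS_PER_MIN = (8, 30)  # assumed plausible range for a live caller


def eye_aspect_ratio(eye):
    """EAR = (|p2-p6| + |p3-p5|) / (2 * |p1-p4|); approaches 0 as the eye closes."""
    p1, p2, p3, p4, p5, p6 = eye
    return (math.dist(p2, p6) + math.dist(p3, p5)) / (2.0 * math.dist(p1, p4))


def count_blinks(ear_series):
    """Count closures lasting at least MIN_CONSEC_FRAMES in a per-frame EAR series."""
    blinks, run = 0, 0
    for ear in ear_series:
        if ear < EAR_CLOSED:
            run += 1
            continue
        if run >= MIN_CONSEC_FRAMES:
            blinks += 1
        run = 0
    return blinks + (1 if run >= MIN_CONSEC_FRAMES else 0)


def assess_blink_rate(ear_series, fps):
    """Return (blinks_per_minute, verdict) for a clip sampled at `fps` frames/s."""
    minutes = len(ear_series) / fps / 60.0
    rate = count_blinks(ear_series) / minutes
    lo, hi = NORMAL_BLINKS_PER_MIN
    return rate, ("plausible" if lo <= rate <= hi else "suspicious")


def make_eye(lid_gap):
    """Constructed landmarks: corners 30 px apart, lids `lid_gap` px apart (EAR = lid_gap/30)."""
    return [(0, 0), (10, -lid_gap / 2), (20, -lid_gap / 2), (30, 0),
            (20, lid_gap / 2), (10, lid_gap / 2)]


def constructed_clip(blink_starts, total_frames=300, closed_len=3):
    """Per-frame EAR for a constructed clip: eyes open except short closures at blink_starts."""
    return [eye_aspect_ratio(make_eye(3 if any(s <= i < s + closed_len for s in blink_starts) else 9))
            for i in range(total_frames)]


if __name__ == "__main__":
    # Constructed 10 s clips at 30 fps: a live caller blinking three times vs. a feed that never blinks.
    print("live:", assess_blink_rate(constructed_clip([40, 140, 240]), fps=30))
    print("static feed:", assess_blink_rate(constructed_clip([]), fps=30))
```

A single-frame EAR dip (compression flicker or a landmark jitter) is ignored by `MIN_CONSEC_FRAMES`, so it does not inflate the blink count.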
## Mitigation Strategies
- **User Awareness**: Training individuals to recognize the signs of "pig-butchering" and deepfake artifacts.
- **Zero Trust Messaging**: Discouraging the transition from public apps to private encrypted messengers for "investment" advice.
- **Platform Filtering**: Social media platforms utilizing AI to detect and flag profiles using known AI-generated or stolen celebrity imagery.
## Related Tools/Techniques
- **Pig-Butchering (Sha Zhu Pan)**: The overarching social engineering framework.
- **DeepFaceLive**: An open-source tool often adapted for real-time face-swapping.
- **Voice Cloning (Vishing)**: Complementary technique using AI to mimic specific voices.