Researchers at iProov have discovered a dark web group compiling identity documents and biometric data to bypass KYC checks
Analysis Summary
# Threat Actor: Unnamed Underground Group (Biometric Data Farming Operation)
## Attribution & Identity
The threat actor is an **unnamed underground group** found operating a large-scale identity farming operation on the dark web. The source provides no nation-state or established-group attribution.
## Activity Summary
The group is actively compiling a large collection of **identity documents and corresponding facial images** (typically paired with selfies of the document holder) with the primary goal of **defeating Know Your Customer (KYC) verification checks.** A key finding is the suspicion that the data subjects may have **willingly handed over their biometric data and documents in exchange for payment.** This complicates online identity verification defenses: the documents and faces are genuine, so controls built to detect forgeries have nothing to detect.
## Tactics, Techniques & Procedures
- **Data Harvesting:** Collecting identity documents together with the associated facial images/selfies of the document holder.
- **Identity Package Assembly (Verification Bypass):** Linking document and face into complete identity profiles intended to pass automated or manual KYC verification.
- **Monetization/Data Sale:** Trading high-quality, linked identity packages on the dark web.
- **TTP Note:** The core technique is misuse rather than forgery: a genuine document and a genuine, matching selfie are submitted by someone other than the data subject to open accounts, so document-authenticity and face-match checks both pass.
- *Specific MITRE ATT&CK IDs were not provided in the context.*
## Targeting
- **Sectors:** Organizations that rely on **Know Your Customer (KYC) verification checks** and selfie-based online identity verification (e.g., financial services, online account providers).
- **Geography:** Not explicitly stated; the operation implicitly targets any entity worldwide that uses digital identity verification.
- **Victims:** The primary victims are the **customer-facing businesses** whose verification systems are bypassed, and potentially the **data subjects** themselves if coercion or deceptive compensation was involved. No specific victim organizations are named. The source also mentions a ban on Serco Leisure's use of facial recognition; that is context on biometrics regulation, not a victim of this operation.
## Tools & Infrastructure
- **Malware Families Used:** Not specified. The operation centers on data aggregation and resale rather than exploitation via malware.
- **Infrastructure (C2, domains, IPs):** The operation is described only as existing on the **dark web**. No C2 servers, domains or IP addresses were provided.
## Implications
This operation is a mature form of identity fraud built on genuine rather than synthetic data: each package pairs an authentic document with the real face that belongs to it. That raises the threat to systems that rely on passive document-plus-selfie matching, and it increases the burden on businesses, which must now distinguish genuine data being misused by a third party from entirely forged identities. The willingness of some data subjects to participate creates a persistent supply of high-fidelity identity packages that forgery-detection controls will not catch.
## Mitigations
- **Improve Verification Checks:** Organizations must extend KYC beyond document authenticity and document-to-selfie matching, since both succeed against a genuine, traded package.
- **Liveness Detection:** Implement liveness detection that confirms the person presenting the face is physically present and responding in real time, so the check cannot be satisfied by replaying the stored selfie or a deepfake generated from it. Caveat: if the paid data subject performs the verification themselves on a fraudster's behalf, liveness passes; it must be combined with the signals below.
- **Multi-Factor Verification:** Do not rely solely on document and selfie matching; add behavioral and contextual signals (the same document number or selfie appearing across multiple applications, many applications from one device or network, mismatches between declared and observed location) and out-of-band verification such as confirmation through an independently verified channel.
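As an added example of the third mitigation, and not code from iProov or any KYC vendor, the script below runs reuse and liveness checks over a constructed batch of onboarding applications. It assumes a pipeline that records, per application, the document number, a perceptual hash of the submitted selfie, a device fingerprint and whether a server-issued liveness challenge was passed; the record layout, field names and sample data are all assumptions for illustration. The point it shows that the text alone does not: once a genuine identity package is traded, the same document and face turn up across unrelated applications, and that reuse is detectable even though every individual document check and face match passes.

```python
"""Onboarding risk checks that go beyond document+selfie matching.

Added example (not iProov's or any vendor's code). Assumes a KYC pipeline
that stores, per application, the document number, a perceptual hash of
the selfie, a device fingerprint and the result of an active liveness
challenge. All records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    app_id: str
    doc_number: str        # ID/passport number read from the document (assumed field)
    selfie_hash: str       # perceptual hash of the submitted selfie (assumed field)
    device_id: str         # device fingerprint (assumed field)
    liveness_passed: bool  # did the user pass a server-issued liveness challenge?


# Constructed sample data: one genuine identity package (document P123456 with
# its matching selfie) reused by three applicants, as a traded package would be,
# plus two unrelated applications that share a device.
SAMPLE = [
    Application("A1", "P123456", "phash-aaa", "dev-01", True),
    Application("A2", "P123456", "phash-aaa", "dev-02", False),
    Application("A3", "P123456", "phash-aaa", "dev-03", False),
    Application("A4", "P777777", "phash-bbb", "dev-04", True),
    Application("A5", "P888888", "phash-ccc", "dev-02", True),
]


def reuse_index(apps, field):
    """Map each distinct value of `field` to the set of application IDs using it."""
    index = defaultdict(set)
    for a in apps:
        index[getattr(a, field)].add(a.app_id)
    return index


def score_applications(apps, reuse_threshold=2):
    """Return {app_id: [reasons]} for applications that need manual review.

    Reasons, in the order they are checked:
      doc_reuse     same document number on >= reuse_threshold applications
      selfie_reuse  same selfie hash on >= reuse_threshold applications
      device_reuse  same device fingerprint on >= reuse_threshold applications
      no_liveness   selfie matched the document but no liveness challenge passed
    """
    by_doc = reuse_index(apps, "doc_number")
    by_selfie = reuse_index(apps, "selfie_hash")
    by_device = reuse_index(apps, "device_id")
    flagged = {}
    for a in apps:
        reasons = []
        if len(by_doc[a.doc_number]) >= reuse_threshold:
            reasons.append("doc_reuse")
        if len(by_selfie[a.selfie_hash]) >= reuse_threshold:
            reasons.append("selfie_reuse")
        if len(by_device[a.device_id]) >= reuse_threshold:
            reasons.append("device_reuse")
        if not a.liveness_passed:
            reasons.append("no_liveness")
        if reasons:
            flagged[a.app_id] = reasons
    return flagged


if __name__ == "__main__":
    for app_id, reasons in score_applications(SAMPLE).items():
        print(app_id, ", ".join(reasons))
```

Note that the first application using the package (A1) is flagged alongside the later ones: when the page's suspicion holds and the data subject sold their own document and selfie, the earliest account tied to that package is also suspect, so reuse detection should trigger review of every account sharing the identifier rather than only the newest. In a production pipeline the reuse indexes would be queried against the full historical store, not a single batch, and the perceptual-hash comparison would use a distance threshold rather than exact equality to survive re-encoding of the selfie.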