Learn more about how synthetic identities and AI-powered deepfakes enable fraud, sanctions evasion, and insider threats, and how enterprises can defend against them.
Analysis Summary
# Tool/Technique: Synthetic Identities & Deepfakes (Used in Context)
## Overview
Synthetic identities are digital personas crafted from a combination of real and fabricated data, used by adversaries to facilitate large-scale financial fraud, circumvent sanctions, commit illicit revenue generation, and enable insider threats by bypassing Know-Your-Customer (KYC) checks and biometric liveness detection. Generative AI (GenAI) and deepfake technology are the force multipliers enabling the creation of highly convincing fraudulent identities and media.
## Technical Details
- Type: Technique/Social Engineering Aided by GenAI/Tooling (Deepfakes)
- Platform: Digital Identity Verification Systems, Remote Access/Hiring Pipelines (Cross-Platform)
- Capabilities: Creation of synthetic unique identifiers, generation of convincing synthetic identity documents (passports, IDs), generation of biometric data (facial images, fingerprints, iris patterns), real-time animation for presentation/injection attacks.
- First Seen: The underlying fraud concepts are older, but the technique accelerated sharply in 2024/2025; deepfake injection attacks spiked 783% from 2023 to 2024.
## MITRE ATT&CK Mapping
This threat primarily leverages techniques for initial access and defense evasion:
- **TA0001 - Initial Access**
  - **T1550 - Use Alternate Authentication Material** (Relates to using fraudulent credentials/identities)
- **TA0005 - Defense Evasion**
  - **T1562 - Impair Defenses**
    - **T1562.006 - Impair Security Software** (If biometric/liveness checks are bypassed)
- **TA0002 - Execution**
  - **T1204 - User Execution** (If combined with social engineering)
*(Note: Direct mappings for the creation and use of synthetic identities are often covered under specialized fraud frameworks, but T1550 is the closest fit for accessing systems using the synthetic credentials.)*
## Functionality
### Core Capabilities
- **Identity Synthesis:** Combining stolen PII (SSNs, driver's license data) with fabricated details (names, DOBs) to build a legitimate-looking history over time.
- **Fraudulent Credentialing:** Opening bank accounts and establishing credit histories using the synthetic profile to obtain large loans (Synthetic Identity Fraud - SIF).
- **Insider Threat Vector:** Gaining initial legitimate digital credentials/access by posing as remote employees or contractors.
### Advanced Features
- **Deepfake Generation:** Using GenAI tools to create highly convincing synthetic images, documents, and biometric data.
- **Injection Attacks:** Feeding synthetic media directly into the verification pipeline (bypassing standard screen replay detection) to animate synthetic identities in real time, successfully breaching KYC safeguards.
- **Laptop Farms:** Utilizing clusters of devices run by accomplices to mimic local employees and smoothly integrate the malicious activity into enterprise networks post-infiltration.
- **Profile Fabrication:** Creating fabricated profiles across professional platforms (LinkedIn, GitHub) to support the synthetic identity required for remote employment scams.
## Indicators of Compromise
The article focuses on *techniques* rather than specific malware binaries; thus, IoCs relate to the operational methodology:
- File Hashes: [Not specified; tools are AI/software based, not traditional malware]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: [Not specified, focusing on the infiltration vector rather than C2]
- Behavioral Indicators:
  - Successful authentication via remote access channels using newly created or highly suspicious digital identities.
  - Bypassing liveness detection during verification processes (indicates successful injection).
  - Anomalous activity originating from accounts linked to remote/contractor roles that exhibit excessive data access or exfiltration behavior (consistent with North Korean IT employment scams).
## Associated Threat Actors
- **PurpleDelta (Insikt Group Tracking):** North Korean state-sponsored actors conducting IT employment scams to generate illicit revenue and potentially conduct espionage.
- **Various Financial Criminals:** Actors exploiting SIF for large-scale financial fraud.
## Detection Methods
- **Signature-based detection:** Not directly applicable unless the *output* of the GenAI (e.g., known fake document variants) has known hashes/signatures.
- **Behavioral detection:** Continuous validation of every identity, interaction, and transaction. Monitoring for discrepancies between perceived liveness and actual user behavior. Detailed behavioral analysis of remote employee accounts exhibiting unusual access patterns.
- **YARA rules:** [Not mentioned]
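The behavioral indicators above (remote authentication by newly created identities, and remote/contractor accounts with excessive data access) translate into simple detection logic. The following is an added example written for this summary, not code from the article or any named vendor: it runs two rules over constructed identity and access records. The log field names, the seven-day "new identity" window, and the 5x peer-median threshold are all assumptions a team would tune to its own environment.

```python
"""Behavioral detection for synthetic-identity / remote-contractor abuse.

Added example, not taken from the summarized article. The record format,
field names and thresholds are assumptions; the sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

NEW_IDENTITY_DAYS = 7      # identity younger than this is "newly created" (assumed threshold)
EXCESS_FACTOR = 5.0        # bytes read above factor x peer median is "excessive" (assumed)
REMOTE_ROLES = {"contractor", "remote_employee"}

# Constructed identity directory: role and creation time per account.
IDENTITIES = {
    "alice": {"role": "employee",   "created": "2024-01-10T09:00:00"},
    "bob":   {"role": "contractor", "created": "2024-03-01T08:00:00"},
    "carol": {"role": "contractor", "created": "2024-05-28T14:00:00"},  # created ~2 days ago
}

# Constructed event stream: remote logins and file-access volumes for one day.
EVENTS = [
    {"ts": "2024-05-30T09:10:00", "user": "alice", "event": "remote_login", "bytes": 0},
    {"ts": "2024-05-30T09:15:00", "user": "alice", "event": "file_access",  "bytes": 2_000_000},
    {"ts": "2024-05-30T08:50:00", "user": "bob",   "event": "remote_login", "bytes": 0},
    {"ts": "2024-05-30T10:00:00", "user": "bob",   "event": "file_access",  "bytes": 3_000_000},
    {"ts": "2024-05-30T02:30:00", "user": "carol", "event": "remote_login", "bytes": 0},
    {"ts": "2024-05-30T02:45:00", "user": "carol", "event": "file_access",  "bytes": 40_000_000},
    {"ts": "2024-05-30T03:10:00", "user": "carol", "event": "file_access",  "bytes": 55_000_000},
]


def identity_age_days(user, at, identities):
    """Age of the identity in days at the time of the event."""
    created = datetime.fromisoformat(identities[user]["created"])
    return (at - created).total_seconds() / 86400


def flag_new_identity_remote_logins(events, identities=IDENTITIES):
    """Rule 1: remote authentication by an identity younger than NEW_IDENTITY_DAYS."""
    findings = []
    for e in events:
        if e["event"] != "remote_login":
            continue
        age = identity_age_days(e["user"], datetime.fromisoformat(e["ts"]), identities)
        if age < NEW_IDENTITY_DAYS:
            findings.append({"rule": "new_identity_remote_auth",
                             "user": e["user"], "age_days": round(age, 1)})
    return findings


def flag_excessive_access(events, identities=IDENTITIES):
    """Rule 2: remote/contractor accounts reading far more data than their peers.

    The baseline is the median daily volume of every other account, so one
    noisy account cannot hide by inflating the average.
    """
    volume = defaultdict(int)
    for e in events:
        if e["event"] == "file_access":
            volume[e["user"]] += e["bytes"]
    findings = []
    for user, total in volume.items():
        if identities[user]["role"] not in REMOTE_ROLES:
            continue
        peers = [v for u, v in volume.items() if u != user]
        if not peers:
            continue
        baseline = median(peers)
        if baseline > 0 and total > EXCESS_FACTOR * baseline:
            findings.append({"rule": "excessive_data_access", "user": user,
                             "bytes": total, "peer_median": baseline})
    return findings


def analyze(events=EVENTS, identities=IDENTITIES):
    """Run both rules and return the combined list of findings."""
    return (flag_new_identity_remote_logins(events, identities)
            + flag_excessive_access(events, identities))


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

On the constructed data only `carol` is flagged, by both rules: a two-day-old contractor identity authenticating remotely in the early hours and then reading roughly 95 MB against a peer median of 2.5 MB. Either rule alone is noisy in practice (legitimate new hires log in, legitimate contractors sometimes pull large data sets), which is why the article's emphasis on continuous validation matters: the two signals together, plus a liveness-bypass event from the verification pipeline, are what should drive an analyst to re-verify the identity rather than any single threshold.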
## Mitigation Strategies
- **Rigor in Identity Verification:** Adopting more rigorous identity verification processes than standard KYC/biometric checks.
- **Continuous Validation:** Ensuring **every identity, interaction, and transaction is continuously validated**.
- **Strengthening Remote Security:** Enhanced vetting for remote employees and contractors.
- **Deepfake Countermeasures:** Implementation of advanced presentation attack detection specifically designed to identify and defend against **injection attacks**.
## Related Tools/Techniques
- **Deepfake Injection Tools:** Tools capable of feeding synthetic media directly into video/biometric pipelines.
- **Synthetic Identity Fraud (SIF) Frameworks:** The methodologies used to chronologically build up the synthetic credit/identity history.
- **Presentation Attack Detection Systems:** Existing systems have failed to detect injection attacks, implying a need for updated solutions that handle deepfake injection specifically.