Dark Web cybercriminals are buying up ID to bypass KYC methods


  • Researchers from iProov found a group buying up ID data from consumers
  • The data is being used to bypass KYC processes
  • Companies will need to go for a multi-layered approach, iProov says

Hackers have found an easy and simple way to grab people’s sensitive information, and then use it to bypass Know Your Customer (KYC) processes - buying the information directly from the victims.

New research from identity verification and fraud prevention firm iProov uncovered a “sophisticated approach to compromising identity verification systems” through a “systematic collection of genuine identity documents and images.”

iProov said it uncovered a dark web group engaged in mass collection of identity documents and corresponding facial images, which actually compensates the victims for the information. It was not disclosed how much the group pays for one set of data.

Multi-layered approach

The group operates in the Latin American region, but the researchers said they observed similar operational patterns in Eastern Europe as well, and shared their findings with the local authorities.

Commenting on the findings, Andrew Newell, Chief Scientific Officer at iProov, warned against selling personally identifiable information to anyone.

“When people sell their identity documents and biometric data, they're not just risking their own financial security - they're providing criminals with complete, genuine identity packages that can be used for sophisticated impersonation fraud,” he noted. “These identities are particularly dangerous because they include both real documents and matching biometric data, making them extremely difficult to detect through traditional verification methods.”

iProov hinted that, in the near future, organizations will have to implement a multi-layered verification approach, since current identity verification systems could be easily spoofed. This approach would require people to first confirm that they’re human, then that they’re the right person, and it all should be done in real-time.

“This multi-layered approach makes it exponentially more difficult for attackers to successfully spoof identity verification systems, regardless of their level of sophistication,” iProov concluded.

“Even advanced attacks struggle to simultaneously defeat all these security measures while maintaining the natural characteristics of genuine human interaction.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.