Deepfakes and Synthetic Faces: Creating the Perfect KYC Fake

Good Carder


Introduction: When a Digital Shadow Takes Form

In 2025, deepfake-related fraud and carding cost financial institutions $410 million, and the overall number of attacks has increased by 3000% over the past 12 months. Cybercriminals no longer steal identities — they create them. From scratch, leaving no trace and raising no alarms.

In this article, I will analyze the full technological cycle of creating a synthetic identity capable of passing modern KYC systems: from face generation and document forgery to deepfake video injection in real time. All information is provided for research purposes only.

Part 1. Face Generation: From StyleGAN to Diffusion Models

1.1. StyleGAN – the foundation of synthetic faces

StyleGAN (NVIDIA's Generative Adversarial Network) is the technology behind most modern KYC attacks. It generates photorealistic faces of people who never existed. In a typical attack scenario, carders first generate a synthetic face, embed it into a fake ID template (available on darknet marketplaces), and then run liveness checks through real-time face replacement tools.

Researchers have even created "master key faces" — images optimized using evolutionary strategies that can bypass several different facial recognition systems simultaneously. These faces appear older than the originals and lack glasses or facial hair — all of these features are selected to minimize detection.

The key danger of StyleGAN is that the synthetic images are not manipulated real photographs. Traditional detection systems are trained to detect editing artifacts. But an image generated entirely by a neural network contains no such artifacts, making it virtually indistinguishable from the real thing.

1.2. Diffusion models: Midjourney, DALL-E 3, Stable Diffusion

Facial generation is just the first step. A carder needs not just a face but a full portrait in context that will look natural on documents. Midjourney, DALL-E 3, and Stable Diffusion generate not only close-ups of faces but also photographs of the "person" in various situations: driving a car, on vacation, in front of landmarks. These images can be used to create a convincing digital trace of a synthetic personality.

Diffusion models are also used to improve the quality of face-swapping: models released since 2024 produce output realistic enough to defeat detectors trained on older autoencoder deepfake artifacts.

1.3. The Final Package: Synthetic Identity

A fully-fledged synthetic identity is a person who never existed. They have an AI-generated face, fake documents with that face, and often a fabricated history: a Social Security number (often taken from deceased individuals or children), a fictitious credit history, addresses, and even social media activity. Such an identity doesn't raise alarms in KYC systems because there are no complaints against it — it simply doesn't exist in databases. In the US alone, synthetic ID fraud cost lenders $3.1 billion in 2023, with annual growth of over 20%.

Part 2. Creating Video Selfies: DeepFaceLab, InsightFace, ROPE

The generated face is only a static image. To pass KYC, you need a dynamic video selfie with blinking, head movements, and numbers read aloud.

2.1. DeepFaceLab – the deepfake industry standard

DeepFaceLab is the most popular open-source library for creating deepfakes, used not only by researchers but also by cybercriminals. It allows you to transfer one person's face onto another's body in high resolution and photo-quality.

In the context of KYC, a carder can replace a face in a video of a real person (obtained from social media) with a synthetic face from Part 1. The result is a perfect video, in which the "person" meets all verification requirements, even though they never existed. When paired with Runway AI, carders can scale attacks on synthetic identities and simulate convincing KYC video sessions on an industrial scale. DeepFaceLab also requires a high-performance GPU and can be used in conjunction with Rope, another high-precision face replacement tool that uses InsightFace models.

2.2. InsightFace and ROPE — one-shot face replacement

InsightFace provides the inswapper_128.onnx model, which allows for instant face swapping in an image or video, without extensive training. This is critical for carders who don't have the time to spend hours training a model.

ROPE (Roop) is an open-source desktop application based on InsightFace that performs face swapping in real time on standard hardware. It can process video at 25-30 frames per second on a single average GPU, making it suitable for live video calls and KYC sessions.

Implementation details: inswapper_128.onnx uses a one-shot approach — a single reference image is sufficient for face swapping, eliminating the need for parallel training.

2.3. DeepFaceLive — real-time deepfake for webcams

While DeepFaceLab and ROPE are used to create pre-recorded videos, DeepFaceLive enables real-time face swapping during live verification. The system superimposes a synthetic face onto the attacker's face, synchronizing facial expressions, blinks, and head movements.

The carder can:
  • Match the synthetic face with the presented ID.
  • Respond naturally to liveness requests (turn your head, smile).
  • Complete full verification in one session.

Part 3. Bypassing Liveness Detection: Webcam Injection

The easiest way to bypass liveness detection is not to try to fool the camera with expensive 3D equipment, but to replace the video stream source itself at the operating system level.

3.1. OBS Virtual Cam - the most accessible method

OBS Studio with the Virtual Camera module creates a virtual video capture device in the system. An attacker only needs to:
  1. Run pre-recorded deepfake video in OBS.
  2. Set OBS Virtual Camera as the default system camera (via browser or app settings).
  3. Run the KYC process - the system will "see" a deepfake video instead of a real camera.

The key advantage: the physical camera sensor is not involved in the process. The anti-fraud system is left to rely solely on pixel analysis, which is a significantly harder problem. Using a virtual camera eliminates recapture artifacts (monitor → camera): no glare, no color distortion, no moiré effect — the video looks as if it was captured directly from the camera.

In the MITRE ATLAS/iProov test environment, this technique allowed the red team to successfully complete KYC verification under a false identity.

3.2. Advanced Techniques: v4l2loopback and API Injection

For Linux systems, the v4l2loopback tool creates virtual Video4Linux2 devices that are indistinguishable from real ones for any application using the standard V4L2 API (Zoom, Skype, Google Meet, Discord).

For mobile devices, there are apps like Virtual Camera: Live Assist for Android that replace the standard camera feed with an incoming video stream. This tool runs on standard, non-rooted devices, reducing the likelihood of detection by basic system integrity checks.

3.3. Emulators and the Attack Chain

An attacker can run a KYC app in an Android emulator (BlueStacks, Nox) and then use OBS Virtual Cam to transmit pre-recorded deepfake video to the emulator as a "camera feed." This multi-layered technique allows for bypassing both liveness checks and device fingerprinting, especially if the emulator is configured correctly (IMEI and Android ID spoofing).

In 2025, the MITRE ATLAS research group, with the participation of iProov, officially confirmed this attack vector by adding deepfake KYC threats to the ATLAS knowledge base, which red teams use for threat modeling against AI systems.

Part 4. Real-World Examples of Attacks on Exchanges and Banks

4.1. Binance: A Direct Target of Deepfake Attacks

Binance actively monitors and prevents attacks where carders use AI to replicate users' faces in an attempt to bypass facial recognition systems and gain unauthorized access to accounts. Carders collect data from social media, leaked IDs, and even random videos.

The attack can involve not only a technological but also a social component: carders call the victim, posing as Binance support, and request "additional verification," during which they collect biometric data or persuade them to install malware.

4.2. Revolut, Kraken, OKX, and other platforms

Platforms that rely solely on photo ID and selfies (Revolut, Kraken, OKX, Bybit) are vulnerable to attacks via generated deepfake images. Analysts demonstrated how a passport downloaded from Pinterest successfully passed KYC on some exchanges.

In December 2025, iProov published research suggesting that readily available face-swapping tools can be used for injection attacks on mobile KYC processes in financial and cryptocurrency apps.

4.3. FTX and the $5.6 million theft via deepfake

In one of the most high-profile cases, carders used AI facial modification tools to impersonate former clients of the collapsed FTX exchange during video calls. As a result, they received $5.6 million from two companies handling creditor claims.

4.4. Scale of the threat: statistics and forecasts

50% of financial frauds in 2025 will involve AI and deepfakes. The number of deepfakes worldwide has increased by 3000% over the past year, and total losses from deepfake fraud alone since 2019 have amounted to almost 900 million. The number of deepfake attacks on Binance has increased by 30900 million.

Part 5: What banks do and what you can do​

5.1. Passive liveness detection

Conventional systems that simply require blinking or turning your head no longer work. Carders easily reproduce these movements using real-time deepfake tools.

Advanced systems (FaceTec, iProov) use 3D biometrics and depth analysis, multimodal verification, and high-frequency artifact analysis. FaceTec successfully stopped all spoofing and bypass attempts in an independent test in 2025.

5.2. Multi-channel verification

Banks are implementing a combination of knowledge, devices, and biometrics, including verification through trusted devices (linked to an account) and second-channel notifications linked to previous transactions.

Conclusion: The Battle of AI vs. AI

Deepfake attacks on KYC are no longer a lab experiment or a theoretical threat. They're a fully-fledged industry worth billions of dollars, accessible to any carder with a $20 budget and 30 minutes of free time. The pandemic has forever changed the approach to verification, making remote identification the standard. Now, this standard is under attack.

Three key takeaways:
  1. You can create a complete synthetic identity for $20 in 30 minutes. StyleGAN generates a face, darknet templates create an ID, and DeepFaceLive replaces the face in real time.
  2. Anyone with public photos online is already a potential target. Modern face-swapping tools require only a few images to create a convincing deepfake model.
  3. The battle is shifting to real-time AI algorithms. Simple liveness checks are no longer sufficient. The future lies with 3D biometrics, multimodal analysis, and hardware keys.

We stand on the threshold of a new era in digital identity. The same technology that creates indistinguishable digital doubles is learning to recognize them. The arms race is just beginning. Staying informed and critically evaluating any remote verification is the only way to avoid becoming a victim in this algorithmic war.

A quick one-line reminder:
"A public photo on social media is already half a face. StyleGAN can generate the missing part for $5. DeepFaceLive and OBS will help you pass KYC in 20 minutes."
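
A defender-side check for the virtual capture devices described in section 3.2, as an added example that is not part of the original post: on a Linux endpoint it lists Video4Linux2 nodes from sysfs and flags those whose label matches a known virtual-camera name or whose device path sits under `/devices/virtual/`. The label patterns, the sysfs-path heuristic, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Labels named in the article plus v4l2loopback's default card label.
# Labels are user-configurable, so a label match is only a weak signal.
VIRTUAL_LABEL = re.compile(r"obs virtual camera|dummy video device|v4l2 ?loopback", re.I)

def classify_video_devices(class_dir="/sys/class/video4linux"):
    """Map each video node to its label and two virtual-camera signals."""
    findings = {}
    if not os.path.isdir(class_dir):
        return findings
    for node in sorted(os.listdir(class_dir)):
        entry = os.path.join(class_dir, node)
        try:
            with open(os.path.join(entry, "name"), encoding="utf-8", errors="replace") as fh:
                label = fh.read().strip()
        except OSError:
            label = ""
        # Assumption: parentless nodes (v4l2loopback) resolve under /devices/virtual/.
        real = os.path.realpath(entry).replace(os.sep, "/")
        findings[node] = {"label": label, "virtual_bus": "/devices/virtual/" in real,
                          "label_hit": bool(VIRTUAL_LABEL.search(label))}
    return findings

def suspicious_nodes(findings):
    """Nodes where either signal fires."""
    return [n for n, f in findings.items() if f["virtual_bus"] or f["label_hit"]]

def build_constructed_sysfs(root):
    """Constructed sample tree: a USB webcam and a generically labelled loopback node."""
    layout = {
        "video0": ("devices/pci0000:00/usb1/1-1/1-1:1.0/video4linux/video0", "Integrated Webcam"),
        "video2": ("devices/virtual/video4linux/video2", "HD Webcam"),
    }
    class_dir = os.path.join(root, "class", "video4linux")
    os.makedirs(class_dir)
    for node, (rel, label) in layout.items():
        target = os.path.join(root, rel)
        os.makedirs(target)
        with open(os.path.join(target, "name"), "w", encoding="utf-8") as fh:
            fh.write(label + "\n")
        os.symlink(target, os.path.join(class_dir, node))
    return class_dir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(suspicious_nodes(classify_video_devices(build_constructed_sysfs(tmp))))
```

A check like this runs on a machine the applicant controls, so a hit is one input to session risk scoring alongside the server-side controls from Part 5, not a verdict on its own.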