KYC Verification Evasion Leads to Exploitation of Virtual Cameras & App Emulators

CloudSEK's Threat Intelligence Team recently uncovered a comprehensive tutorial on bypassing selfie verification in a Russian-speaking Cybercrime Forum.
Noel Varghese
Published on
June 26, 2023

Category:  Adversary Intelligence

Industry: Banking & Finance

Motivation: Profit

Region: Global


Source Reliability: C - Fairly Reliable

Information Credibility: 3 - Possibly True

Executive Summary

CloudSEK's Threat Intelligence Team discovered a tutorial on a Russian-speaking cybercrime forum that provides a step-by-step guide to bypassing selfie verification. A live selfie is a common way to perform KYC (Know Your Customer) verification: the data points supplied by the registering customer are checked against the photograph on a legal identity document such as an SSN card, driver's license, Aadhaar card, PAN card and so on.

In the evolving landscape of digital finance, threat actors are increasingly exploiting open-source emulators and virtual cameras to bypass KYC (Know Your Customer) verification processes on fintech platforms. This exploitation leads to the creation of fraudulent accounts, posing substantial financial and reputational risks. 

While we have not observed threat actors actively targeting the Indian sub-region, the step-by-step guide in question targeted Revolut, a United Kingdom-based financial technology company that offers mobile-based banking and money transfer services. Similar bypass services are also offered against brands operating in the cryptocurrency industry, such as Gemini and LiteBit.

The potential for these methods to facilitate money laundering activities is a serious concern. For organizations operating in the Banking, Financial Services, and Insurance (BFSI) sector, understanding these threats is of paramount importance.

Possible mitigations to prevent abuse are:

  • Using robust facial recognition with liveness detection to distinguish a real face in front of a camera from a replayed image or video
  • Using behavioural analysis and anomaly detection, correlating behaviour patterns with contextual device signals such as root detection and emulator / virtual environment detection
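The second bullet is easiest to see as a server-side risk score: the onboarding app reports device and behavioural signals with each selfie step, and the backend combines emulator, root, virtual-camera and velocity indicators into one decision. The block below is an added example written for this page, not CloudSEK's or any vendor's code. It assumes a hypothetical SDK that sends the listed fields; the emulator build markers are the commonly documented ones for the stock Android emulator and Genymotion, the BlueStacks package prefix and the scoring weights are assumptions, and "OBS Virtual Camera" is the device name OBS registers on Windows.

```python
"""Risk-scoring of a selfie-KYC session from device and behavioural signals.

Added illustration for this page; not CloudSEK's or any vendor's code.
Assumes a hypothetical onboarding SDK that ships the KycSession fields to the
server. Indicator lists and weights are assumptions to be tuned per deployment.
"""
from dataclasses import dataclass

# Build properties exposed by the stock Android emulator (goldfish/ranchu)
# and Genymotion (vbox86). Checked against Build.HARDWARE / PRODUCT / FINGERPRINT.
EMULATOR_HARDWARE = {"goldfish", "ranchu", "vbox86"}
EMULATOR_PRODUCT_PREFIXES = ("sdk", "google_sdk", "sdk_x86", "vbox86p")
EMULATOR_FINGERPRINT_PREFIXES = ("generic", "unknown")
# Vendor packages installed by emulators themselves (assumption: the
# BlueStacks prefix may need updating per release).
EMULATOR_PACKAGE_PREFIXES = ("com.bluestacks.", "com.genymotion.")
# Classic su binary locations used by root checks.
ROOT_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"}
# Camera labels that identify a software camera rather than a sensor.
VIRTUAL_CAMERA_LABELS = ("obs virtual camera", "obs-camera", "virtual")


@dataclass
class KycSession:
    build_hardware: str
    build_product: str
    build_fingerprint: str
    build_tags: str
    installed_packages: list
    present_paths: list
    camera_label: str
    selfie_step_seconds: float    # camera open -> selfie submitted
    signups_from_device_24h: int  # accounts created from this device ID today


def score_session(s: KycSession):
    """Return (score 0-100, reasons). Weights are assumptions."""
    score, reasons = 0, []

    # Emulator / virtual environment detection
    if s.build_hardware.lower() in EMULATOR_HARDWARE:
        score += 40; reasons.append(f"emulator hardware '{s.build_hardware}'")
    if s.build_product.lower().startswith(EMULATOR_PRODUCT_PREFIXES):
        score += 20; reasons.append(f"emulator product '{s.build_product}'")
    if s.build_fingerprint.lower().startswith(EMULATOR_FINGERPRINT_PREFIXES):
        score += 20; reasons.append("generic build fingerprint")
    if any(p.startswith(EMULATOR_PACKAGE_PREFIXES) for p in s.installed_packages):
        score += 40; reasons.append("emulator vendor packages installed")

    # Root detection
    if "test-keys" in s.build_tags:
        score += 15; reasons.append("build signed with test-keys")
    if ROOT_PATHS.intersection(s.present_paths):
        score += 25; reasons.append("su binary present")

    # Virtual camera: the selfie is not coming from a sensor at all
    if any(tag in s.camera_label.lower() for tag in VIRTUAL_CAMERA_LABELS):
        score += 40; reasons.append(f"software camera '{s.camera_label}'")

    # Behavioural signals: a person needs a few seconds to frame a face,
    # a pre-staged frame passes almost instantly; one device opening many
    # accounts in a day is bulk drop-account creation (thresholds assumed).
    if s.selfie_step_seconds < 2.0:
        score += 15; reasons.append("selfie captured too quickly")
    if s.signups_from_device_24h > 2:
        score += 30; reasons.append("device reused for bulk signups")

    return min(score, 100), reasons


def decision(s: KycSession) -> str:
    """allow / step_up (e.g. video call or active liveness) / block."""
    score, _ = score_session(s)
    if score >= 50:
        return "block"
    if score >= 25:
        return "step_up"
    return "allow"


# Constructed sample sessions (not real telemetry).
GENUINE_PHONE = KycSession(
    "sunfish", "sunfish", "google/sunfish/sunfish:13/TQ3A/release",
    "release-keys", ["com.android.chrome", "com.google.android.gms"], [],
    "Front camera (id 1)", 5.8, 1)
EMULATOR_WITH_OBS = KycSession(
    "vbox86", "vbox86p", "generic/vbox86p/vbox86p:9/PI/test",
    "test-keys", ["com.bluestacks.home", "com.android.chrome"],
    ["/system/xbin/su"], "OBS Virtual Camera", 0.8, 5)
SUSPECT_CAMERA_ONLY = KycSession(
    "sunfish", "sunfish", "google/sunfish/sunfish:13/TQ3A/release",
    "release-keys", ["com.android.chrome"], [], "OBS Virtual Camera", 4.0, 1)

if __name__ == "__main__":
    for name, sess in [("genuine", GENUINE_PHONE), ("emulator", EMULATOR_WITH_OBS),
                       ("camera-only", SUSPECT_CAMERA_ONLY)]:
        print(name, decision(sess), score_session(sess))
```

The point of the layered score is that no single signal has to be conclusive: an emulator that spoofs its build properties is still caught by its vendor packages or the camera label, and a session that looks clean on the device but submits a selfie in under a second from a device that already opened several accounts is routed to a human review or an active liveness step rather than auto-approved.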

The implications of these threats are far-reaching, affecting not only the security of financial transactions but also the trust that customers place in these platforms. 

Industry Context

Biometric verification has been a game-changer for customers complying with the KYC requirements imposed by banks, crypto exchanges and other fintech platforms. Video KYC and selfie verification are now the norm: the customer no longer has to visit a branch or an authorised centre for every KYC procedure. The following table lists entities that have selfie verification enabled; once it completes successfully, the customer can begin trading or selling on the platform.

Entities who have Digital Verification Enabled

Information from the Underground Forums

CloudSEK's Threat Intelligence Team discovered a tutorial on a Russian-speaking cybercrime forum that provides a step-by-step guide to bypassing selfie verification. While monitoring discussions on other cybercrime forums, we discovered a further set of discussions in which actors used the same software to bypass selfie verification and generate Revolut accounts.

Figure 1 - The tutorial, posted on a cybercrime forum frequented by cybercriminals focused on social engineering and phishing

  • Revolut is a UK-based financial technology company that offers mobile-based banking services, including money transfers, currency and cryptocurrency exchange, budgeting tools, and more. It operates digitally, providing users with a convenient, app-based approach to personal and business banking.
  • Drop accounts on banking and payment applications are commonly requested and purchased by cybercriminals to receive and forward funds, which are often obtained from illegitimate sources.
  • The implementation of a verification process is a critical measure intended to minimize the prevalence of automated or malicious accounts, as well as to curb fraudulent activities. This step is essential in establishing Know Your Customer (KYC) protocols, which ensure the legitimacy and integrity of users on the platform.
  • Identity verification through selfies has become a widespread practice across various digital platforms, including financial services, social media, and online marketplaces. Despite its widespread adoption, this method isn't foolproof and can be susceptible to bypassing unless appropriate security measures are implemented.
Figure 2 - Forum Post where the tutorial was abused to bypass Revolut’s KYC

  • The threat actor's tutorial names the following software, which is combined to pass the verification process on Revolut:
  • OBS Studio 27.2.4 - an open-source suite for video recording and live streaming, widely used by content creators for platforms such as Twitch and YouTube. It captures, composites, encodes and streams video.
  • OBS VirtualCam plugin - registers a virtual camera device on the desktop. The actor feeds it a dummy video containing the face they want to present, and the plugin exposes a snapshot of that face as if it were a live webcam feed.
  • BlueStacks 5.10 or later - an Android emulator for installing and running Android applications on a desktop. Inside it, the banking app consumes the virtual camera as its camera input.

Verification Process Through Emulator

The selfie verification step takes place after the phone number has been verified via OTP and the customer has set the account credentials. Because the app is running in a desktop emulator rather than on a phone, its camera input can be pointed at the virtual camera, so the app is tricked into accepting a pre-prepared image as the live selfie and completes verification.

The same method can be used to generate accounts in bulk on banking and fintech platforms that rely on selfie-based KYC.
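The first mitigation above calls for telling a live camera feed apart from a replayed image or video. A cheap pre-check that runs before any face-matching model is to look at the frames themselves: a snapshot piped through a virtual camera produces identical frames with no sensor noise or micro-motion, and a pre-recorded clip played on a loop repeats itself at a fixed period. The block below is an added example written for this page, not CloudSEK's or any vendor's code; the frames are constructed grayscale pixel lists, the clip generators are stand-ins for real camera capture, and the thresholds are assumptions to be calibrated on real sensor output.

```python
"""Static-feed and looped-replay pre-check over a short selfie clip.

Added illustration for this page; not CloudSEK's or any vendor's code.
Frames are flat lists of 8-bit grayscale pixels. The clip generators build
constructed sample input so the module runs offline; thresholds are assumptions.
"""
import random


def mean_abs_diff(a, b):
    """Average absolute per-pixel difference between two equally sized frames."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def is_static(frames, threshold=1.5):
    """A sensor aimed at a person always shows noise and micro-motion; a still
    image exposed through a virtual camera yields near-zero consecutive diffs."""
    return all(mean_abs_diff(frames[i], frames[i + 1]) < threshold
               for i in range(len(frames) - 1))


def loop_period(frames, threshold=1.5, min_period=2):
    """Shortest period p such that frame i ~= frame i+p for every i, or None.
    A looped recording repeats; a live feed never lines up with itself.
    The tolerance absorbs re-encoding noise from the virtual camera path."""
    n = len(frames)
    for p in range(min_period, n // 2 + 1):
        if all(mean_abs_diff(frames[i], frames[i + p]) < threshold
               for i in range(n - p)):
            return p
    return None


def liveness_precheck(frames):
    """Cheap gate run before face matching / active liveness."""
    if len(frames) < 4:
        return "reject: too few frames"
    if is_static(frames):
        return "reject: static feed"
    p = loop_period(frames)
    if p is not None:
        return f"reject: looped replay (period {p})"
    return "pass: run full liveness"


# --- constructed sample clips (assumption: stand-ins for real capture) ---

def _random_frame(rng, size):
    return [rng.randrange(256) for _ in range(size)]


def live_clip(n=12, size=64, seed=7):
    """Scene content drifts one pixel per frame plus small sensor noise."""
    rng = random.Random(seed)
    base = _random_frame(rng, size)
    frames = []
    for k in range(n):
        shifted = base[k:] + base[:k]
        frames.append([min(255, max(0, v + rng.randint(-2, 2))) for v in shifted])
    return frames


def static_clip(n=12, size=64, seed=7):
    """A single snapshot served by a virtual camera: byte-identical frames."""
    rng = random.Random(seed)
    snapshot = _random_frame(rng, size)
    return [list(snapshot) for _ in range(n)]


def looped_clip(period=4, repeats=3, size=64, seed=7):
    """A short recording replayed on a loop."""
    rng = random.Random(seed)
    segment = [_random_frame(rng, size) for _ in range(period)]
    return [list(f) for _ in range(repeats) for f in segment]


if __name__ == "__main__":
    for name, clip in [("live", live_clip()), ("static", static_clip()),
                       ("looped", looped_clip())]:
        print(name, "->", liveness_precheck(clip))
```

This check is deliberately narrow: it rejects the exact artefact the tutorial produces (a single snapshot presented as a camera) and the obvious upgrade (a looping clip), and it is meant to sit in front of, not replace, a challenge-response liveness step, since a long non-repeating deepfake video passes it.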

Figure 3 - Picture used for verification



Figure 4 - Previous Discussions surrounding Facial Recognition Bypass for creation of Revolut Accounts

Figure 5 - A similar advertisement observed on a Russian-speaking cybercrime forum for bypassing verification, which has been observed to impact the crypto industry and foreign banks

Figure 6 - Discussion on an underground forum indicating previous exploitation of the selfie verification process for Revolut
