
An investigation by MIT Technology Review revealed that dozens of Telegram groups are selling tools designed to bypass security measures at major banks and cryptocurrency exchanges.
At a money laundering center in Cambodia, an employee opened a banking app on his phone. When the app asked for a profile picture, he selected a photo of a 30-year-old Asian man.
Next, when the app prompted him to open the camera for live facial verification, the perpetrator showed a still photo of a woman completely unrelated to the account owner. After about 90 seconds of fumbling to fit his face into the frame as required by the app, he successfully accessed the account.
This technique, shared by Ngo Minh Hieu (a cybersecurity expert), reveals a troubling issue: tools that "crack" the customer identification process (eKYC) are being openly sold on Telegram.
Banks' security measures are designed to verify users as "real people" and that their faces match their identification documents. However, criminals are circumventing this using a tool called Virtual Camera (VCam). Instead of using real data streams from the phone's camera, this tool allows criminals to "inject" video files, images, or even deepfakes into the application, bypassing the security system.
As financial institutions roll out new security measures, it creates an endless cycle of "chase" between criminals and the financial industry.
During the first two months of investigation this year, MIT Technology Review Authorities have identified 22 public Telegram channels and groups (in Chinese, Vietnamese, and English) that specialize in advertising circumvention tools and stolen biometric data. These programs infiltrate phone operating systems or banking applications, allowing users to bypass regulations on everything from major cryptocurrency exchanges like Binance to reputable banks like BBVA (Spain).
“Specialized banking services – handling dirty money,” read the profile of a now-deleted Telegram group, accompanied by a thumbs-up icon. “Secure. Professional. High quality.” Many channels with thousands of members regularly advertise: “We handle all types of KYC verification,” “Guaranteed smooth, error-free operation.”.
Telegram stated that after reviewing the accounts, they removed them for violating their terms of service. However, these online black markets easily reappear, and many other channels advertising similar tools are still operating.
Banks and the "butchers"“
The surge in KYC circumvention techniques coincides with the expansion of scam networks globally. Banks and cryptocurrency exchanges are under immense pressure from illicit funds. Countries like Vietnam and Thailand are forced to tighten banking regulations, increase customer verification requirements, monitor fraud, and strengthen anti-money laundering measures in the cryptocurrency industry.
Chainalysis, a US blockchain analytics company, estimates that approximately $17 billion will have been stolen in cryptocurrency scams by 2025, up from $13 billion in 2024. Meanwhile, the United Nations Office on Drugs and Crime warned in a recent report that the expansion of Asian criminal organizations in Africa and the Pacific has helped the industry “significantly increase its profits.”
Pressure from regulators and enormous revenue have made KYC bypass services a focal point in the dark market. While estimates vary, cybersecurity experts generally agree on the increasing trend of these attacks. Specifically, according to a report from biometric authentication company iProov, virtual camera attacks globally in 2024 are more than 25 times higher than in 2023. Simultaneously, Sumsub – a provider of eKYC services – also reported that multi-step fraud attempts (including those using virtual cameras) nearly tripled among its clients last year.
The three financial institutions named as targets on Telegram – Binance, the world's largest cryptocurrency exchange, along with BBVA and Revolut (UK) – all affirmed their awareness of these methods and considered it a common challenge across the industry. A Binance spokesperson stated that they “have observed similar attempts to breach control mechanisms,” adding, “We have successfully thwarted these attacks and are confident in our systems.” BBVA and Revolut declined to comment on whether their security systems had ever been compromised.
It's difficult to know the exact success rate of criminals, as companies often only discover they've been bypassed after the fact, or they choose not to report it. Artem Popov, a leading fraud prevention expert at Sumsub, candidly shared: “The scariest thing is what we don't see. There are always “dark areas” in attacks that neither the system nor the authentication provider is aware of.”.
How criminals circumvent compliance regulations.
While advertisements about the vulnerability sound simple, successfully bypassing it is extremely complex and often involves multiple methods. Some channels offer services to "jailbreak" phones so criminals can force the device to run a virtual camera (VCam) instead of the default camera. Other methods involve "injecting" code into banking apps to direct them to retrieve data from the VCam. Either way, VCam is used to bypass eKYC verification layers using fake images or videos.
Sergiy Yakymchuk, CEO of Talsec (a cybersecurity company for financial institutions), reviewed data from these Telegram channels and confirmed they were entirely consistent with the actual tactics used to attack his clients. His team received requests to handle approximately 30 VCam-based attacks in the past year, a sharp increase from fewer than 10 in 2023.
Yakymchuk stated that criminals are becoming increasingly sophisticated, simultaneously infiltrating both phones and the source code of financial applications. Before transmitting data to the virtual camera, they also combine stolen biometric data with deepfakes.
“"Previously, simply decompiling a banking app and sharing it on Telegram was enough," he said. "Now it's no longer that simple, because of the eKYC security layers, forcing them to use more sophisticated methods."”
For money launderers, bypassing eKYC has “become essential, as fraud rings need to move money around,” said Hieu, the researcher who shared the illustrative video. A reformed former hacker and now a cybersecurity advisor to the Vietnamese government, Hieu runs a non-profit organization dedicated to combating fraud and assisting law enforcement in investigating money laundering cases.
He described how the scams work: Victims' money is transferred into bank accounts controlled or leased by the money laundering network, commonly referred to colloquially as "water houses." The money launderers use eKYC bypass tools to access the accounts and quickly move profits before converting them into digital assets, often the stablecoin Tether.
These transactions typically take place in just seconds and are meticulously orchestrated. "They are very familiar with the account verification or authentication processes of banks," Hieu observed.
This is the edited version of the content, which is concise, accurate, and retains journalistic integrity and ease of understanding:
The never-ending chase
The surge in money laundering from cyber scams has led to financial institutions being scrutinized more closely than ever before. In 2023, Binance pleaded guilty in a US federal court to failing to implement adequate anti-money laundering measures. Then, last October, the exchange's former CEO, Changpeng Zhao, was pardoned by former President Donald Trump.
However, recent analysis from the International Consortium of Investigative Journalists (ICIJ) shows that after Zhao pleaded guilty, more than $400 million continued to flow into Binance from Huione Group – a Cambodian company sanctioned by the US for being considered a key link in money laundering operations from romance-based investment scams.
For its part, Binance asserts that it possesses a “state-of-the-art security system” that has prevented billions of dollars in fraud, and that it handled over 71,000 requests from law enforcement agencies in 2025.
However, John Griffin, a finance and blockchain expert at the University of Texas (Austin), remains skeptical about the security of the exchanges. “They’re hyping up the changes, but the reality is criminals are still using their exchanges,” Griffin stated. “That shows vulnerabilities still exist.” (In response, Binance “rejected the vague conclusions” from Griffin’s work tracking illicit money flows through exchanges like Binance, Huobi, OKX, and Tokenlon, calling the information “misleading, even completely inaccurate.”)
Binance also noted that some of the “bypass” services advertised on Telegram are actually other scams, raising questions about the scale of success of these attacks. A spokesperson for the exchange stressed that accessing these services “puts individuals at serious security risk,” adding that even when access appears to be granted, accounts are often locked by internal controls, preventing criminals from making transactions or withdrawing funds.
Regulatory bodies around the world are also working to catch up. In Thailand, where people's bank accounts are frequently used as intermediaries for scams originating from Myanmar and Cambodia, new laws have tightened eKYC oversight, limited daily transaction limits, and given authorities more power to suspend accounts. The US Financial Crimes Enforcement Network (FinCEN) also issued a warning about the risks of deepfake eKYC and virtual cameras from late 2024, and encouraged platforms to monitor unusual transaction patterns to identify money laundering activities.
For criminals, the new regulations only make it more difficult to "bypass" the rules, not to completely stop them. Mr. Hieu commented: "The new measures only make it more time-consuming for them, but they can't prevent it. It's just a matter of time."“
According to Fiona Kelliherarchive, MIT Technology Review – April 2026