An active cybercriminal operation, codenamed ‘Grey Nickel’, has been systematically bypassing identity verification systems used by banks, crypto exchanges, e-wallets, and payment platforms around the world.

iProov’s Security Operations Center observed live operations of the threat actor, codenamed ‘Grey Nickel,’ targeting organisations globally with concentrated attacks against banking, crypto exchanges, e-wallets, and digital payment platforms in Asia-Pacific, EMEA, and North America. During its investigation of ‘Grey Nickel’, the iSOC team also documented an unprecedented escalation in attacks specifically designed to bypass Know Your Customer (KYC) processes across the financial services sector. 
 
Financial services organisations have long been prime targets for relentless fraud attacks, both by lone perpetrators and highly organised criminal networks. Unfortunately, many of the organisations targeted by ‘Grey Nickel’ and the KYC attackers had employed liveness detection technologies that appear to be designed to prevent only presentation attacks as opposed to AI-fuelled digitally injected attacks. The gap between the identity assurance that these technologies are able to provide and the identity assurance needed has become a profitable sweet spot for cybercriminals.

iProov advises organisations to use its spectrum of identity assurance methodology to determine the most suitable verification technologies, tailored to each use case, by evaluating the contextual knowledge of the individual and the risk of the activity with the organisation’s risk appetite. 

“These criminal groups understand that banking, crypto exchanges, e-wallets, and digital payment platforms represent some of the highest-value targets for identity fraud,” said Dr. Andrew Newell, Chief Scientific Officer of iProov. “It is important to understand that these aren’t opportunistic attacks; they represent highly coordinated, specialized operations that pose an existential threat to the digital transformation of banking.”


iProov’s investigation has identified several distinct criminal operations: 

  • Grey Nickel: Systematic Operations
    • A sophisticated threat actor group, codenamed “Grey Nickel,” has been conducting systematic attacks against identity verification systems since July 2023, primarily targeting organizations in the Asia-Pacific region, with recent expansions into North America and EMEA. This group employs advanced face-swap technology, metadata manipulation, and injection techniques specifically designed to defeat single-frame liveness-based verification systems used by banks and payment platforms.
  • Advanced Virtual Camera Networks
    • Separate criminal groups have developed and distributed specialized mobile applications that enable KYC bypass on both Android and iOS devices. These applications inject pre-recorded or manipulated video feeds during identity verification, with some variants now incorporating lip-syncing capabilities to defeat voice-based challenges.
  • Deepfake-as-a-Service Operations
    • Independent criminal actors have established service-based models, offering custom deepfake creation and comprehensive KYC bypass packages specifically designed to target cryptocurrency exchanges and payment platforms. These operations combine stolen identity databases with AI-generated media to create “synthetic identities” and enable large-scale identity fraud.
  • AI-Powered Fraud Tools
    • Criminal forums now actively share techniques using commercially available AI platforms to generate convincing deepfake videos, specifically designed to bypass primitive liveness technologies employed by some financial institutions. 

The financial consequences of these attacks are reaching unprecedented levels: 

  • In 2024, a Hong Kong employee of a British multinational company fell victim to deepfake scammers, at a cost of US$25.6 million, when criminals impersonated company executives.
  • More than half of the organizations surveyed in a recent BioCatch report admitted to losing between $5 and $25 million to AI-powered attacks in 2023.
  • A United Nations report noted a rise in AI-driven crimes involving deepfakes, demonstrated by more than a 600% increase in mentions of deepfake-related content targeting criminal groups in Southeast Asia across monitored online platforms in the first half of 2024. 

A critical global challenge in combating cybercrime against the financial services sector is the widespread lack of comprehensive data from these institutions. This absence of consistent, mandatory incident reporting across many jurisdictions prevents regulators from accurately assessing the scale of illicit activities, which hinders effective regulatory action. While regions like the European Union are advancing proactive measures, with bodies such as the European Banking Authority proposing the adoption of the high-assurance EU Digital Identity Wallet or an equivalent to comply with AML rules, many nations lag behind. This creates global disparities that cybercriminals can exploit and highlights an urgent need for greater international cooperation and data sharing to drive robust security enhancements and coordinated regulatory intervention.