An underground market is targeting one of digital finance’s core trust mechanisms
MIT Technology Review reports that scammers are using illicit tools sold on Telegram to bypass the identity checks used by banks and crypto platforms, especially “Know Your Customer” or KYC facial scans. In its investigation, the publication identified 22 public Chinese-, Vietnamese-, and English-language Telegram channels and groups advertising bypass kits and stolen biometric data. The tools are presented as ways to get around compliance systems that are supposed to confirm both that an account belongs to a real person and that the user’s face matches the identity documents originally submitted.
The implications are serious because KYC checks are foundational to how digital finance screens for fraud, mule accounts, and money laundering. If those checks can be commoditized into something sold openly through messaging channels, then what appears to be a security layer may increasingly function as a market opportunity for criminal specialists. The story is not just about one clever exploit. It is about a supply chain for identity evasion.
The reporting grounds that concern in a vivid example. A scammer working from a money-laundering center in Cambodia demonstrates a Vietnamese banking app asking for a photo tied to the account and then a video liveness check. Instead of using a legitimate live camera feed, the scammer uses a mismatched image and still passes. According to the investigation, this is possible because many bypass kits replace the expected live camera stream with other videos or images through a virtual camera technique.
The weakness lies in how “liveness” can be faked at the device level
The key technical point is that the tools typically do not defeat biometric systems by perfectly imitating a real user at the platform level. Instead, they compromise the phone operating system or app environment so that the camera feed itself can be swapped out. Once a liveness check accepts a fake input as if it were real-time video, the rest of the security process can collapse.
That matters because many users assume facial checks are inherently stronger than passwords or basic document uploads. In principle, they often are. But the MIT Technology Review reporting shows how their effectiveness depends heavily on the integrity of the device and application pipeline. If scammers can control what the app sees, then the face check may become less a biometric safeguard than a presentation test vulnerable to tooling and fraud services.
The investigation says these kits claim to target institutions ranging from major crypto exchanges such as Binance to banks including Spain’s BBVA. Some channels had thousands of members or subscribers. Even if not every claim in those channels is valid, the scale of advertising described in the investigation suggests a market mature enough to merit concern.







