A new service has successfully passed Know Your Customer or else “KYC” checks on several cryptocurrency exchanges. The service claims to utilize artificial intelligence (AI) “neural networks” and “generators” to manufacture phony driver licenses and passports.
The website called OnlyFake creates authentic-looking fictitious passports and driver’s licenses from 26 nations, including the US, UK, Australia, Canada, and several EU member states. It accepts payments in a variety of cryptocurrencies via Coinbase’s business payments service.
On February 5, 404 Media revealed that it successfully got around OKX’s KYC verification process by utilizing a picture of a British passport that the outlet had created using the website. The ID looked to be lying on a bedsheet, as though someone had taken a picture of it.
Users of the website appear to have been successful in utilizing the IDs to get around verification at some cryptocurrency exchanges and financial service providers, such as Kraken, Bybit, Bitget, Huobi, and PayPal, according to a Telegram channel that Cointelegraph was able to view.
The service could benefit cryptocurrency scammers and hackers who want to register bank accounts and exchanges using fictitious documents to conceal their true identities and make themselves harder to find.
Responds to Allegations of Potential ID Fraud in Crypto Exchanges
The owner of OnlyFake “John Wick,” told 404 Media that the IDs might get over KYC requirements at exchanges including OKX, Kraken, Bybit, Huobi, Coinbase, and Binance, as well as the neobank Revolut which takes cryptocurrency.
A representative for OKX responded to Cointelegraph, saying that the company “condones, accepts, or disregards fraudulent conduct” and that it is looking into the claim with its teams and an outside partner.
The statement said, “We are dedicated to actively combating fraudulent activity on our platform and pursuing the highest standards of compliance.” “OKX is fully addressing the challenge of the abusive use of AI to conduct fraudulent activity, which is an evolving issue facing the industry.”
However, according to its terms of service, the OnlyFake website does not “manufacture forged documents as it is illegal,” and its “templates are only for use in movies, TV shows [and] web illustrations.”
It is acknowledged that using the website to create a fake document takes less than a minute. As per a Telegram thread viewed by Cointelegraph, users have the option to upload their photo or select one at random from a “personal library of drops and not using a neural network.”
Numerous examples of fake passports and driver’s licenses appear to spread out on kitchen countertops, sheets, carpets, and desktops just like they would if used for online verification shared on a related Telegram channel.
Additionally, OnlyFake allows users to spoof image metadata, including the GPS location, time, date, and device used to take the purported photo. This is useful because some identity verification services use this information to verify the validity of the photos.
Cryptocurrency scammers and hackers have long employed techniques to conceal their true identities while forging documents and gaining access to cryptocurrency exchanges.
Concerns About KYC Vulnerabilities Are Growing Despite Deep Fake Threats
Blockchain security company CertiK discovered an underground market in late 2022 where people were offering as little as $8 for the sale of their identities. In exchange, they would register bank and exchange accounts and serve as the verified face of fictitious cryptocurrency businesses.
The widespread, easy access to AI deep fake tools has also raised concerns from crypto industry executives on the effectiveness of video verification used in some identity checks.
Binance chief security officer Jimmy Su told Cointelegraph in May 2023 that there was a rise in scammers attempting to dupe exchange KYC checks using deep fakes and warned the videos would soon be convincing enough to trick human operators.
Cointelegraph contacted Coinbase for comment on the service using its commerce product but did not receive an immediate response.
Binance, Kraken, Bybit, Bitget, Revolut, Huobi, and PayPal did not immediately respond when contacted for comment on the users alleging to have bypassed their identity checks.