Your Face Just Became the Password Criminals Can't Wait to Steal
Imagine you get a text. It looks official — maybe your bank, maybe a government agency. It asks you to verify your identity. You take a selfie, photograph your ID, and move on. You did everything right. Except you just handed criminals everything they need to impersonate you, open accounts in your name, and drain money — without ever touching your password.
A mobile malware called GoldPickaxe is now stealing people's face data — not just passwords — to build AI-generated deepfakes that bypass the face-scanning security your bank uses to protect you.
That's the real story inside Zimperium's latest warning about GoldPickaxe — a piece of malware (malicious software, the kind that hides inside an app and does things without your knowledge) that has evolved to steal something most of us never thought to protect: our biometric data. That means your face, your expressions in motion, the unique way your features are arranged. The stuff you can't change the way you'd change a password.
If that sounds abstract, stay with me. Because this one is personal.
The Scam You Wouldn't Recognize
Here's how GoldPickaxe actually works — and it's sneaky enough to fool careful people.
Attackers disguise the malware as legitimate government apps. Tax forms, pension portals, official ID services. Once you download the fake app, it asks you to do something that feels completely normal in 2025: verify your identity with a face scan and a photo of your ID card. You do it. The app thanks you. You forget about it.
Behind the scenes, those images don't go to any government server. They go straight to criminals who are building a detailed biometric profile — your face, your ID, your banking information all collected together. Then comes the part that should make you stop scrolling: they use that material to generate a deepfake video (an AI-created fake video that looks and moves like you) and use it to pass the face-verification checks your bank uses to confirm you're really you. This article is part of a series — start with Meta Smart Glasses Facial Recognition What It Means For You.
Zimperium tracked active GoldPickaxe infections across five countries. This is not a theoretical future risk. It's happening right now.
Why Your Face Is Now Worth More Than Your Password
Think about what happens when your password gets stolen. You reset it. Takes five minutes, maybe ten if the site is annoying about it. Your bank card gets cloned? They cancel it and mail you a new one. These things are painful — but fixable.
Your face is not fixable. Your face doesn't expire. You can't update it. And here's the uncomfortable truth that the financial industry has been quietly grappling with: the more we rely on face scans to prove who we are, the more valuable stealing that face data becomes to criminals.
Research from the Sumsub 2025 Fraud Report, cited by Gulf Insider, found that 67% of businesses now expect biometric fraud to rise significantly in 2026. That's not a niche concern inside a boardroom somewhere. That's a majority of companies that handle your data already bracing for this.
The underlying problem is something security researchers call a "liveness check" failure — and let me translate that immediately so you don't have to Google it. A liveness check is what your bank's app does when it asks you to blink, turn your head, or smile. It's supposed to confirm you're a real, present human being — not a photo or a recording. The assumption was that a video of someone's face, even a good one, wouldn't pass.
That assumption is now outdated. Deepfake-driven attempts to fool liveness checks surged 704% in 2023, according to Real Eyes. Then they climbed another 300% from 2023 to 2024. The technology criminals use to create fake videos has gotten dramatically better, faster than most banks' detection systems have kept up.
"Fraudsters bypass identity verification using camera injection — feeding pre-recorded deepfake video directly into the camera stream, with security systems unable to detect it isn't a live person." — Security analysis from Zimperium, on the GoldPickaxe attack chain
Camera injection, in plain English, means an attacker doesn't hold up a printed photo to their phone camera. They hack the camera feed itself and replace what it sees with a fake video. The app thinks it's scanning a real face. It isn't. And the terrifying part is that GoldPickaxe makes this scalable — meaning criminals can run these attacks on thousands of people at once, not just one target at a time. Previously in this series: Your Car Is About To Watch Your Eyes And Nobodys Saying Wher.
The Escalation Nobody Warned You About
There's a pattern worth understanding here, because it didn't come out of nowhere.
A decade ago, criminals stole passwords. Banks responded by adding two-factor authentication (a second confirmation step, like a text code). Criminals moved to stealing those codes. Banks added device recognition — checking if the login came from a phone they knew. Criminals started compromising devices. Banks added biometric face checks as the "unfakeable" final layer.
And now criminals are stealing the biometric data itself.
Every time security added a layer, fraud adapted to attack that exact layer. The Identity Theft Resource Center's 2026 report confirmed that device compromise — criminals taking control of your actual phone — has now surpassed old-school scams as the primary threat for adults between 35 and 64. That's not young people being careless. That's the exact demographic that tends to have mortgages, retirement accounts, and health benefits tied to digital logins.
The GoldPickaxe story, first tied to a threat group called GoldFactory by researchers at Group-IB, marks the moment criminals stopped treating biometric data as a privacy side-effect and started treating it as a financial asset. Your face scan isn't just personal information anymore. In the criminal economy, it's closer to a key — one that unlocks bank accounts, loan applications, and identity verification systems across multiple platforms at once.
Why This Matters to You Specifically
- ⚡ It targets normal behavior — Asking someone to verify their face feels routine now. That's exactly what makes this dangerous.
- 📊 It scales industrially — GoldPickaxe doesn't need a human criminal watching each target. It automates the collection and the attack, running on thousands of devices simultaneously.
- 🔮 The damage compounds — Stolen passwords expire. A deepfake built from your face can be reused across different platforms, for different scams, indefinitely.
- 🏦 Banks aren't fully prepared — Liveness checks were designed for the technology of two years ago. The synthetic video tools criminals use now have outpaced many of those defenses.
So What Do You Actually Do?
Look, nobody is saying you should refuse every face scan forever. Banks and legitimate services do use biometric checks — and when done well, with multiple layers of verification, they're still one of the better security tools we have. According to analysis from Proof, effective defense now requires layering biometric checks with device analysis and behavioral monitoring — not replacing one with the other.
But here's what you can actually change right now, tonight, reading this on your phone: Up next: Metas New Glasses Can Log Your Face At A Party And Youll Nev.
Treat an unexpected biometric prompt the way you'd treat an unexpected request to wire money. Pause. Ask yourself: did I initiate this interaction, or did something — a text, a link, a downloaded app — lead me here? Legitimate services almost never need you to scan your face after clicking a link in a message you didn't ask for.
If you've ever looked at a suspicious profile photo and wondered, "Is this person real, or is something off here?" — that instinct is worth trusting more than ever. The question of whether a face is genuine versus digitally constructed is no longer just an abstract worry. It's the exact question at the center of how modern identity fraud works. Tools that help answer that question exist, and knowing they exist is a first step toward not being caught flat-footed.
The most practical thing you can do is simple but counterintuitive: slow down when technology asks you to prove you're human. That moment of friction — the face scan, the ID photo, the selfie — used to be a security feature. Criminals have figured out how to make it the attack itself.
Any unexpected prompt asking you to scan your face, photograph your ID, or verify your identity — especially one that arrived via text, email, or a downloaded app — deserves the same suspicion you'd give a stranger asking for your banking PIN. Your biometric data is now treated as financial currency by criminals. Protect it accordingly.
Here's the question that keeps getting deferred in industry conversations: banks and apps added face verification and told us it was the secure option. They didn't add any clear warning system for when a biometric prompt might itself be the scam. Should they? Or do we accept that in a world where your face is now a financial key, figuring out which door it's opening is somehow on us?
Because right now, the people getting hurt by GoldPickaxe aren't careless. They're people who did exactly what a legitimate app would have asked them to do — and nobody warned them that the prompt they were staring at was the robbery in progress.
Ready for forensic-grade facial comparison?
Full forensic reports with detailed similarity scoring. Results in seconds.
Run My First SearchMore News
Your Face Is Now Your Train Ticket — and Nobody Asked You First
Facial recognition just moved from airports and border control into the everyday train stations of Japan — and the real question isn't whether this is coming, it's whether you'll have any say when it arrives near you.
biometricsYour Bank Thinks You're Safe. The Math Says 7 in 10 Aren't.
Your bank has MFA turned on. Great. But a new report found only 28% of that protection can actually resist a phishing attack—and most banks don't realize the difference. Here's what that means for your account.
biometricsYour Car Is About to Watch Your Eyes — and Nobody's Saying Where That Video Goes
New cars could use biometric sensors to detect if you're too tired or impaired to drive — before a crash happens. The tech exists. The trust doesn't. Here's the gap.
