Deepfake Injection Attacks Jumped 783% — and Single-Factor Biometrics Still Dominate KYC

An A.I. tool called JINKUSU CAM can now impersonate your face in real time — matching your expressions, tracking your facial movements — and use that fake version of you to pass identity checks on Coinbase, Binance, and Kraken. It's not a concept. It's already deployed.

If you've ever held your phone up and turned your

If you've ever held your phone up and turned your head side to side to verify your identity — for a bank, a crypto exchange, even a new app — this story is about you. That selfie check you trusted? Criminals are building tools specifically designed to beat it. According to the World Economic Forum's Cybercrime Atlas published in January, researchers examined seventeen face-swapping tools and eight camera injection tools. Most of them could get past standard biometric onboarding. According to Live Bitcoin News, JINKUSU CAM uses real-time facial mesh tracking to map a real person's expressions onto a synthetic face — and it targets the biggest names in crypto. The deeper question isn't whether one tool works. It's whether the entire system we've built around single-factor biometrics — the "take a selfie and you're verified" model — was ever strong enough to hold.

According to the World Economic Forum report, injection attacks — where fake video gets fed directly into a verification system, bypassing the camera entirely — jumped nearly eight hundred percent in twenty twenty-four. That's not a gradual rise. That's a cliff. And according to Jumio, those attacks kept climbing in twenty twenty-five, up another eighty-eight percent year over year. The trend isn't flattening. It's steepening. What does that look like in practice? According to Biometric Update, a single financial institution in Indonesia recorded over eight thousand attempts to bypass its liveness checks using A.I.-generated deepfake images — in just eight months, between January and August of twenty twenty-five. Eight thousand attempts. One bank. That attack used more than a thousand fraudulent accounts spread across forty-five mobile devices. This isn't a lone hacker in a basement. It's coordinated, scaled fraud.

And the cost of entry has collapsed. According to Sumsub, a ready-made synthetic identity — a fake person with a fake face — costs about fifteen dollars. A custom deepfake runs between ten and fifty dollars. For the price of lunch, someone can build a face that doesn't exist and use it to open a financial account. That means this isn't limited to sophisticated criminal networks anymore. Anyone with a credit card and a motive can try.

Why do regulators keep pushing biometrics as the answer

So why do regulators keep pushing biometrics as the answer? That's the contradiction at the center of all this. Know Your Customer rules — K.Y.C. — require financial institutions to verify that you are who you say you are. And increasingly, that means collecting your face. But according to Signzy, Gartner predicts that by twenty twenty-six, roughly a third of enterprises won't consider face biometric verification reliable on its own. Meanwhile, Coinbase is facing a lawsuit in Illinois for collecting facial scans without consent during K.Y.C., potentially violating the state's Biometric Information Privacy Act. Fines could reach into the millions. So companies are getting sued for collecting the very biometric data that regulators say they need to collect. And the biometric data they're collecting? Deepfakes are engineered to fake it.

The core problem is a question most verification systems never ask. They ask, "Does this face match our records?" They don't ask, "Is a real person actually sitting in front of this camera right now?" Deepfakes exploit that gap. They deliver biometric data that matches — without a real human being present. For anyone who's ever done a video selfie to open an account, that should land hard. The system checked your face. It didn't check whether you were real.

Now, the detection side isn't standing still. Advanced deepfake detection frameworks have reached about ninety-seven percent accuracy under controlled lab conditions. The U.K. Home Office ran a Deepfake Detection Challenge in twenty twenty-four, and top models scored F-one scores above ninety percent on hidden test data. That sounds reassuring — until you consider the gap between a lab and the real world. In deployment, attackers have months to iterate. Systems run unsupervised. And injection attacks bypass the camera entirely, feeding synthetic video straight into the verification pipeline at the A.P.I. layer. Ninety-seven percent in a lab doesn't mean ninety-seven percent on your phone at midnight when no human is watching.