•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Biometric authentication vulnerabilities are increasingly being exploited by cybercriminals to bypass bank security systems, according to reporting based on a two-month investigation earlier this year. The investigation identified 22 channels and Telegram groups advertising toolkits in Chinese, Vietnamese and English that claim to defeat security measures and extract biometric data.
The advertised software suites use multiple techniques to infiltrate mobile operating systems and banking applications. They also claim to help users bypass Know Your Customer (KYC) checks imposed by financial institutions, including major crypto exchanges such as Binance and banks such as Spain’s BBVA.
Telegram said it removed accounts after reviewing them for terms violations. However, the report says online marketplaces continue to operate and that many channels promoting similar tools remain active.
Chainalysis estimates that about $17 billion was stolen through crypto-related fraud and scams in 2025, up from $13 billion in 2024. The UN Office on Drugs and Crime has warned that the expansion of money-laundering networks from Asia to Africa and the Pacific has helped the industry generate profits.
Security researchers also report rising biometric-related attacks. iProov estimates that biometric-to-identity attacks via camera spoofing were more than 25 times more common globally in 2024 than in 2023. Sumsub reports that multi-step fraud attempts, including bypassing camera verification, nearly tripled last year among its clients.
Researchers say criminals increasingly rely on tools that inject malware into a device’s operating system to trigger a virtual camera (VCam). The VCam replaces the real video stream with prerecorded or altered images or video, with deepfake technology used to create convincing fake identities.
Sergiy Yakymchuk, CEO of the cybersecurity firm Talsec, said that “previously, cracking the app was enough; now criminals must interfere with the OS to counter thicker biometric protections.” He said his team has assisted about 30 VCam-based attacks in the past year, compared with fewer than 10 in 2023.
For money-laundering networks, bypassing KYC is described as a critical step. The report says proceeds are moved through “garbage” bank accounts—rented or identity-stolen—and then quickly converted into stablecoins to launder.
The transactions can occur within seconds under tight controls, and attackers are said to understand banks’ verification and authentication processes.
Three financial institutions—Binance, BBVA and Revolut—said they are aware of these breaches and described them as a shared industry challenge.
In 2023, Binance pled guilty in a U.S. federal court for AML-related violations. The report also cites investigations by the ICIJ indicating that after Zhao Changpeng’s confession, more than $400 million continued to flow to Binance from Huione Group, a Cambodia-based company sanctioned by the U.S. Treasury as a money-laundering nexus.
Binance said it has an “advanced security system” to prevent billions in fraud and that it processed more than 71,000 law-enforcement requests in 2025. However, John Griffin of the University of Texas said exchanges cannot be considered completely secure because criminals continue to exploit them.
The report says global regulators are tightening standards, including FinCEN’s warning about KYC fraud at the end of 2024. Hieu argues that no new security barrier will stop criminals for long, describing the situation as an ongoing cat-and-mouse dynamic.
Premium gym chains are entering a “golden era” that is ending or already in decline, as rising operating costs collide with shifting consumer preferences toward more flexible, community-based ways to exercise. Long-term memberships are shrinking, margins are pressured by higher rents and facility expenses, and competition from smaller, more personalized…
