How Consumers—and Fraudsters—are Circumventing ID Verification on Crypto Sites
By Brittany Allen /
7 Jul 2021
As cryptocurrency trading gains momentum and becomes a mainstream investment strategy, we are naturally seeing many crypto trading sites become prime targets for fraudsters as well. Afterall, fraudsters follow consumer trends with eagle eyes and act quickly when certain types of merchandise (or currencies) rise in popularity. Our Q1 2021 Digital Trust & Safety Index bears this out as well: crypto exchanges across Sift’s network had the second highest attempted fraud rate of any vertical in 2020.
The very nature of cryptocurrency—the ability to buy and sell it anonymously—is part of what makes it so attractive for fraudsters. By using either stolen credit cards or account credentials to trade anything from Bitcoin to non-fungible tokens (NFTs), cybercriminals can liquidate accounts and vanish into thin air.
Businesses have successfully fought back against the wave of crypto-hungry scammers, however, by implementing fraud prevention solutions on both the back-end (with ML-based, fraud-prevention technology) and the front-end (with “Know Your Customer” technology). And just like a cat-and-mouse game, fraudsters appear to have found ways to get around these Know Your Customer (KYC) systems.
KYC is largely defined as a process that businesses use to verify that a given customer is who they say they are. This includes verifying a customer’s ID but it also encompasses additional pieces of information that help determine customer legitimacy by ensuring the different pieces of information match up to the “true” user.
Our Trust and Safety Architect team has been following conversations taking place across the web, particularly on open forums on Reddit and Telegram, and found that frustrated consumers and fraudsters alike are using new tricks to bypass ID checks in order to gain access to crypto exchanges they normally would be barred from using. Many consumers are looking to beat KYC requirements for a wide array of reasons; some hold the belief that enforcing identification on these sites goes against the ethos of crypto trading; others are simply minors (not to be confused with crypto miners) who aren’t legally allowed to trade; still others want to avoid the tax obligations.
And, of course, scammers in the ever-growing Fraud Economy trying to use stolen credentials or payment information are working together to gain access to valuable and easily laundered cryptocurrency. Their techniques range from selling photos of Driver’s Licenses and selfies to using cell phones to record rotating synthetic faces in order to pass facial recognition checks. Below are some examples of the KYC workarounds that we’ve discovered being shared in various forums:
Driver’s License + Selfie: Many crypto sites require users to upload official identification/driver’s license as one of the steps to gain access to their sites. When paired with a selfie of the person, this step in the signup flow is designed to automatically accept or deny access. We found several examples of forged ID cards and selfies being sold to would-be crypto traders.
Synthetic Biometrics: Similar to the above, some crypto exchanges require more than a selfie, but a live, moving face in order to gain access. Fraudsters have been peddling digital rendering of faces to crypto enthusiasts looking to beat automated verification tools.
VPN: As we found in a Reddit forum called “Guide to crypto for USA under 18,” minors and fraudsters alike have been able to gain access to crypto exchanges through a relatively simple process that hinges upon using virtual private networks. By changing their IP addresses to ones originating in countries with fewer crypto-specific regulations, they may be able to bypass any KYC systems altogether.
Fraud-as-a-Service: We’ve tracked fraudsters advertising their services to the “fraud-curious” across Telegram as a way to steal from businesses. Likewise, we now regularly see professional scammers offering their services as stand-ins who will agree to complete KYC on behalf of someone else, either using their own IDs and faces or those of a third party looking to make a quick buck.
While those eager to avoid ID checks have found workarounds to certain KYC implementations on crypto sites, these verification tools serve an important purpose: ensuring legitimate and of-age consumers can access the sites that they want to visit and do business on. As importantly, crypto exchanges leverage these tools to stay in compliance with government regulations.
While KYC technology can be effective, businesses should use it as part of a layered approach to prevent nefarious activity—particularly fraud. When combined with an ML-powered Digital Trust & Safety strategy, fintech businesses, and crypto exchanges, in particular, can stop bad actors both on the front end and with every transaction, all without disrupting the experience for legitimate transactions.
Brittany Allen is a Trust and Safety Architect at Sift. She has more than a decade of experience combating e-commerce marketplace fraud at companies such as Etsy, Airbnb, 1stdibs, and letgo. Her current role focuses on trust and safety education, developing industry best practices and strategies, and representing the merchant's voice at Sift.